Enhance OPA policies #19
Comments
We'll use opa-gatekeeper (v3) for this; this is the latest version of OPA for Kubernetes. How is Gatekeeper different from OPA? Compared to using OPA with its sidecar kube-mgmt (aka Gatekeeper v1.0), Gatekeeper introduces the following functionality:
I've added example Constraints in the opa-gatekeeper branch; this includes policies per team namespace: nonroot, nohostnetwork and required labels. |
This framework exists and rules should be enforced again after carefully making resources meet their criteria |
@githubcdr see here comments from closed duplicate issue: See below
On Thu, 10 Sep 2020 at 16:09, cDR notifications@github.com wrote:
opa is nicer and allows pre deploy linting
Limitrange sux. We should check resource specs in opa. Again better to lint
one per ns |
only resource constraint template for now |
Do you think you can still do that this week? |
Whoever will do this task, please upgrade the operator chart by copying the contents of this file: https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml into the and updating Chart.yaml to reflect the new version |
We should start refactoring all the policies to a common PR that started all the mess here - plexsystems/konstraint#80 |
Awesome! |
We want our opa policies to also limit access to the following resources: