OPA on Kubernetes: Security policies

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace

kubectl get all -n gatekeeper-system

required labels

k create -f constraint-template-labels.yaml

k apply -f constraint-instance-ns.yaml

k apply -f example_allowed_ns.yaml

k apply -f example_disallowed_ns.yaml

k apply -f constraint-template-priviledged.yaml

k apply -f constraint-instance-priviledge

k apply -f example_allowed_pod.yaml

k apply -f example_disallowed_pod.yaml

k apply -f constraint-template-repos.yaml

k apply -f constraint-allowed-repo.yaml

k apply -f example_allowed_repo.yaml

k apply -f example_disallowed_repo.yaml

terraform init

terraform plan --out planfile

terraform show -json planfile > plan.json

opa eval data.policy.all_policies -d infra-policies/ -i plan.json -f pretty

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
infra-policies		infra-policies
LICENSE		LICENSE
README.md		README.md
constraint-allowed-repo.yaml		constraint-allowed-repo.yaml
constraint-instance-ns.yaml		constraint-instance-ns.yaml
constraint-instance-pod.yaml		constraint-instance-pod.yaml
constraint-instance-priviledge.yaml		constraint-instance-priviledge.yaml
constraint-template-labels.yaml		constraint-template-labels.yaml
constraint-template-priviledged.yaml		constraint-template-priviledged.yaml
constraint-template-repos.yaml		constraint-template-repos.yaml
example_allowed_ns.yaml		example_allowed_ns.yaml
example_allowed_pod.yaml		example_allowed_pod.yaml
example_allowed_repo.yaml		example_allowed_repo.yaml
example_disallowed_ns.yaml		example_disallowed_ns.yaml
example_disallowed_pod.yaml		example_disallowed_pod.yaml
example_disallowed_repo.yaml		example_disallowed_repo.yaml
main.tf		main.tf
plan.json		plan.json
planfile		planfile
policy.rego		policy.rego
provider.tf		provider.tf
test-ns.yaml		test-ns.yaml
tfplan.binary		tfplan.binary