• Stars
    star
    628
  • Rank 71,541 (Top 2 %)
  • Language Open Policy Agent
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

📚 The OPA Gatekeeper policy library

OPA Gatekeeper Library

Artifact Hub

A community-owned library of policies for the OPA Gatekeeper project.

Validation and Mutation

The library consists of two main components: Validation and Mutation.

  • Validation: Gatekeeper can validate resources in the cluster against Gatekeeper validation policies, such as these defined in the library. The policies are defined as ConstraintTemplates and Constraints. ConstraintTemplates can be applied directly to a cluster and then Constraints can be applied to customize policy to fit your specific needs.
  • Mutation: Gatekeeper can mutate resources in the cluster against the Gatekeeper mutation policies, such as these defined in the library. Mutation policies are only examples, they should be customized to meet your needs before being applied.

Usage

kustomize

You can use kustomize to install some or all of the templates alongside your own constraints.

First, create a kustomization.yaml file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/open-policy-agent/gatekeeper-library/library
# You can optionally install a subset by specifying a subfolder, or specify a commit SHA
# - github.com/open-policy-agent/gatekeeper-library/library/pod-security-policy?ref=0c82f402fb3594097a90d15215ae223267f5b955
- constraints.yaml

Then define your constraints in a file called constraints.yaml in the same directory. Example constraints can be found in the "samples" folders.

You can install everything with kustomize build . | kubectl apply -f -.

More information can be found in the kustomization documentation.

kubectl

Instead of using kustomize, you can directly apply the template.yaml and constraint.yaml provided in each directory under library/

For example

cd library/general/httpsonly/
kubectl apply -f template.yaml
kubectl apply -f samples/ingress-https-only/constraint.yaml
kubectl apply -f library/general/httpsonly/sync.yaml # optional: when GK is running with OPA cache

Testing

The suite.yaml files define test cases for each ConstraintTemplate in the library. Changes to gatekeeper-library ConstraintTemplates may be tested with the gator CLI:

gatekeeper-library$ gator verify ./...

The gator CLI may be downloaded from the Gatekeeper releases page.

How to contribute to the library

New policy

If you have a policy you would like to contribute, please submit a pull request. Each new policy should contain:

  • A constraint template named src/<policy-name>/constraint.tmpl with a description annotation and the parameter structure, if any, defined in spec.crd.spec.validation.openAPIV3Schema. The template is rendered using gomplate.
  • One or more sample constraints, each with an example of an allowed (example_allowed.yaml) and disallowed (example_disallowed.yaml) resource under library/<policy-name>/samples/<policy-name>
  • kustomization.yaml and suite.yaml under library/<policy-name>
  • The rego source, as src.rego and unit tests as src_test.rego in the corresponding subdirectory under src/<policy-name>
  • Versioning has been introduced for Gatekeeper Library policies. Please make sure to add or bump the version of the policy as per the guidelines in the src/<policy-name>/constraint.tmpl annotation.
    • Major version bump required: Whenever there is a breaking change in the policy e.g. updating template Kind, updating existing parameter schema, adding the requires-sync-data annotation to sync new data, or any other breaking changes
    • Minor version bump required: Whenever there is a backward compatible change in the policy e.g. adding a parameter, updating Rego logic
    • Patch version bump required: Whenever there is a simple backward compatible change in the policy, e.g. Simple Rego fix, updating policy metadata
    • Note: Sample constraints, mutations, and expansion templates are provided as examples, and severable changes do not require a version bump.

Development

  • policy code and tests are maintained in src/<policy-name>/src.rego and src/<policy-name>/src_test.rego
  • make generate will generate library/<policy-name>/template.yaml from src/<policy-name>/src.rego using gomplate.
  • make generate-website-docs will generate the markdown files required for the website.
  • make generate-artifacthub-artifacts will generate or update the artifact hub packages and associated artifacthub-pkg.yml file under /artifacthub directory.
  • make generate-all will generate all artifacts above.
  • make validate will run validation checks on the library repo. Currently it validates directory structure of website/docs directory.
  • make unit-test will run all unit tests in the scripts directory.
  • run all tests with ./test.sh
  • run single test with opa test src/<folder>/src.rego src/<folder>/src_test.rego --verbose
  • print results with trace(sprintf("%v", [thing]))

More Repositories

1

opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Go
9,480
star
2

gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
Go
3,602
star
3

conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language
Go
2,857
star
4

contrib

Integrations, examples, and proof-of-concepts that are not part of OPA proper.
Go
321
star
5

opa-envoy-plugin

A plugin to enforce OPA policies with Envoy
Go
316
star
6

kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Go
232
star
7

npm-opa-wasm

Open Policy Agent WebAssembly NPM module (opa-wasm)
JavaScript
130
star
8

frameworks

Go
120
star
9

vscode-opa

An extension for VS Code which provides support for OPA and the Rego policy language
TypeScript
109
star
10

library

The Open Policy Agent project standard library.
Open Policy Agent
93
star
11

example-api-authz-go

Example Go service that uses OPA for API authorization.
Go
93
star
12

cert-controller

Go
89
star
13

opa-docker-authz

A policy-enabled authorization plugin for Docker.
Go
81
star
14

opa-idea-plugin

Open Policy Agent plugin for IntelliJ
Kotlin
56
star
15

rego-python

Python library for interacting with Rego ASTs.
Python
48
star
16

opa-envoy-spire-ext-authz

OPA-Envoy-SPIRE External Authorization Example.
Go
47
star
17

setup-opa

Sets up Open Policy Agent CLI in your GitHub Actions workflow.
TypeScript
44
star
18

example-api-authz-python

Example Python service that uses OPA for API authorization.
Python
32
star
19

community

The Community repository is the place to go for support with OPA and OPA Sub-Projects, like Conftest and Gatekeeper.
31
star
20

golang-opa-wasm

Open Policy Agent WebAssembly Go SDK
Go
20
star
21

gatekeeper-external-data-provider

A template repository for building external data providers for Gatekeeper.
Shell
10
star