• This repository has been archived on 30/Aug/2021
  • Stars
    star
    107
  • Rank 323,587 (Top 7 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated almost 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Kubernetes Operator to manage Dynamic Admission Controllers using Open Policy Agent

GateKeeper

CircleCI

Gatekeeper is currently an implementation of a Kubernetes Operator for installing, configuring and managing Open Policy Agent to provide dynamic admission controllers in a cluster.

Getting Started

The recommended way to configure Gatekeeper is to use Replicated Ship:

brew install ship
ship init https://github.com/replicatedhq/gatekeeper/tree/master/docs/gatekeeper-k8s

Ship will download and give you an opportunity to review the Kubernetes manifests included to run Gatekeeper. You can create patches and overlays to make any changes necessary for your environment. Once finished, follow the instructions in Ship and kubectl apply -f rendered.yaml.

You can then use ship watch && ship update to watch and configure updates as they are shipped here.

For more information on the components, and other methods to install Gatekeeper, read the docs.

Deploying Policies

After installing Gatekeeper to a cluster, a policy can be deployed using kubectl apply -f ./config/samples/policies_v1alpha2_admissionpolicy.yaml. (This is a sample policy that prevents any pod from using images tagged :latest). When the policy is applied, if OPA is running in the same namespace, the controller will deploy the policy from the YAML to the OPA instance. If OPA is not found, the controller will provision a new OPA instance, and deploy the policy to that new instance, whne it's ready.

Gatekeeper provisions Open Policy Agent with all of the necessary TLS configuration, webhook configuration, and underlying Kubernetes resources that are required to create a dynamic admission controller.

Motivations

The Open Policy Agent (OPA) project is an ambitious project that does much more than just Kubernetes Admission Controllers.

Simplify the task of installing and configuring OPA in Kubernetes.

Installing OPA into a Kubernetes cluster is more complex than many applications. The recommended installation includes creating a new certificate authority (CA) and then creating a cert, signed by that CA. This TLS configuration should be deployed and referenced in the openpolicyagent deployment and also manually copied into the webhook configuration. Managing this through automation can be difficult and prone to errors. The Gatekeeper operator manages this in-cluster, so the keys never have to be transferred to the cluster, and the CA and certs are properly configured every time.

Dynamic admission controllers in Kubernetes are powerful, but can also be difficult to troubleshoot and configure. A goal of the Gatekeeper operator is to make it easier to roll out new admission policies, with as little risk as possible.

Provide a custom resource to manage policy files (.rego) instead of using ConfigMaps

This allows for easier listing and management of individual policies. Instead of using the existing ConfigMap and in-cluster sync, the Gatekeeper operator introduces a new type named admissionpolicies.policies.replicated.com. This makes it easy to just kubectl get admissionpolicies.policies.replicated.com and view all dynamic admission policies installed in the cluster.

Validation of policies before deployment

One future goal of Gatekeeper is to validate new policies and changes to existing policies before deploying. This includes compiling the policy and also backtesting it against previous requests received to ensure that the policy will have the expected effects.

Architecture and Roadmap

Gatekeeper is still an early project that's evolving. To see our roadmap and better understand the current and planned architecture, architecture doc and the roadmap doc in this repo.

Contributing

Fork and clone this repo, and you can run it locally on a Kubernetes cluster:

make install  # this will install the CRDs to your cluster
skaffold dev  # this will start the manager and controllers in your cluster, and watch for file changes and redeploy

More Repositories

1

dockerfilelint

An opinionated Dockerfile linter.
JavaScript
990
star
2

kots

KOTS provides the framework, tools and integrations that enable the delivery and management of 3rd-party Kubernetes applications, a.k.a. Kubernetes Off-The-Shelf (KOTS) Software.
Go
888
star
3

kURL

Production-grade, airgapped Kubernetes installer combining upstream k8s with overlays and popular components
Shell
737
star
4

ship

A better way to deploy Kubernetes Helm charts
Go
638
star
5

troubleshoot

Preflight Checks and Support Bundles Framework for Kubernetes Applications
Go
533
star
6

ttl.sh

An anonymous & ephemeral Docker image registry
TypeScript
461
star
7

outdated

Kubectl plugin to find and report outdated images running in a Kubernetes cluster
Go
422
star
8

kotsadm

Kotsadm has been merged into the KOTS repo
JavaScript
250
star
9

unfork

Kubectl plugin to find forked Helm Charts and other K8s resources and unfork them with Kustomize
Go
145
star
10

krew-plugin-template

GitHub Repository Template for creating new Kubectl plugins
Go
65
star
11

kubeflare

A Kubernetes Operator to manage Cloudflare settings via a declarative Kubernetes API
Go
56
star
12

pvmigrate

Go
54
star
13

hugo-algolia

Enables search with Algolia in Hugo static sites
JavaScript
47
star
14

sbctl

Go
40
star
15

replicated

A CLI to create, edit and promote releases in Replicated
Go
34
star
16

local-volume-provider

A Velero plugin for backup/restore directly to Kubernetes volumes.
Go
32
star
17

troubleshoot.sh

JavaScript
29
star
18

fromlatest.io

JavaScript
19
star
19

embedded-cluster

Go
18
star
20

replicated-field-labs

Defines the Replicated Platform Hands-On Labs powered by the Instruqt platform
Shell
16
star
21

studio

Streamline your Replicated Application development in 3 easy steps, or your money back!
TypeScript
14
star
22

kots-sentry

Makefile
14
star
23

kurl.sh

JavaScript
11
star
24

libyaml

Go
11
star
25

replicated-lint

YAML linting tools for Replicated applications
TypeScript
8
star
26

ekco

ekco: Embedded kURL Cluster Operator
Go
8
star
27

replicated-docs

Replicated Product Documentation
JavaScript
8
star
28

replicated-starter-ship

Starter repo for managing Ship Apps in GitHub
Makefile
8
star
29

k8s-secret-generator

Go
7
star
30

enterprise-gtm-starter

Go-to-market starter project for Replicated apps
Go
7
star
31

ips

Current list of Replicated public facing IP addresses
6
star
32

replicated-actions

TypeScript
6
star
33

kots-lint

Lint a KOTS application before deploying it
Go
6
star
34

kubectl-traceroute

A kubectl plugin to diagnose and debug why a service is not responding
Go
6
star
35

homebrew-ship

Homebrew Formulae to ship binaries, powered by @replicatedhq
Ruby
6
star
36

kots.io

Docs site for KOTS
SCSS
6
star
37

vendor-docs-starter

6
star
38

help-center

Replicated help center
HTML
4
star
39

replicated-sdk

Service that allows you to embed key Replicated features alongside your application.
Go
4
star
40

ansible

Shell
4
star
41

helm-charts

Smarty
4
star
42

replicated-installer

Shell
4
star
43

troubleshoot-specs

Python
4
star
44

replicated-ci-demo

Example repo showcasing how to use the Replicated APIs and tools to manage your Replicated application YAML using git
Makefile
3
star
45

repl-yaml-samples

Resource for Replicated sample YAML's and snippets
3
star
46

replicated-automation

Shell
3
star
47

replicated-starter-helm

3
star
48

kots-helm

Smarty
3
star
49

platform-examples

Large and small examples of Replicated Platform capabilities
Smarty
3
star
50

kotsapps

Mustache
3
star
51

ledismock

Go
3
star
52

cc-qa-automation

Coding Challenge: QA Automation Engineer
Go
3
star
53

replicated-starter-kubernetes

Starter repo for developing Kubernetes applications on Replicated
Makefile
3
star
54

docs

Replicated Documentation
CSS
3
star
55

terraform-kots-eks

HCL
3
star
56

kots-cicd-demo

3
star
57

action-kots-lint

Dockerfile
2
star
58

exfilter

C
2
star
59

replicated-preview

CoffeeScript
2
star
60

homebrew-replicated

Replicated Homebrew Tap
Ruby
2
star
61

kots-default-yaml

YAML files used for new KOTS projects
2
star
62

kgrid

Go
2
star
63

kubectl-grid

Go
2
star
64

replicated-starter-swarm

Starter repo for developing Docker Swarm applications on Replicated
Makefile
2
star
65

kurlkinds

Host of kurl's Kubernetes clients and types.
Go
2
star
66

terraform-provider-replicated

Go
2
star
67

codeclimate-dockerfile

A CodeClimate engine for Dockerfilelint
JavaScript
2
star
68

action-k3s

JavaScript
2
star
69

tslint-config-replicated

TypeScript
1
star
70

replicated-action

A GitHub Action to interact with the Replicated API
Dockerfile
1
star
71

action-kots-release

Dockerfile
1
star
72

crd-to-openapischema

Go
1
star
73

grafana-kube-demo

Makefile
1
star
74

action-okteto-test

JavaScript
1
star
75

community

1
star
76

troubleshoot-preview

Go
1
star
77

superbigtool-k8s

1
star
78

velero-exec-hooks-qa

Shell
1
star
79

kURL-testgrid

Testgrid is a an automation testing platform for kURL
Go
1
star
80

kots-idp-example-app

Go
1
star
81

replicated-scripts

Python
1
star
82

vendor-schemas

1
star
83

license-create-download-worker

TypeScript
1
star
84

kustomize-demo

JavaScript
1
star
85

embedded-cluster-operator

Go
1
star
86

terraform-provider-kURL

this repo will be used as terraform provisioning a customer kurl cluster based on their kurl installer config
HCL
1
star
87

kots2helm

Go
1
star
88

ship-starter-compose

Starter repo for developing Docker Compose / Swarm application on Ship
Makefile
1
star
89

dehydrated-docker

Makefile
1
star