
I am trying to understand what OPA (Open Policy Agent) is and what its use cases are, and I'm at the basic stage. When I was reading an OPA article I got to know about OPA Gatekeeper, but I don't have a clear understanding of why we need this OPA Gatekeeper. Can we use this for auditing all kinds of policies in Kubernetes like pod scheduling, cluster placement, authorization etc., or is it only specific to the Kubernetes admission control phase?

Will Beason

1 Answer


According to the official docs:

Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA).

Validating Admission Control

Once all the Gatekeeper components have been installed in your cluster, the API server will trigger the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted.

Audit

The audit functionality enables periodic evaluations of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Gatekeeper stores audit results as violations listed in the status field of the relevant Constraint. By default, the audit will request each resource from the Kubernetes API during each cycle of the audit.

And to answer your questions in short: Gatekeeper is designed to take care of both the admission scenario and the audit of the replicated resources.

Sources:

Please let me know if that helped.

Wytrzymały Wiktor
  • Thank you very much for your answer, and I'll definitely read these sources too. Another thing that I got from all this information is that we can use Gatekeeper only for admission control in Kubernetes (please correct me if I'm wrong). And I wanted to know, other than that, is there any relationship between Gatekeeper and the other OPA use cases in Kubernetes like workload placement, pod scheduling etc.? – May 14 '20 at 11:48
  • I suggest going through the listed sources, as they will explain it in detail way better than I possibly could. But to answer your additional question in short: admission control is not the only functionality of Gatekeeper. It also takes care of auditing and provides "constraints" and "constraint templates". And `Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA)` is the general relationship between these two. – Wytrzymały Wiktor May 14 '20 at 12:12
  • Thank you so much for your reply and resources. Now I understand the point and it helped me a lot. Thank you. – May 15 '20 at 05:22