Open Policy Agent (OPA) is a general-purpose policy engine that can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. OPA policies are expressed in a high-level declarative language called Rego.
Gatekeeper provides first-class integration with OPA and Kubernetes. It is a customizable admission webhook for Kubernetes, enforcing CRD-based policies executed by Open Policy Agent (OPA). In addition to "enforcement", Gatekeeper also supports an audit functionality that allows evaluation of already deployed resources for pre-existing misconfigurations.
The following manifests are used with OPA Gatekeeper to specify the desired state:
- Constraint Templates
- Constraints
One or more Constraints can be associated with a Policy. The Policy construct makes it significantly easier to manage and enforce Gatekeeper manifests across a fleet of clusters. Enforcement of policy is through association with a cluster blueprint.
Org Admin and Infra Admin roles are allowed to configure and use this feature to enforce the policies on clusters.
Users are encouraged to use one of the following "Get Started" guides to learn how to use this service.
- Configure and Deploy OPA Gatekeeper Policies using CLI
- Turnkey OPA Gatekeeper Policies