Policies

Policies contain one or more constraints and are deployed to clusters through a blueprint. Multiple policies with different constraints can be created as required.


Create New Policy

Perform the following steps to create a new policy:

  • Log in to the Controller and select Policies under OPA Gatekeeper. The Policies main page lists the existing policies
  • Click New Policy
  • Provide a name for the policy and click Create

OPA New Policy

Policy New Version

Perform the following steps on the New Version page:

  • Provide a version name

Constraints List

  • Click Add Constraint to add one or more constraints to this policy

Constraints List

Excluded Namespaces and Process

Namespaces, and the Gatekeeper processes that act on them, can be excluded from evaluation

  • Click Add Namespace to exclude one or more namespaces from evaluation
  • Click Add Process to exclude one or more processes for the selected namespaces. Excluding the Audit process omits resources in the specified namespaces from audit results. Excluding the WebHook process omits them from the admission webhook, so constraints are no longer enforced there. Excluding the Sync process prevents them from being synced into OPA. All applies every process exclusion

Exclude Namespace and Process

Sync Objects

Sync Objects replicates Kubernetes data into OPA via the sync config resource, so that constraints can reference objects that already exist in the cluster.

  • Click Add Sync Object and specify the group, version and kind of the resource to sync

Add Sync Objects
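As an added illustration, not taken from this page, the namespace and process exclusions and the sync objects configured above correspond to Gatekeeper's `Config` resource on the cluster. The namespace names and kinds below are constructed sample values, and it is an assumption that the controller generates an equivalent resource from the settings entered in the UI.

```yaml
# Added example: a Gatekeeper Config resource equivalent to the exclusions and
# sync objects described above. Namespace names and kinds are constructed samples.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  # Sync Objects: replicate these kinds into OPA so constraints can query them
  sync:
    syncOnly:
      - group: ""
        version: v1
        kind: Namespace
      - group: ""
        version: v1
        kind: Pod
  # Excluded Namespaces and Process
  match:
    # Exclude platform namespaces from every process ("All" in the UI)
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["*"]
    # Exclude a sample namespace from audit results only; the admission
    # webhook still enforces constraints there
    - excludedNamespaces: ["sample-batch-jobs"]
      processes: ["audit"]
```

Keep the webhook exclusion list as short as possible: a namespace excluded from the webhook process receives no admission-time enforcement at all, whereas an audit-only exclusion merely quietens the audit report while enforcement continues. Anything excluded from sync is invisible to constraints that rely on replicated data, so check that excluded namespaces are not ones a constraint needs to inspect.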

Installation Parameters

If required, users can enable or disable the following audit parameters for the policy

  • Set the Audit Interval and Constraint Violation Limit. Audit periodically evaluates existing resources to detect pre-existing misconfigurations. The default Audit Interval is 60 seconds and the default Constraint Violation Limit is 20

  • Enable Audit from Cache to rely on OPA cache as the source-of-truth for audit queries

Note: This requires replication of Kubernetes resources into OPA before they can be evaluated against the enforced policies

  • If all of the constraints match only specific kinds (for example, only Pods), enable Audit Match KindOnly to speed up audit runs. Audit then checks only resources of the kinds named in the constraints associated with the policy

  • A few non-compliant deletes may succeed despite the policy. Turn on Enable Delete Operations to audit the non-compliant deletes performed through Gatekeeper's admission webhook

Installation Parameters
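As an added reference, not part of this page, the Installation Parameters above correspond to values of the upstream Gatekeeper Helm chart; the defaults shown are those stated on this page, and it is an assumption that the blueprint passes these values through to the chart unchanged.

```yaml
# Added example: Gatekeeper Helm chart values matching the Installation
# Parameters above. The defaults are the ones stated on the page.
auditInterval: 60               # Audit Interval, in seconds
constraintViolationsLimit: 20   # Constraint Violation Limit (violations reported per constraint)
auditFromCache: false           # Audit from Cache: audit reads synced OPA data instead of the API server
auditMatchKindOnly: false       # Audit Match KindOnly: only audit kinds listed in constraints' match.kinds
enableDeleteOperations: false   # Enable Delete Operations: include DELETE in the admission webhook operations
```

Two caveats follow from how these interact. With `auditFromCache` enabled, audit sees only the kinds listed under Sync Objects, so any kind a constraint targets must also be synced or it will silently never be audited. With `auditMatchKindOnly` enabled, a constraint that omits `match.kinds` is not narrowed and the speed-up does not apply to it, so the setting is only worthwhile when every constraint in the policy names its kinds.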

  • Click Save Changes

On successful creation, the policy details page shows the policy with its versions. Policies are enforced on clusters by associating them with a blueprint.

Policy Versions

Important

Users with the Namespace Admin role do not have access to the Policies page


View Policies

To view policy violations, select Audit Logs from the System drop-down menu. The OPA tab lists the violations, which can be filtered by Project, Cluster and Constraint as desired.