Policies contain one or more constraints and are deployed to clusters through a blueprint. Multiple policies can be created with different constraints as required.
Create New Policy¶
Perform the below steps to create a new policy:
- Log in to the Controller and select Policies under OPA Gatekeeper. The Policies page lists the existing policies
- Click New Policy
- Provide a name for the policy and click Create
Policy New Version¶
Perform the below steps in the New Version page
- Provide a version name
- Click Add Constraint to add one or more constraints to this policy
Excluded Namespaces and Processes
Users can exclude one or more namespaces from evaluation, and choose which Gatekeeper processes the exclusion applies to
- Click Add Namespace to exclude one or more namespaces from evaluation
- Click Add Process to exclude one or more processes. Audit process exclusion leaves resources in the specified namespaces out of audit results. Webhook process exclusion leaves resources in the specified namespaces out of admission webhook evaluation, so requests in those namespaces are not blocked. Sync process exclusion stops resources in the specified namespaces from being synced into OPA. All applies all three exclusions at once
Sync Objects replicates Kubernetes data into OPA via the sync config resource, so that constraints can refer to objects other than the one being admitted
- Click Add Sync Object to add group, version and kind
Users can enable or disable the audit parameters below for the policy, if required
Set the Audit Interval and Constraint Violation Limit. The audit function periodically re-evaluates existing resources to detect pre-existing misconfigurations; the Constraint Violation Limit caps the number of violations recorded per constraint. The default Audit Interval is 60 seconds and the default Constraint Violation Limit is 20
Enable Audit from Cache to rely on OPA cache as the source-of-truth for audit queries
Note: This requires replication of Kubernetes resources into OPA before they can be evaluated against the enforced policies
If all of the constraints match against specific kinds (example: match only pods), enable Audit Match KindOnly to speed up audit runs. This will only check resources of the kinds specified in the constraints associated with the policy
By default the admission webhook does not evaluate delete requests, so a few non-compliant deletes may happen despite the policy. Enable Delete Operations to have Gatekeeper's admission webhook evaluate delete operations as well
- Click Save Changes
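The settings on the New Version page correspond to standard Gatekeeper objects on the cluster. The following is an added illustration, not the Controller's own output and not code from this page: it shows the Gatekeeper `Config` resource that carries namespace and process exclusions and sync objects, the audit flags that the audit parameters map to, and the webhook rule change that Enable Delete Operations corresponds to. The namespaces `payments-batch` and `legacy-apps` are made up for the example; the resource, field and flag names are Gatekeeper's own. The Deployment and webhook fragments are trimmed to the relevant fields.

```yaml
# Added example: Gatekeeper objects equivalent to the New Version settings.
# Namespaces "payments-batch" and "legacy-apps" are constructed for illustration.

# 1. Excluded Namespaces / Processes and Sync Objects live in the cluster-wide
#    Gatekeeper Config resource (a single object named "config" in gatekeeper-system).
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    # "All": skip these namespaces in audit, the admission webhook and sync.
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["*"]
    # "Audit" only: still admission-controlled, but left out of audit results.
    - excludedNamespaces: ["payments-batch"]
      processes: ["audit"]
    # "Webhook" only: audited, but not blocked at admission time (e.g. during a migration).
    - excludedNamespaces: ["legacy-apps"]
      processes: ["webhook"]
  sync:
    # Sync Objects: group/version/kind replicated into OPA's cache. Needed by
    # constraints that inspect other objects and by Audit from Cache: a kind that is
    # not listed here is simply not audited when auditing from cache.
    syncOnly:
      - group: ""
        version: v1
        kind: Namespace
      - group: ""
        version: v1
        kind: Pod
      - group: networking.k8s.io
        version: v1
        kind: Ingress
---
# 2. Audit parameters are flags on the gatekeeper-audit controller. Values mirror
#    the page's defaults; the two cache-related flags are shown switched on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gatekeeper-audit
  namespace: gatekeeper-system
spec:
  template:
    spec:
      containers:
        - name: manager
          args:
            - --operation=audit
            - --audit-interval=60                # Audit Interval (seconds)
            - --constraint-violations-limit=20   # Constraint Violation Limit
            - --audit-from-cache=true            # Audit from Cache: relies on syncOnly above
            - --audit-match-kind-only=true       # Audit Match Kind Only
---
# 3. Enable Delete Operations adds DELETE to the validating webhook's rules so
#    delete requests are evaluated instead of bypassing the policy.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration
webhooks:
  - name: validation.gatekeeper.sh
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["*"]
        operations: ["CREATE", "UPDATE", "DELETE"]
```

Two checks worth making after the blueprint is applied: that the `Config` object exists once and contains every kind your constraints reference under `syncOnly` (otherwise Audit from Cache silently skips those kinds), and that a namespace excluded with the Webhook process is also covered by audit, since it is the only thing that will still report violations there.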
On successful policy creation, users can view the new policy and its versions on the policy details page. Policies are enforced on clusters only through association with a blueprint.
Users with the Namespace Admin role do not have access to the Policies page
To view policy violations, select Audit Logs from the System drop-down menu. Selecting the OPA Tab displays the list of violations and they can be filtered by Project, Cluster and Constraint as desired.