Open Policy Agent (OPA) is a general-purpose policy engine that can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. OPA policies are expressed in a high-level declarative language called Rego.

Gatekeeper provides first-class integration with OPA and Kubernetes. It is a customizable admission webhook for Kubernetes, enforcing CRD-based policies executed by Open Policy Agent (OPA). In addition to "enforcement", Gatekeeper also supports an audit functionality that allows evaluation of already deployed resources for pre-existing misconfigurations.

The following manifests are used with OPA Gatekeeper to specify the desired state:

  • Constraint Templates
  • Constraints

One or more Constraints can be associated with a Policy. The Policy construct makes it significantly easier to manage and enforce Gatekeeper manifests across a fleet of clusters. Enforcement of policy is through association with a cluster blueprint.

Org Admin and Infra Admin roles are allowed to configure and use this feature to enforce the policies on clusters.