Open Policy Agent (OPA) is a general-purpose policy engine that can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. OPA policies are expressed in a high-level declarative language called Rego.
Gatekeeper provides first-class integration with OPA and Kubernetes. It is a customizable admission webhook for Kubernetes, enforcing CRD-based policies executed by Open Policy Agent (OPA). In addition to "enforcement", Gatekeeper also supports an audit functionality that allows evaluation of already deployed resources for pre-existing misconfigurations.
The following manifests are used with OPA Gatekeeper to specify the desired state:
- Constraint Templates
One or more Constraints can be associated with a Policy. The Policy construct makes it significantly easier to manage and enforce Gatekeeper manifests across a fleet of clusters. Enforcement of policy is through association with a cluster blueprint.
Org Admin and Infra Admin roles are allowed to configure and use this feature to enforce the policies on clusters.