Kubernetes - Overview & Architecture - 《Open Policy Agent v0.30.2 Documentation》

Additional Resources

For example, by deploying OPA as an admission controller you can:

Require specific labels on all resources.
Require container images come from the corporate image registry.
Require all Pods specify resource requests and limits.
Prevent conflicting Ingress objects from being created.

Admission controllers can also mutate incoming objects. By deploying OPA as a mutating admission controller you can:

Inject sidecar containers into Pods.
Rewrite container images to point at the corporate image registry.
Include node and pod (anti-)affinity selectors on Deployments.

These are just examples of policies you can enforce with admission controllers and OPA. There are dozens of other policies you will want to enforce in your Kubernetes clusters for security, cost, and availability reasons.

is a new project that provides first-class integration between OPA and Kubernetes. For background information see this blog post on kubernetes.io and check out this .

OPA Gatekeeper adds the following on top of plain OPA:

An extensible, parameterized policy library.
Native Kubernetes CRDs for instantiating the policy library (aka “constraints”).
Native Kubernetes CRDs for extending the policy library (aka “constraint templates”).
Audit functionality.

If you want to kick the tires:

See the Installation Instructions in the README.

The Kubernetes API Server is configured to query OPA for admission control decisions when objects (e.g., Pods, Services, etc.) are created, updated, or deleted.

Admission Control Flow

The API Server sends the entire Kubernetes object in the webhook request to OPA. OPA evaluates the policies it has loaded using the admission review as . For example, the following policy denies objects that include container images referring to illegal registries:

When deny is evaluated with the input defined below the answer is:

The input document contains the following fields:

input.request.kind specifies the type of the object (e.g., Pod, , etc.)
input.request.operation specifies the type of the operation, i.e., CREATE, UPDATE, DELETE, .
input.request.userInfo specifies the identity of the caller.
input.request.object contains the entire Kubernetes object.
input.request.oldObject specifies the previous version of the Kubernetes object on UPDATE and .

The policies you give to OPA ultimately generate an admission review response that is sent back to the API Server. Here is an example of the policy decision sent back to the API Server.

Policies can be loaded into OPA dynamically via ConfigMap objects using the sidecar container. The kube-mgmt sidecar container can also load any other Kubernetes object into OPA as JSON under data. This lets you enforce policies that rely on an eventually consistent snapshot of the Kubernetes cluster as context.

Policy and Data Caching

See the Policy Authoring and pages for more details.

A Guide to Kubernetes Admission Controllers for a quick primer on admission controllers.
for details on configuring external admission controllers.