Background
RealTheory can notify you when OPA Gatekeeper is a required component in your environment but is not present on your cluster, or when the installed version of OPA Gatekeeper does not comply with organizational standards.
Solution - Installation
If OPA Gatekeeper is a required component in your Kubernetes environment, it is most likely that the manifest files needed for the installation or an OPA Gatekeeper Helm chart already exist. Contact your Operations or DevOps team to determine if there are company resources for installing OPA Gatekeeper BEFORE using either of the following procedures.
Procedure Using HELM Chart Package Manager
To install OPA Gatekeeper:
- Use the Helm Installation Guide to install Helm (if not already installed).
- Use the following commands to add the OPA Gatekeeper Helm repository:
    helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
    helm repo update
- Create a namespace for OPA Gatekeeper.
  Example:
    kubectl create namespace gatekeeper-system
- Do one of the following:
  - To install the latest version, use the following command:
      helm install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system
  - To install a specific version, use the following command:
      helm install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system --version <version>
    where <version> is the version number of OPA Gatekeeper you want to install.
- Verify the OPA Gatekeeper components are running:
  Example:
    kubectl get pods -n gatekeeper-system
- Create a simple constraint to test the installation.
  Example:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: test-constraint
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
      parameters:
        labels:
          required:
            - key: environment
              values: ["production"]
- Apply the constraint.
  Example:
    kubectl apply -f test-constraint.yaml
- Create a pod without the required label to verify OPA Gatekeeper enforces the test constraint.
  Example:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest
- Apply the pod YAML.
  Example:
    kubectl apply -f pod-without-label.yaml
  You should see a constraint violation error.
Procedure Using the YAML Manifest
To install OPA Gatekeeper:
- Create the Custom Resource Definitions (CRDs) required by OPA Gatekeeper.
  Example:
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraintpodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constrainttemplatepodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraints.yaml
- Create a namespace for OPA Gatekeeper.
  Example:
    kubectl create namespace gatekeeper-system
- Deploy the OPA Gatekeeper components.
  Example:
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml
- Verify the OPA Gatekeeper components are running:
  Example:
    kubectl get pods -n gatekeeper-system
- Create a simple constraint to test the installation.
  Example:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: test-constraint
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
      parameters:
        labels:
          required:
            - key: environment
              values: ["production"]
- Apply the constraint.
  Example:
    kubectl apply -f test-constraint.yaml
- Create a pod without the required label to verify OPA Gatekeeper enforces the test constraint.
  Example:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest
- Apply the pod YAML.
  Example:
    kubectl apply -f pod-without-label.yaml
  You should see a constraint violation error.
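The K8sRequiredLabels kind used by test-constraint in both installation procedures above is not built into Gatekeeper: it is defined by a ConstraintTemplate, which must be applied before the constraint, otherwise kubectl rejects test-constraint.yaml as an unknown kind. The template below is an added example, not part of this page or of the Gatekeeper project's own policy library; its schema and Rego are written to match the parameters.labels.required[].key/values shape that test-constraint uses (the library's own K8sRequiredLabels template takes a different parameter shape), and the violation messages are my wording.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels          # must equal the lowercased kind below
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels    # the kind test-constraint refers to
      validation:
        # Schema for spec.parameters, matching labels.required[].key/values
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: object
              properties:
                required:
                  type: array
                  items:
                    type: object
                    properties:
                      key:
                        type: string
                      values:
                        type: array
                        items:
                          type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        # Violation 1: a required key is absent from the object's labels.
        violation[{"msg": msg}] {
          required := input.parameters.labels.required[_]
          not input.review.object.metadata.labels[required.key]
          msg := sprintf("missing required label %q", [required.key])
        }
        # Violation 2: the key is present but its value is not one of
        # the allowed values (an empty or absent values list allows any).
        violation[{"msg": msg}] {
          required := input.parameters.labels.required[_]
          value := input.review.object.metadata.labels[required.key]
          count(required.values) > 0
          count([v | v := required.values[_]; v == value]) == 0
          msg := sprintf("label %q has value %q; allowed: %v", [required.key, value, required.values])
        }
```

With this template applied, test-pod (which carries only app: nginx) is rejected with the "missing required label" message, and a pod labelled environment: staging is rejected by the second rule.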
Solution - Upgrade
If a specific version of OPA Gatekeeper is required in your Kubernetes environment, it is most likely that the manifest files or an OPA Gatekeeper Helm chart already exist. Contact your Operations or DevOps team to determine if there are company resources for installing OPA Gatekeeper BEFORE using either of the following procedures.
Procedure Using HELM Chart Package Manager
To upgrade OPA Gatekeeper:
- Use the Helm Installation Guide to install Helm (if not already installed).
- Do one of the following:
  - To upgrade to the latest version, use the following command:
      helm upgrade gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system
  - To upgrade to a specific version, use the following command:
      helm upgrade gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system --version <version>
    where <version> is the version number of OPA Gatekeeper you want to upgrade to.
- Verify the OPA Gatekeeper components are running and have been updated:
  Example:
    kubectl get pods -n gatekeeper-system
Procedure Using YAML Manifest
To upgrade OPA Gatekeeper:
- Upgrade the Custom Resource Definitions (CRDs) required by OPA Gatekeeper.
  Example:
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraintpodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constrainttemplatepodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraints.yaml
- Upgrade the OPA Gatekeeper deployment.
  Example:
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml
- Verify the OPA Gatekeeper components are running and have been updated:
  Example:
    kubectl get pods -n gatekeeper-system