Gatekeeper
Gatekeeper is a customizable policy controller and auditor for Kubernetes. It intercepts incoming requests to the cluster and validates them in real time against predefined policies.
Gatekeeper builds on the Open Policy Agent (OPA) and offers the following benefits:
- Extendable parameterized policy library.
- Native Kubernetes CRDs (constraints and constraint templates) for creating instances and extending the policy library.
- Native Kubernetes CRDs for mutations.
- Audit mode.
- Support of external data sources.
- Configure the application:
  - Namespace: Create a new namespace, e.g., gatekeeper-space. If you leave the default namespace, Gatekeeper may work incorrectly.
  - Application name: Enter a name for the application.
  - Audit interval: Set the interval between audits in seconds. 0 disables audits.
  - Constraint violations limit: Set the maximum number of violations to be logged for each constraint.
  - Only matching resource types: Select this option to validate, for each constraint, only the Kubernetes resource types explicitly specified in that constraint. If a constraint specifies no resource types, or if the option is disabled, all resources are validated.
  - Events in affected namespace: Select this option to create events with violation details in the namespace where the constraint violation was logged. This only applies if the Create events at audit option is enabled. If the Events in affected namespace option is disabled, events are created in the namespace where Gatekeeper is installed.
  - Allow external data: Select this option to enable support of external data sources.
- Click Install.
- Wait for the application to change its status to Deployed.
- Creating policies for Kubernetes cluster resources.
- Automatically applying the set policies across a cluster.
- Auditing cluster resources.
| Helm chart | Version | Pull-command | Documentation |
|---|---|---|---|
| yandex-cloud/gatekeeper/gatekeeper | 3.20.1 | | Open |

| Docker image | Version | Pull-command |
|---|---|---|
| yandex-cloud/gatekeeper/manager | v3.20.1 | |
| yandex-cloud/gatekeeper/crds | v3.20.1 | |
| yandex-cloud/gatekeeper/curl | 8.12.0 | |
| yandex-cloud/gatekeeper/fake-reader | v20250904 | |