Photo by Mac Gaither on Unsplash
OPA and Gatekeeper enforce policy defaults in Kubernetes
Watchdog
For compliance officers and chief information security officers (CISOs), the motto of the day is clear: Container-based setups need no more and no less compliance and security than their conventional relatives; they need different, but equally well-monitored, compliance. This is where the Open Policy Agent (OPA) [1], deployed as a sidecar in Kubernetes (K8s), on the one hand and Gatekeeper, the policy enforcement service built specifically for Kubernetes, on the other hand come into play. Gatekeeper itself relies on OPA in the background, too.
In this article, I introduce OPA and its possible spheres of application and show how integration works with a sidecar or Gatekeeper in K8s.
Flexibility
If you ask developers and admins what they particularly like about containers, you regularly hear the same answers: Containers are flexible, dynamic, and easy to manage, at least according to sworn container fans. In fact, containers embody the ideas of agile development particularly well, as symbolized by the cloud-ready architecture with its microservices principle.
What excites developers and admins in terms of flexibility and dynamics, however, regularly puts worry lines on the foreheads of compliance officers and CISOs. The temptation is all too great for many a developer or administrator to pull a ready-made container image from the Internet, roll it out on their own infrastructure, and declare "well, it works for me," without considering the security and compliance implications. This issue has been addressed before, but it doesn't hurt to take at least another quick look at container compliance.
Compliance
The relevance of security and compliance in the container context can hardly be