Kubernetes Fury OPA
Kubernetes Fury OPA provides policy enforcement for the Kubernetes Fury Distribution (KFD) using OPA Gatekeeper.
If you are new to KFD please refer to the official documentation on how to get started with KFD.
Overview
The Kubernetes API server provides a mechanism to review every request that is made to it, be it the creation, modification or deletion of an object. To use this mechanism, the API server allows us to register a Validating Admission Webhook that, as the name says, validates every request and tells the API server whether the request is allowed or not based on some logic (a policy).
The Kubernetes Fury OPA module is based on OPA Gatekeeper, a popular open-source Kubernetes-native policy engine with OPA at its core that runs as a Validating Admission Webhook. It allows writing custom constraints (policies) in Rego (OPA's purpose-built policy language) as Kubernetes objects and enforces them at admission time.
SIGHUP provides a set of base constraints that can be used both as a starting point to apply constraints to your current workloads and to give you an idea of how to implement new rules matching your requirements.
Packages
Kubernetes Fury OPA provides the following packages:
Package | Version | Description |
---|---|---|
Gatekeeper Core | v3.7.0 | Gatekeeper deployment, ready to apply rules. |
Gatekeeper Rules | N.A. | A set of custom rules to get started. |
Gatekeeper Policy Manager | v0.5.1 | Gatekeeper Policy Manager, a simple to use web-ui for Gatekeeper. |
Click on each package to see its full documentation.
Compatibility
Kubernetes Version | Compatibility | Notes |
---|---|---|
1.20.x | ✅ | No known issues |
1.21.x | ✅ | No known issues |
1.22.x | ✅ | No known issues |
1.23.x | ⚠️ | Conformance tests passed. Not officially supported. |
Check the compatibility matrix for additional information about previous releases of the module.
Usage
Prerequisites
Tool | Version | Description |
---|---|---|
furyctl | >=0.6.0 | The recommended tool to download and manage KFD modules and their packages. To learn more about furyctl read the official documentation. |
kustomize | >=3.5.0 | Packages are customized using kustomize. To learn how to create your customization layer with kustomize, please refer to the repository. |
KFD Monitoring Module | >v1.10.0 | Exposes Gatekeeper metrics to Prometheus (optional) |
If you do not install the monitoring module, comment out the ServiceMonitor resource in the package's kustomization.yaml file.
Deployment
1. List the packages you want to deploy and their version in a `Furyfile.yml`:

```yaml
bases:
  - name: opa/gatekeeper
    version: "v1.6.2"
```

See the furyctl documentation for additional details about the `Furyfile.yml` format.

2. Execute `furyctl vendor -H` to download the packages.
3. Inspect the downloaded packages under `./vendor/katalog/opa/gatekeeper`.
4. Define a `kustomization.yaml` that includes the `./vendor/katalog/opa/gatekeeper` directory as a resource:

```yaml
resources:
  - ./vendor/katalog/opa/gatekeeper
```

5. Apply the necessary patches. You can find a list of common customizations in the Common Customizations section below.
6. To deploy the packages to your cluster, execute:

```bash
kustomize build . | kubectl apply -f -
```
Common Customizations
Disable constraints
Disable one of the default constraints by creating the following kustomize patch in your `kustomization.yaml`:

```yaml
patchesJson6902:
  - target:
      group: constraints.gatekeeper.sh
      version: v1beta1
      kind: K8sUniqueIngressHost # replace with the kind of the constraint you want to disable
      name: unique-ingress-host # replace with the name of the constraint you want to disable
    path: patches/allow.yml
```

and add this to the `patches/allow.yml` file:

```yaml
- op: "replace"
  path: "/spec/enforcementAction"
  value: "dryrun"
```

Two details matter here. The field is `enforcementAction` (camelCase): JSON patch paths are case-sensitive, and a `replace` on a path that does not exist in the constraint makes `kustomize build` fail. And `dryrun` is the Gatekeeper setting that stops a constraint from rejecting requests while keeping it evaluated, so its violations still show up in the constraint status and in audit results; the documented values for `enforcementAction` are `deny`, `dryrun` and `warn`.
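Often the right fix is narrower than switching a constraint off: exempt only the namespace that cannot comply, and keep enforcement everywhere else. The following is an added example (not part of the module's own manifests) that wires such a patch into the deployment `kustomization.yaml`. It targets the `unique-ingress-host` constraint named above, assumes that constraint has a `spec.match` block (as Gatekeeper constraints normally do, since that is where `kinds` is set), and uses `legacy-apps` as a made-up namespace name.

```yaml
# kustomization.yaml (added example; not the module's own file)
resources:
  - ./vendor/katalog/opa/gatekeeper

patchesJson6902:
  - target:
      group: constraints.gatekeeper.sh
      version: v1beta1
      kind: K8sUniqueIngressHost
      name: unique-ingress-host
    path: patches/unique-ingress-host-exclusions.yml
---
# patches/unique-ingress-host-exclusions.yml
# Assumes the constraint already has a spec.match block; `add` on an object
# member creates excludedNamespaces if absent and overwrites it if present,
# so list every namespace you want exempted, not only the new one.
- op: add
  path: /spec/match/excludedNamespaces
  value:
    - legacy-apps   # assumed namespace name for the example
```

Ingress objects in `legacy-apps` are then not evaluated by this constraint at all, while the constraint keeps denying duplicate hosts in every other namespace. Run `kustomize build .` and inspect the rendered constraint before applying, so a typo in the kind or name (which would make the patch target nothing) is caught locally rather than in the cluster.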
Emergency break
If for some reason OPA Gatekeeper is giving you issues and blocking normal operations in your cluster, you can disable it by removing the Validating Admission Webhook definition from your cluster:

```bash
kubectl delete ValidatingWebhookConfiguration gatekeeper-validating-webhook-configuration
```

This stops admission enforcement for all constraints at once, because the API server no longer calls Gatekeeper; the Gatekeeper pods and the audit controller keep running, so constraint status still reports violations. To restore enforcement, re-apply the module manifests (`kustomize build . | kubectl apply -f -`), which recreates the webhook configuration.