Gatekeeper

Updated September 7, 2023

Gatekeeper is a customizable policy controller and auditor for Kubernetes. Gatekeeper accepts incoming requests to clusters and validates them in real time to make sure they comply with predefined policies.

Gatekeeper improves on the Open Policy Agent (OPA) and offers the following benefits:

Deployment instructions
  1. Configure the application:

    • Namespace: Select a namespace or create a new one.

    • Application name: Enter an application name.

    • Audit interval: Set the interval between audits in seconds. 0 disables audits.

    • Constraint violations limit: Set the maximum number of violations to be logged for each constraint.

    • Only matching kinds: Select this option to validate, for each constraint, only the kinds of Kubernetes resources that are explicitly specified in that constraint. If none are specified or if this option is disabled, all resources will be validated.

    • Emit audit events: Select this option to emit a Kubernetes event for each constraint violation detected during the audit, with detailed information about the violation.

    • Events in affected namespace: Select this option if events with violation details should be created in the namespace in which a constraint violation was logged. Only applies if the Emit audit events option is enabled.

      If the Events in affected namespace option is disabled, events will be created in the namespace in which Gatekeeper is installed.

    • Allow external data: Select this option to enable experimental support of external data sources.

  2. Click Install.

  3. Wait for the application status to change to Deployed.

Billing type: Free
Type: Kubernetes® Application
Category: Developer tools
Publisher: Yandex Cloud
Use cases
  • Creating policies for Kubernetes cluster resources.
  • Automatically applying the set policies across a cluster.
  • Auditing cluster resources.
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can enable paid support in the management console. Learn more about requesting technical support.

Product composition
Helm chart:
  • gatekeeper, version 3.12.0
Docker images:
  • yandex-cloud/gatekeeper/manager1692970899580962032404619931866420091548227214435, version 3.12.0
  • yandex-cloud/gatekeeper/crds1692970899580962032404619931866420091548227214435, version 3.12.0
  • yandex-cloud/curl/curl1692970899580962032404619931866420091548227214435, version 7.83.1
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service.