How to Use OPA Gatekeeper with Kubernetes for Policy Enforcement
To use OPA Gatekeeper in Kubernetes, first install Gatekeeper as an admission controller to enforce policies. Then create ConstraintTemplates and Constraints to define and apply your custom rules that validate or block unwanted Kubernetes resources.
Syntax
OPA Gatekeeper uses Kubernetes Custom Resource Definitions (CRDs) to define policies and constraints.
- ConstraintTemplate: Defines the policy logic in the Rego language and declares the schema of the Constraint's parameters.
- Constraint: Instantiates a ConstraintTemplate and scopes it to specific Kubernetes resource kinds, with concrete parameters.
- Gatekeeper Controller: Runs inside the cluster as a validating admission webhook and enforces the Constraints when resources are created or updated.
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the Constraint's spec.parameters
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # Gatekeeper requires the violation rule to yield objects with a "msg" key.
        # One violation is produced for each required label the object lacks.
        violation[{"msg": msg}] {
          label := input.parameters.labels[_]
          not input.review.object.metadata.labels[label]
          msg := sprintf("missing required label: %v", [label])
        }
```
Example
This example enforces that every Kubernetes Namespace carries an `environment` label.
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the Constraint's spec.parameters
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # Emit one violation per required label that is absent from the object.
        violation[{"msg": msg}] {
          label := input.parameters.labels[_]
          not input.review.object.metadata.labels[label]
          msg := sprintf("missing required label: %v", [label])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-environment-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["environment"]
```
Output
```
ConstraintTemplate "k8srequiredlabels" created
Constraint "ns-must-have-environment-label" created
```
If you then try to create a Namespace without the `environment` label, Gatekeeper denies the request.
Common Pitfalls
1. Forgetting to install Gatekeeper: Without the Gatekeeper controller running, Constraints are stored but never enforced.
2. Incorrect Rego in the ConstraintTemplate: A Rego error leaves the policy unenforced without any denial at admission time, so it fails silently.
3. Not matching the right resource kinds: A Constraint must list the correct apiGroups and kinds in its match block, or it will not apply to the resources you intend.
4. Applying Constraints without testing: Always test Constraints in a dev cluster first so they do not block critical deployments.
```yaml
### Wrong: 'kinds' in match is empty, so the Constraint is not scoped to the intended resources
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: bad-constraint
spec:
  match:
    kinds: []
  parameters:
    labels: ["app"]
---
### Right: Specify kinds correctly
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: good-constraint
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels: ["app"]
```
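The script below is an added example, not part of the original article or of the Gatekeeper project. It covers both the rollout in the Example section and the fourth pitfall's advice to test before enforcing: it first unit-tests the ConstraintTemplate and Constraint offline with `gator verify` (the Gatekeeper project's CLI), then applies them to a cluster and probes enforcement with a server-side dry run, which passes through the admission webhooks without creating anything. It assumes `kubectl` and `gator` are on PATH and that the ConstraintTemplate and Constraint from this page are saved as `template.yaml` and `constraint.yaml` (assumed file names); the Namespace manifests and the expected denial message are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: offline policy tests plus a cluster enforcement probe.
# Assumes kubectl and gator are installed, and template.yaml / constraint.yaml
# (assumed file names) hold the ConstraintTemplate and Constraint from the page.
set -eu

# The API server reports a Gatekeeper denial in this shape:
#   admission webhook "validation.gatekeeper.sh" denied the request: [<constraint>] <msg>
# This helper recognises that shape in captured kubectl output so a pipeline can
# assert that a request was rejected by the expected Constraint and not for
# some unrelated reason (RBAC, name collision, ...).
is_denied_by_gatekeeper() {
  local output="$1" constraint="$2"
  case "$output" in
    *'admission webhook "validation.gatekeeper.sh" denied the request'*"[$constraint]"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a gator test suite into "$1": one Namespace that must be rejected and
# one that must be accepted. Paths in the suite are relative to the suite file.
write_gator_suite() {
  local dir="$1"
  cat > "$dir/ns-missing.yaml" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: no-env-label
EOF
  cat > "$dir/ns-ok.yaml" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: has-env-label
  labels:
    environment: dev
EOF
  cat > "$dir/suite.yaml" <<'EOF'
apiVersion: test.gatekeeper.sh/v1alpha1
kind: Suite
tests:
- name: required-environment-label
  template: template.yaml
  constraint: constraint.yaml
  cases:
  - name: namespace-without-label-is-rejected
    object: ns-missing.yaml
    assertions:
    - violations: yes
  - name: namespace-with-label-is-accepted
    object: ns-ok.yaml
    assertions:
    - violations: no
EOF
}

# Step 1: evaluate the Rego and Constraint locally; no cluster is needed, and a
# Rego compile error surfaces here instead of silently disabling the policy.
run_offline_tests() {
  local dir
  dir="$(mktemp -d)"
  cp template.yaml constraint.yaml "$dir/"
  write_gator_suite "$dir"
  gator verify "$dir/suite.yaml"
}

# Step 2: apply the template, wait until its generated CRD exists, apply the
# Constraint, then probe enforcement with --dry-run=server.
rollout_and_probe() {
  kubectl apply -f template.yaml
  kubectl wait --for=condition=established \
    crd/k8srequiredlabels.constraints.gatekeeper.sh --timeout=60s
  kubectl apply -f constraint.yaml
  local out
  if out=$(kubectl create namespace probe-no-label --dry-run=server 2>&1); then
    echo "FAIL: Namespace without the label was admitted"
    return 1
  fi
  is_denied_by_gatekeeper "$out" ns-must-have-environment-label || {
    echo "FAIL: request was rejected for another reason: $out"
    return 1
  }
  echo "OK: Gatekeeper denied the unlabeled Namespace"
}
```

Run `run_offline_tests` in CI on every policy change and `rollout_and_probe` against the dev cluster before promoting the Constraint. For a first rollout to a cluster with existing workloads, set `spec.enforcementAction: dryrun` on the Constraint so Gatekeeper only records violations in the Constraint's `status.violations` (filled by the audit controller) instead of denying requests, then switch to the default `deny` once the audit results are clean. If `gator verify` or the CRD wait fails, inspect the template with `kubectl describe constrainttemplate k8srequiredlabels`, whose status carries any Rego compile errors.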
Quick Reference
| Resource | Purpose | Example |
|---|---|---|
| ConstraintTemplate | Defines policy logic in Rego | k8srequiredlabels |
| Constraint | Applies policy to resources | ns-must-have-environment-label |
| Gatekeeper Controller | Enforces policies on admission | Runs as a Deployment in cluster |
Key Takeaways
- Install Gatekeeper in your Kubernetes cluster to enable policy enforcement.
- Define policies using ConstraintTemplates written in the Rego language.
- Apply policies by creating Constraints that target specific resource kinds.
- Test Constraints carefully to avoid blocking valid resource creation.
- Use Gatekeeper logs and the status fields on ConstraintTemplates and Constraints to debug policy enforcement issues.