Skip to content

Commit

Permalink
Rename to gatekeeper (open-policy-agent#52)
Browse files Browse the repository at this point in the history
* Rename to gatekeeper

Signed-off-by: Lachlan Evenson <[email protected]>

* remove definite article before gatekeeper

Signed-off-by: Lachlan Evenson <[email protected]>

* remove instances of Azure repo

Signed-off-by: Lachlan Evenson <[email protected]>

* update kpc to gatekeeper

Signed-off-by: Lachlan Evenson <[email protected]>

* rename kpc.yaml to gatekeeper.yaml

Signed-off-by: Lachlan Evenson <[email protected]>

* update deploy-all.sh

Signed-off-by: Lachlan Evenson <[email protected]>
  • Loading branch information
lachie83 authored Feb 12, 2019
1 parent 2365175 commit c1c4523
Show file tree
Hide file tree
Showing 26 changed files with 106 additions and 106 deletions.
6 changes: 3 additions & 3 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,16 @@
FROM golang:1.10.3 as builder

# Copy in the go src
WORKDIR /go/src/github.com/open-policy-agent/kubernetes-policy-controller
WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
COPY pkg/ pkg/
COPY cmd/ cmd/
COPY vendor/ vendor/

# Build
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/gatekeeper/cmd/manager

# Copy the controller-manager into a thin image
FROM ubuntu:latest
WORKDIR /root/
COPY --from=builder /go/src/github.com/open-policy-agent/kubernetes-policy-controller/manager .
COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
ENTRYPOINT ["./manager"]
4 changes: 2 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@

# Image URL to use all building/pushing image targets
IMG ?= docker.io/nikhilbh/kubernetes-policy-controller:latest
IMG ?= docker.io/nikhilbh/gatekeeper:latest

all: test manager

Expand All @@ -10,7 +10,7 @@ test: generate fmt vet manifests

# Build manager binary
manager: generate fmt vet
go build -o bin/manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
go build -o bin/manager github.com/open-policy-agent/gatekeeper/cmd/manager

# Run against the configured Kubernetes cluster in ~/.kube/config
run: generate fmt vet
Expand Down
2 changes: 1 addition & 1 deletion PROJECT
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
version: "1"
domain: styra.org
repo: github.com/open-policy-agent/kubernetes-policy-controller
repo: github.com/open-policy-agent/gatekeeper
30 changes: 15 additions & 15 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# kubernetes-policy-controller
# gatekeeper

Every organization has some rules. Some of these are essential to meet governance, and legal requirements and other are based on learning from past experience and not repeating the same mistakes. These decisions cannot tolerate human response time as they need near a real-time action. Services that are policy enabled to make the organization agile and are essential for long-term success as they are more adaptable as violations and conflicts can be discovered consistently as they are not prone to human error.

Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `kubernetes-policy-controller` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `kubernetes-policy-controller` it's possible to implement a blacklist in front of RBAC. The `kubernetes-policy-controller` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project.
Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `gatekeeper` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `gatekeeper` it's possible to implement a blacklist in front of RBAC. `gatekeeper` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project.

Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [kubernetes-policy-controller](https://github.com/Azure/kubernetes-policy-controller) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like :
Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [gatekeeper](https://github.com/Azure/gatekeeper) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like :

* Can we whitelist / blacklist registries.
* Not allow conflicting hosts for ingresses.
Expand Down Expand Up @@ -32,16 +32,16 @@ project will more closely resemble examples in that tutorial.
- Join [weekly meetings](https://docs.google.com/document/d/1A1-Q-1OMw3QODs1wT6eqfLTagcGmgzAJAjJihiO3T48/edit)
to discuss development, issues, use cases, etc.

- Use [GitHub Issues](https://github.com/open-policy-agent/kubernetes-policy-controller/issues)
- Use [GitHub Issues](https://github.com/open-policy-agent/gatekeeper/issues)
to file bugs, request features, or ask questions asynchronously.

## Using kubernetes-policy-controller
## Using gatekeeper

## 1. Deployment

Access to a Kubernetes cluster with "cluster-admin" permission is the only prerequisite.

Deploy `kubernetes-policy-controller`:
Deploy `gatekeeper`:

```bash
./deploy/deploy-all.sh
Expand All @@ -65,7 +65,7 @@ There are two scenarios of the policy engine namely Validation and Mutation
Load the policy as a ConfigMap:

```bash
kubectl create configmap example -n kpc-system --from-file ./policy/admission/ingress-host-fqdn.rego
kubectl create configmap example -n gatekeeper-system --from-file ./policy/admission/ingress-host-fqdn.rego
```

```bash
Expand All @@ -85,7 +85,7 @@ This policy will mutate resources that define an annotation with the key `"test-
Load the policy as a ConfigMap:

```bash
kubectl create configmap -n kpc-system example2 --from-file ./policy/admission/annotate.rego
kubectl create configmap -n gatekeeper-system example2 --from-file ./policy/admission/annotate.rego
```

First create a Deployment:
Expand Down Expand Up @@ -114,11 +114,11 @@ kubectl get deployment nginx -o json | jq '.metadata'

### 2.3 `authorization` scenario

`kubernetes-policy-controller` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `kubernetes-policy-controller` as authorization module webhook.
`gatekeeper` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `gatekeeper` as authorization module webhook.

1. Add the authorization module to the APIServer via flag, e.g.: `--authorization-mode=Node,Webhook,RBAC`
1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/kubernetes-policy-controller.kubeconfig`. See example file content [here](./deploy/kubernetes-policy-controller.kubeconfig)
1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/kubernetes-policy-controller.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`.
1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/gatekeeper.kubeconfig`. See example file content [here](./deploy/gatekeeper.kubeconfig)
1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/gatekeeper.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`.
1. To avoid dependencies on the Kubernetes API Server use the flag `--authorization-mode=true`
1. Deploy some of the policies stored under [policy/authorization](./policy/authorization). There are examples for:
1. Blocking create/update/delete on Calico CRDs
Expand All @@ -133,12 +133,12 @@ kubectl get deployment nginx -o json | jq '.metadata'

### policy language

The `kubernetes-policy-controller` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries.
`gatekeeper` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries.
Policy rules are created as a rego files.

### package admission

`kubernetes-policy-controller` defines a special package name `admission` which is used to logically execute all the `admission` rules.
`gatekeeper` defines a special package name `admission` which is used to logically execute all the `admission` rules.
So any `admission` rule defined should be part of this package.

```go
Expand All @@ -164,7 +164,7 @@ deny[{

### matches[[kind, namespace, name, matched_resource_output]]

When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `kubernetes-policy-controller` provides the matches functionality by importing `data.kubernetes.matches`.
When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `gatekeeper` provides the matches functionality by importing `data.kubernetes.matches`.

```go
import data.kubernetes.matches
Expand Down Expand Up @@ -281,7 +281,7 @@ deny[{

### package authorization

`kubernetes-policy-controller` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
`gatekeeper` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
So any `authorization` rule defined should be part of this package.

```go
Expand Down
8 changes: 4 additions & 4 deletions cmd/manager/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ import (
"flag"
"os"

"github.com/open-policy-agent/kubernetes-policy-controller/pkg/apis"
"github.com/open-policy-agent/kubernetes-policy-controller/pkg/controller"
"github.com/open-policy-agent/kubernetes-policy-controller/pkg/standalone"
"github.com/open-policy-agent/kubernetes-policy-controller/pkg/webhook"
"github.com/open-policy-agent/gatekeeper/pkg/apis"
"github.com/open-policy-agent/gatekeeper/pkg/controller"
"github.com/open-policy-agent/gatekeeper/pkg/standalone"
"github.com/open-policy-agent/gatekeeper/pkg/webhook"
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/manager"
Expand Down
4 changes: 2 additions & 2 deletions config/default/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
# Adds namespace to all resources.
namespace: kpc-system
namespace: gatekeeper-system

# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: kpc-
namePrefix: gatekeeper-

# Labels to add to all resources and selectors.
#commonLabels:
Expand Down
2 changes: 1 addition & 1 deletion config/default/manager_image_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,5 @@ spec:
spec:
containers:
# Change the value of image field below to your controller image URL
- image: docker.io/nikhilbh/kubernetes-policy-controller:latest
- image: docker.io/nikhilbh/gatekeeper:latest
name: manager
2 changes: 1 addition & 1 deletion config/manager/manager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ spec:
- "--replicate-cluster=v1/namespaces"
- "--replicate=extensions/v1beta1/ingresses"
- "--replicate=v1/pods"
- "--policies=kpc-system"
- "--policies=gatekeeper-system"
terminationGracePeriodSeconds: 10
volumes:
- name: cert
Expand Down
4 changes: 2 additions & 2 deletions demo/port-forward.sh
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/bin/bash

controllerpod=$(kubectl -n kpc-system get po --no-headers | awk '{print $1}')
kubectl -n kpc-system port-forward $controllerpod 7925:7925
controllerpod=$(kubectl -n gatekeeper-system get po --no-headers | awk '{print $1}')
kubectl -n gatekeeper-system port-forward $controllerpod 7925:7925
4 changes: 2 additions & 2 deletions deploy/createnamespace.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
cd "${0%/*}"

set -e
echo "Create kpc-system namespace"
echo "Create gatekeeper-system namespace"

read -p "Press enter to continue"

# create opa namespace
kubectl create ns kpc-system
kubectl create ns gatekeeper-system
2 changes: 1 addition & 1 deletion deploy/delete-all.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,4 @@ read -p "Press enter to continue"
rm -rf ./secret

./delete-webhook.sh
kubectl delete ns kpc-system
kubectl delete ns gatekeeper-system
4 changes: 2 additions & 2 deletions deploy/delete-webhook.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
cd "${0%/*}"

#set -e
echo "Delete Kubernetes-policy-controller webhook config"
echo "Delete gatekeeper webhook config"

read -p "Press enter to continue"

kubectl delete mutatingwebhookconfiguration kpc
kubectl delete mutatingwebhookconfiguration gatekeeper
6 changes: 3 additions & 3 deletions deploy/deploy-admission-policy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@ echo "Deploy Admission policies"
read -p "Press enter to continue"

# deploy admission policies
kubectl -n kpc-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
kubectl -n kpc-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
kubectl -n kpc-system create configmap annotate --from-file=../policy/admission/annotate.rego
kubectl -n gatekeeper-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
kubectl -n gatekeeper-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
kubectl -n gatekeeper-system create configmap annotate --from-file=../policy/admission/annotate.rego
8 changes: 4 additions & 4 deletions deploy/deploy-all.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ echo "Deploy OPA and kube-mgmt"
read -p "Press enter to continue"

# create opa namespace
kubectl create ns kpc-system
kubectl create ns gatekeeper-system

# deploy kubernetes-policy-controller
kubectl apply -n kpc-system -f ./deploy/kpc.yaml
# deploy gatekeeper
kubectl apply -n gatekeeper-system -f ./deploy/gatekeeper.yaml

# deploy kubernetes policies
kubectl -n kpc-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
2 changes: 1 addition & 1 deletion deploy/deploy-controller.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ echo "Deploy OPA and kube-mgmt"
read -p "Press enter to continue"

# deploy opa
kubectl apply -n kpc-system -f ./kpc.yaml
kubectl apply -n gatekeeper-system -f ./gatekeeper.yaml
4 changes: 2 additions & 2 deletions deploy/deploy-kubernetes-policy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,5 @@ echo "Deploy Kubernetes policies"
read -p "Press enter to continue"

# deploy kubernetes policies
kubectl -n kpc-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
kubectl -n kpc-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
kubectl -n gatekeeper-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
42 changes: 21 additions & 21 deletions deploy/kpc.yaml → deploy/gatekeeper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ subjects:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kpc-cluster-role
name: gatekeeper-cluster-role
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
Expand All @@ -30,22 +30,22 @@ rules:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kpc-cluster-role
name: gatekeeper-cluster-role
roleRef:
kind: ClusterRole
name: kpc-cluster-role
name: gatekeeper-cluster-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: default
namespace: kpc-system
namespace: gatekeeper-system
---
# Define role for OPA/kube-mgmt to update configmaps and manage services and secrets
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kpc-system
name: kpc-namespace-role
namespace: gatekeeper-system
name: gatekeeper-namespace-role
rules:
- apiGroups: [""]
resources: ["configmaps"]
Expand All @@ -58,25 +58,25 @@ rules:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kpc-system
name: kpc-namespace-role
namespace: gatekeeper-system
name: gatekeeper-namespace-role
roleRef:
kind: Role
name: kpc-namespace-role
name: gatekeeper-namespace-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: default
namespace: kpc-system
namespace: gatekeeper-system
---
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
name: kpc-controller-manager-service
namespace: kpc-system
name: gatekeeper-controller-manager-service
namespace: gatekeeper-system
spec:
selector:
control-plane: controller-manager
Expand All @@ -90,14 +90,14 @@ metadata:
labels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
name: kpc-controller-manager
namespace: kpc-system
name: gatekeeper-controller-manager
namespace: gatekeeper-system
spec:
selector:
matchLabels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
serviceName: kpc-controller-manager-service
serviceName: gatekeeper-controller-manager-service
template:
metadata:
labels:
Expand All @@ -117,8 +117,8 @@ spec:
apiVersion: v1
fieldPath: metadata.namespace
- name: SECRET_NAME
value: kpc-webhook-server-secret
image: docker.io/nikhilbh/kubernetes-policy-controller:latest
value: gatekeeper-webhook-server-secret
image: docker.io/nikhilbh/gatekeeper:latest
imagePullPolicy: Always
ports:
- containerPort: 9876
Expand Down Expand Up @@ -148,7 +148,7 @@ spec:
- --replicate-cluster=v1/namespaces
- --replicate=extensions/v1beta1/ingresses
- --replicate=v1/pods
- --policies=kpc-system
- --policies=gatekeeper-system
image: openpolicyagent/kube-mgmt:0.6
imagePullPolicy: Always
resources: {}
Expand All @@ -157,10 +157,10 @@ spec:
- name: cert
secret:
defaultMode: 420
secretName: kpc-webhook-server-secret
secretName: gatekeeper-webhook-server-secret
---
apiVersion: v1
kind: Secret
metadata:
name: kpc-webhook-server-secret
namespace: kpc-system
name: gatekeeper-webhook-server-secret
namespace: gatekeeper-system
Loading

0 comments on commit c1c4523

Please sign in to comment.