From c1c4523c1e7b336ed97b56222eb768532266c69c Mon Sep 17 00:00:00 2001
From: Lachlan Evenson
Date: Tue, 12 Feb 2019 14:08:48 -0800
Subject: [PATCH] Rename to gatekeeper (#52)

* Rename to gatekeeper
Signed-off-by: Lachlan Evenson
* remove definite article before gatekeeper
Signed-off-by: Lachlan Evenson
* remove instances of Azure repo
Signed-off-by: Lachlan Evenson
* update kpc to gatekeeper
Signed-off-by: Lachlan Evenson
* rename kpc.yaml to gatekeeper.yaml
Signed-off-by: Lachlan Evenson
* update deploy-all.sh
Signed-off-by: Lachlan Evenson
---
 Dockerfile | 6 +--
 Makefile | 4 +-
 PROJECT | 2 +-
 README.md | 30 ++++++-------
 cmd/manager/main.go | 8 ++--
 config/default/kustomization.yaml | 4 +-
 config/default/manager_image_patch.yaml | 2 +-
 config/manager/manager.yaml | 2 +-
 demo/port-forward.sh | 4 +-
 deploy/createnamespace.sh | 4 +-
 deploy/delete-all.sh | 2 +-
 deploy/delete-webhook.sh | 4 +-
 deploy/deploy-admission-policy.sh | 6 +--
 deploy/deploy-all.sh | 8 ++--
 deploy/deploy-controller.sh | 2 +-
 deploy/deploy-kubernetes-policy.sh | 4 +-
 deploy/{kpc.yaml => gatekeeper.yaml} | 42 +++++++++----------
 .../kubernetes-policy-controller.kubeconfig | 2 +-
 deploy/kubernetes-policy-controller.yaml | 14 +++----
 docs/design/design.md | 4 +-
 docs/ingress-host-conflict.md | 22 +++++-----
 docs/post.md | 12 +++---
 pkg/opa/fake_opa.go | 2 +-
 pkg/standalone/server.go | 4 +-
 pkg/webhook/policy.go | 14 +++----
 pkg/webhook/policy_test.go | 4 +-
 26 files changed, 106 insertions(+), 106 deletions(-)
 rename deploy/{kpc.yaml => gatekeeper.yaml} (82%)

diff --git a/Dockerfile b/Dockerfile
index 0a6d7b92919..350144b8b26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,16 +2,16 @@ FROM golang:1.10.3 as builder
 # Copy in the go src
-WORKDIR /go/src/github.com/open-policy-agent/kubernetes-policy-controller
+WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
 COPY pkg/ pkg/
 COPY cmd/ cmd/
 COPY vendor/ vendor/
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/gatekeeper/cmd/manager
 # Copy the controller-manager into a thin image
 FROM ubuntu:latest
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/open-policy-agent/kubernetes-policy-controller/manager .
+COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
 ENTRYPOINT ["./manager"]
diff --git a/Makefile b/Makefile
index 597fededc4c..d796e90baf9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Image URL to use all building/pushing image targets
-IMG ?= docker.io/nikhilbh/kubernetes-policy-controller:latest
+IMG ?= docker.io/nikhilbh/gatekeeper:latest
 all: test manager
@@ -10,7 +10,7 @@ test: generate fmt vet manifests
 # Build manager binary
 manager: generate fmt vet
- go build -o bin/manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
+ go build -o bin/manager github.com/open-policy-agent/gatekeeper/cmd/manager
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet
diff --git a/PROJECT b/PROJECT
index 62b75223fcd..94110fbe957 100644
--- a/PROJECT
+++ b/PROJECT
@@ -1,3 +1,3 @@
 version: "1"
 domain: styra.org
-repo: github.com/open-policy-agent/kubernetes-policy-controller
+repo: github.com/open-policy-agent/gatekeeper
diff --git a/README.md b/README.md
index c6cb5cce5e9..b2b21bdbcab 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@ -# kubernetes-policy-controller +# gatekeeper Every organization has some rules. Some of these are essential to meet governance, and legal requirements and other are based on learning from past experience and not repeating the same mistakes. These decisions cannot tolerate human response time as they need near a real-time action. Services that are policy enabled to make the organization agile and are essential for long-term success as they are more adaptable as violations and conflicts can be discovered consistently as they are not prone to human error. -Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `kubernetes-policy-controller` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `kubernetes-policy-controller` it's possible to implement a blacklist in front of RBAC. The `kubernetes-policy-controller` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project. +Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). 
This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `gatekeeper` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `gatekeeper` it's possible to implement a blacklist in front of RBAC. `gatekeeper` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project. -Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [kubernetes-policy-controller](https://github.com/Azure/kubernetes-policy-controller) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like : +Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [gatekeeper](https://github.com/Azure/gatekeeper) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like : * Can we whitelist / blacklist registries. * Not allow conflicting hosts for ingresses. 
@@ -32,16 +32,16 @@ project will more closely resemble examples in that tutorial. - Join [weekly meetings](https://docs.google.com/document/d/1A1-Q-1OMw3QODs1wT6eqfLTagcGmgzAJAjJihiO3T48/edit) to discuss development, issues, use cases, etc. -- Use [GitHub Issues](https://github.com/open-policy-agent/kubernetes-policy-controller/issues) +- Use [GitHub Issues](https://github.com/open-policy-agent/gatekeeper/issues) to file bugs, request features, or ask questions asynchronously. -## Using kubernetes-policy-controller +## Using gatekeeper ## 1. Deployment Access to a Kubernetes cluster with "cluster-admin" permission is the only prerequisite. -Deploy `kubernetes-policy-controller`: +Deploy `gatekeeper`: ```bash ./deploy/deploy-all.sh @@ -65,7 +65,7 @@ There are two scenarios of the policy engine namely Validation and Mutation Load the policy as a ConfigMap: ```bash -kubectl create configmap example -n kpc-system --from-file ./policy/admission/ingress-host-fqdn.rego +kubectl create configmap example -n gatekeeper-system --from-file ./policy/admission/ingress-host-fqdn.rego ``` ```bash @@ -85,7 +85,7 @@ This policy will mutate resources that define an annotation with the key `"test- Load the policy as a ConfigMap: ```bash -kubectl create configmap -n kpc-system example2 --from-file ./policy/admission/annotate.rego +kubectl create configmap -n gatekeeper-system example2 --from-file ./policy/admission/annotate.rego ``` First create a Deployment: 
@@ -114,11 +114,11 @@ kubectl get deployment nginx -o json | jq '.metadata' ### 2.3 `authorization` scenario -`kubernetes-policy-controller` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `kubernetes-policy-controller` as authorization module webhook. +`gatekeeper` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `gatekeeper` as authorization module webhook. 1. Add the authorization module to the APIServer via flag, e.g.: `--authorization-mode=Node,Webhook,RBAC` -1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/kubernetes-policy-controller.kubeconfig`. See example file content [here](./deploy/kubernetes-policy-controller.kubeconfig) -1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/kubernetes-policy-controller.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`. +1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/gatekeeper.kubeconfig`. 
See example file content [here](./deploy/gatekeeper.kubeconfig) +1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/gatekeeper.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`. 1. To avoid dependencies on the Kubernetes API Server use the flag `--authorization-mode=true` 1. Deploy some of the policies stored under [policy/authorization](./policy/authorization). There are examples for: 1. Blocking create/update/delete on Calico CRDs @@ -133,12 +133,12 @@ kubectl get deployment nginx -o json | jq '.metadata' ### policy language -The `kubernetes-policy-controller` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries. +`gatekeeper` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries. Policy rules are created as a rego files. ### package admission -`kubernetes-policy-controller` defines a special package name `admission` which is used to logically execute all the `admission` rules. +`gatekeeper` defines a special package name `admission` which is used to logically execute all the `admission` rules. So any `admission` rule defined should be part of this package. ```go 
@@ -164,7 +164,7 @@ deny[{
 ### matches[[kind, namespace, name, matched_resource_output]]
-When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `kubernetes-policy-controller` provides the matches functionality by importing `data.kubernetes.matches`.
+When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `gatekeeper` provides the matches functionality by importing `data.kubernetes.matches`.
 ```go
 import data.kubernetes.matches
@@ -281,7 +281,7 @@ deny[{
 ### package authorization
-`kubernetes-policy-controller` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
+`gatekeeper` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
 So any `authorization` rule defined should be part of this package.
 ```go
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 0078f9ed94b..2f85cc0bb1c 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -19,10 +19,10 @@ import (
 "flag"
 "os"
- "github.com/open-policy-agent/kubernetes-policy-controller/pkg/apis"
- "github.com/open-policy-agent/kubernetes-policy-controller/pkg/controller"
- "github.com/open-policy-agent/kubernetes-policy-controller/pkg/standalone"
- "github.com/open-policy-agent/kubernetes-policy-controller/pkg/webhook"
+ "github.com/open-policy-agent/gatekeeper/pkg/apis"
+ "github.com/open-policy-agent/gatekeeper/pkg/controller"
+ "github.com/open-policy-agent/gatekeeper/pkg/standalone"
+ "github.com/open-policy-agent/gatekeeper/pkg/webhook"
 _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 "sigs.k8s.io/controller-runtime/pkg/client/config"
 "sigs.k8s.io/controller-runtime/pkg/manager"
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 7f2a1a41f71..b14269d67c6 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: kpc-system
+namespace: gatekeeper-system
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: kpc-
+namePrefix: gatekeeper-
 # Labels to add to all resources and selectors.
 #commonLabels:
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index 8b344fbffc5..28dc34e19c5 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -8,5 +8,5 @@ spec:
 spec:
 containers:
 # Change the value of image field below to your controller image URL
- - image: docker.io/nikhilbh/kubernetes-policy-controller:latest
+ - image: docker.io/nikhilbh/gatekeeper:latest
 name: manager
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 588b48face7..2cd484714dd 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -84,7 +84,7 @@ spec:
 - "--replicate-cluster=v1/namespaces"
 - "--replicate=extensions/v1beta1/ingresses"
 - "--replicate=v1/pods"
- - "--policies=kpc-system"
+ - "--policies=gatekeeper-system"
 terminationGracePeriodSeconds: 10
 volumes:
 - name: cert
diff --git a/demo/port-forward.sh b/demo/port-forward.sh
index 48d425f9c21..53b922a7c8a 100755
--- a/demo/port-forward.sh
+++ b/demo/port-forward.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-controllerpod=$(kubectl -n kpc-system get po --no-headers | awk '{print $1}')
-kubectl -n kpc-system port-forward $controllerpod 7925:7925
\ No newline at end of file
+controllerpod=$(kubectl -n gatekeeper-system get po --no-headers | awk '{print $1}')
+kubectl -n gatekeeper-system port-forward $controllerpod 7925:7925
\ No newline at end of file
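Review bot: The rewritten `- image: docker.io/nikhilbh/gatekeeper:latest` in the manager_image_patch.yaml hunk keeps a mutable tag under an individual's Docker Hub namespace, so the admission-controller binary can change on the next pull with no manifest change and no record of which build admitted a given request. The same reference recurs in the deploy/gatekeeper.yaml StatefulSet hunk (there next to `imagePullPolicy: Always`) and, with the tag omitted entirely, in the deploy/kubernetes-policy-controller.yaml static-pod hunk. Since the rename already touches each of these lines, pin them to a release tag or digest, e.g. `- image: docker.io/nikhilbh/gatekeeper@sha256:<digest-placeholder>`, and consider publishing under the project's organization rather than a personal account as part of the same move.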
diff --git a/deploy/createnamespace.sh b/deploy/createnamespace.sh
index 67b83e66486..7352ec295a1 100755
--- a/deploy/createnamespace.sh
+++ b/deploy/createnamespace.sh
@@ -3,9 +3,9 @@ cd "${0%/*}"
 set -e
-echo "Create kpc-system namespace"
+echo "Create gatekeeper-system namespace"
 read -p "Press enter to continue"
 # create opa namespace
-kubectl create ns kpc-system
\ No newline at end of file
+kubectl create ns gatekeeper-system
\ No newline at end of file
diff --git a/deploy/delete-all.sh b/deploy/delete-all.sh
index 0ad583e1d79..5777ac9c076 100755
--- a/deploy/delete-all.sh
+++ b/deploy/delete-all.sh
@@ -7,4 +7,4 @@ read -p "Press enter to continue"
 rm -rf ./secret
 ./delete-webhook.sh
-kubectl delete ns kpc-system
+kubectl delete ns gatekeeper-system
diff --git a/deploy/delete-webhook.sh b/deploy/delete-webhook.sh
index 8b9e25c16fc..ee0ad369859 100755
--- a/deploy/delete-webhook.sh
+++ b/deploy/delete-webhook.sh
@@ -3,8 +3,8 @@ cd "${0%/*}"
 #set -e
-echo "Delete Kubernetes-policy-controller webhook config"
+echo "Delete gatekeeper webhook config"
 read -p "Press enter to continue"
-kubectl delete mutatingwebhookconfiguration kpc
\ No newline at end of file
+kubectl delete mutatingwebhookconfiguration gatekeeper
\ No newline at end of file
diff --git a/deploy/deploy-admission-policy.sh b/deploy/deploy-admission-policy.sh
index d6ecf9847b3..74f37e2370a 100755
--- a/deploy/deploy-admission-policy.sh
+++ b/deploy/deploy-admission-policy.sh
@@ -8,6 +8,6 @@ echo "Deploy Admission policies"
 read -p "Press enter to continue"
 # deploy admission policies
-kubectl -n kpc-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
-kubectl -n kpc-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
-kubectl -n kpc-system create configmap annotate --from-file=../policy/admission/annotate.rego
+kubectl -n gatekeeper-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
+kubectl -n gatekeeper-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
+kubectl -n gatekeeper-system create configmap annotate --from-file=../policy/admission/annotate.rego
diff --git a/deploy/deploy-all.sh b/deploy/deploy-all.sh
index 5769a821e8e..fe66a000316 100755
--- a/deploy/deploy-all.sh
+++ b/deploy/deploy-all.sh
@@ -7,10 +7,10 @@ echo "Deploy OPA and kube-mgmt"
 read -p "Press enter to continue"
 # create opa namespace
-kubectl create ns kpc-system
+kubectl create ns gatekeeper-system
-# deploy kubernetes-policy-controller
-kubectl apply -n kpc-system -f ./deploy/kpc.yaml
+# deploy gatekeeper
+kubectl apply -n gatekeeper-system -f ./deploy/gatekeeper.yaml
 # deploy kubernetes policies
-kubectl -n kpc-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
diff --git a/deploy/deploy-controller.sh b/deploy/deploy-controller.sh
index 94f567224e0..484bd4954aa 100755
--- a/deploy/deploy-controller.sh
+++ b/deploy/deploy-controller.sh
@@ -9,4 +9,4 @@ echo "Deploy OPA and kube-mgmt"
 read -p "Press enter to continue"
 # deploy opa
-kubectl apply -n kpc-system -f ./kpc.yaml
+kubectl apply -n gatekeeper-system -f ./gatekeeper.yaml
diff --git a/deploy/deploy-kubernetes-policy.sh b/deploy/deploy-kubernetes-policy.sh
index 6f2e1dac33d..2425e65d3b6 100755
--- a/deploy/deploy-kubernetes-policy.sh
+++ b/deploy/deploy-kubernetes-policy.sh
@@ -7,5 +7,5 @@ echo "Deploy Kubernetes policies"
 read -p "Press enter to continue"
 # deploy kubernetes policies
-kubectl -n kpc-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
-kubectl -n kpc-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
diff --git a/deploy/kpc.yaml b/deploy/gatekeeper.yaml
similarity index 82%
rename from deploy/kpc.yaml
rename to deploy/gatekeeper.yaml
index f63cbaf8e8b..0f4c56ed717 100644
--- a/deploy/kpc.yaml
+++ b/deploy/gatekeeper.yaml
@@ -17,7 +17,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: kpc-cluster-role
+ name: gatekeeper-cluster-role
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
@@ -30,22 +30,22 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: kpc-cluster-role
+ name: gatekeeper-cluster-role
 roleRef:
 kind: ClusterRole
- name: kpc-cluster-role
+ name: gatekeeper-cluster-role
 apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
 name: default
- namespace: kpc-system
+ namespace: gatekeeper-system
 ---
 # Define role for OPA/kube-mgmt to update configmaps and manage services and secrets
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- namespace: kpc-system
- name: kpc-namespace-role
+ namespace: gatekeeper-system
+ name: gatekeeper-namespace-role
 rules:
 - apiGroups: [""]
 resources: ["configmaps"]
@@ -58,16 +58,16 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- namespace: kpc-system
- name: kpc-namespace-role
+ namespace: gatekeeper-system
+ name: gatekeeper-namespace-role
 roleRef:
 kind: Role
- name: kpc-namespace-role
+ name: gatekeeper-namespace-role
 apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
 name: default
- namespace: kpc-system
+ namespace: gatekeeper-system
 ---
 apiVersion: v1
 kind: Service
@@ -75,8 +75,8 @@ metadata:
 labels:
 control-plane: controller-manager
 controller-tools.k8s.io: "1.0"
- name: kpc-controller-manager-service
- namespace: kpc-system
+ name: gatekeeper-controller-manager-service
+ namespace: gatekeeper-system
 spec:
 selector:
 control-plane: controller-manager
@@ -90,14 +90,14 @@ metadata:
 labels:
 control-plane: controller-manager
 controller-tools.k8s.io: "1.0"
- name: kpc-controller-manager
- namespace: kpc-system
+ name: gatekeeper-controller-manager
+ namespace: gatekeeper-system
 spec:
 selector:
 matchLabels:
 control-plane: controller-manager
 controller-tools.k8s.io: "1.0"
- serviceName: kpc-controller-manager-service
+ serviceName: gatekeeper-controller-manager-service
 template:
 metadata:
 labels:
@@ -117,8 +117,8 @@ spec:
 apiVersion: v1
 fieldPath: metadata.namespace
 - name: SECRET_NAME
- value: kpc-webhook-server-secret
- image: docker.io/nikhilbh/kubernetes-policy-controller:latest
+ value: gatekeeper-webhook-server-secret
+ image: docker.io/nikhilbh/gatekeeper:latest
 imagePullPolicy: Always
 ports:
 - containerPort: 9876
@@ -148,7 +148,7 @@ spec:
 - --replicate-cluster=v1/namespaces
 - --replicate=extensions/v1beta1/ingresses
 - --replicate=v1/pods
- - --policies=kpc-system
+ - --policies=gatekeeper-system
 image: openpolicyagent/kube-mgmt:0.6
 imagePullPolicy: Always
 resources: {}
@@ -157,10 +157,10 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: kpc-webhook-server-secret
+ secretName: gatekeeper-webhook-server-secret
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: kpc-webhook-server-secret
- namespace: kpc-system
\ No newline at end of file
+ name: gatekeeper-webhook-server-secret
+ namespace: gatekeeper-system
\ No newline at end of file
diff --git a/deploy/kubernetes-policy-controller.kubeconfig b/deploy/kubernetes-policy-controller.kubeconfig
index 0269f298a3e..441feeeb90c 100644
--- a/deploy/kubernetes-policy-controller.kubeconfig
+++ b/deploy/kubernetes-policy-controller.kubeconfig
@@ -1,7 +1,7 @@
 clusters:
 - name: webhook
 cluster:
- certificate-authority: /etc/kubernetes/pki/kubernetes-policy-controller.ca
+ certificate-authority: /etc/kubernetes/pki/gatekeeper.ca
 server: https://localhost:7925/v1/authorize
 users:
 - name: webhook
diff --git a/deploy/kubernetes-policy-controller.yaml b/deploy/kubernetes-policy-controller.yaml
index 0c8057dbbe6..cdb87efee2c 100644
--- a/deploy/kubernetes-policy-controller.yaml
+++ b/deploy/kubernetes-policy-controller.yaml
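Review bot: The kubeconfig hunk moves the trust anchor to `certificate-authority: /etc/kubernetes/pki/gatekeeper.ca` but leaves the file itself named deploy/kubernetes-policy-controller.kubeconfig (the diffstat confirms only deploy/kpc.yaml is renamed), while the README hunk for the authorization scenario now links to ./deploy/gatekeeper.kubeconfig and ./deploy/gatekeeper.yaml, neither of which this patch creates. Either rename deploy/kubernetes-policy-controller.kubeconfig and deploy/kubernetes-policy-controller.yaml in the same commit or keep the README links on the existing names; as committed, the authorization-webhook setup steps point at files that do not exist. A one-line comment above the cluster entry, e.g. `# CA that signed the cert referenced by --tls-cert-file in kubernetes-policy-controller.yaml; keep the three pki paths in sync`, would make the coupling visible so a future rename cannot silently break API server to webhook TLS trust.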
@@ -2,22 +2,22 @@ apiVersion: v1
 kind: Pod
 metadata:
 labels:
- component: kubernetes-policy-controller
- app: kubernetes-policy-controller
+ component: gatekeeper
+ app: gatekeeper
 tier: control-plane
- name: kubernetes-policy-controller
+ name: gatekeeper
 namespace: kube-system
 spec:
 hostNetwork: true
 priorityClassName: system-cluster-critical
 containers:
- - name: kubernetes-policy-controller
- image: docker.io/nikhilbh/kubernetes-policy-controller
+ - name: gatekeeper
+ image: docker.io/nikhilbh/gatekeeper
 imagePullPolicy: Always
 args:
 - --addr=https://127.0.0.1:7925
- - --tls-cert-file=/etc/kubernetes/pki/kubernetes-policy-controller.crt
- - --tls-private-key-file=/etc/kubernetes/pki/kubernetes-policy-controller.key
+ - --tls-cert-file=/etc/kubernetes/pki/gatekeeper.crt
+ - --tls-private-key-file=/etc/kubernetes/pki/gatekeeper.key
 - --opa-url=http://localhost:8181/v1
 - --authorization-mode
 volumeMounts:
diff --git a/docs/design/design.md b/docs/design/design.md
index ef34ecd34ea..2e2c91232a0 100644
--- a/docs/design/design.md
+++ b/docs/design/design.md
@@ -19,7 +19,7 @@ The following are basic components of policy controller at the cluster level ![Components](./k8s-policy-design.png) -### kubernetes-policy-controller +### gatekeeper This is a kubernetes service which exposes the `audit`, `admit` and `authorize` TLS http methods for the cluster. The `admit` functionality is used as `MutatingWebhookConfiguration` by the kubernetes apiserver. The `audit` functionality exposes the current evaluation state of the cluster. In addition the controller is responsible to validate the correctness of the policies that are being added for the cluster e.g. checking for conflicting patches; making sure that the policies are valid `rego` documents. The `authorize` functionality can be used as [webhook authorization module](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules). In this case the APIServer sends a SubjectAccessReview for every request made to the APIServer to kubernetes policy controller and the controller can deny these requests based on OPA policies. @@ -30,7 +30,7 @@ The evaluation is a call to `OPA`. This call produces one or more decisions. Eac ### open-policy agent(OPA) -open-policy-agent(OPA) service is the policy engine for the kubernetes policy controller. It performs evaluations as called by `kubernetes-policy-controller`. For our `audit` requirement OPA can not be used as a standalone. We also chose to use OPA as a service (instead of using as a lib) as it allows to +open-policy-agent(OPA) service is the policy engine for the kubernetes policy controller. It performs evaluations as called by `gatekeeper`. For our `audit` requirement OPA can not be used as a standalone. We also chose to use OPA as a service (instead of using as a lib) as it allows to 1. Decouple the kubernetes admission controller logic from the policy engine. 2. When needed, the policy engine can be hosted outside of the cluster. 
diff --git a/docs/ingress-host-conflict.md b/docs/ingress-host-conflict.md index f28ea9ba2f5..8803b0e251d 100644 --- a/docs/ingress-host-conflict.md +++ b/docs/ingress-host-conflict.md 
@@ -1,14 +1,14 @@ -# kubernetes-policy-controller +# gatekeeper -Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [kubernetes-policy-controller](https://github.com/Azure/kubernetes-policy-controller) extends the compliance enforcement at “create” event not at “run“ event, some of the examples are "Minimum replica count enforcement", "White listed/ black listed registries", "not allowing conflicting hosts for ingresses". Kubernetes allows decoupling complex logic such as policy decision from the inner working of API Server by means of "admission controllers”. Admission control is a custom logic executed by a webhook. `Kubernetes policy controller` is a mutating and a validating webhook which gets called for matching Kubernetes API server requests by the admission controller to enforce semantic validation of objects during create, update, and delete operations. It uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)) is a policy engine for Cloud Native environments hosted by CNCF as a sandbox level project. +Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [gatekeeper](https://github.com/open-policy-agent/gatekeeper) extends the compliance enforcement at “create” event not at “run“ event, some of the examples are "Minimum replica count enforcement", "White listed/ black listed registries", "not allowing conflicting hosts for ingresses". Kubernetes allows decoupling complex logic such as policy decision from the inner working of API Server by means of "admission controllers”. Admission control is a custom logic executed by a webhook. `Kubernetes policy controller` is a mutating and a validating webhook which gets called for matching Kubernetes API server requests by the admission controller to enforce semantic validation of objects during create, update, and delete operations. 
It uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)) is a policy engine for Cloud Native environments hosted by CNCF as a sandbox level project. -The administrator of the cluster defines the policy which is enforced by the `kubernetes-policy-controller`. There are two type of policies namely `validation` e.g. white listed registries and `mutation` e.g. annotating objects created in a namespace. +The administrator of the cluster defines the policy which is enforced by `gatekeeper`. There are two type of policies namely `validation` e.g. white listed registries and `mutation` e.g. annotating objects created in a namespace. Lets lets look at the example below which implements a validation policy to ensure Ingress hostnames must be unique across Namespaces. -## deploy `kubernetes-policy-controller' on a kubernetes cluster +## deploy `gatekeeper' on a Kubernetes cluster -Prerequisites are that you have a kubernets cluster (e.g ACS Engine or Azure Kubernetes Cluster (AKS)) +Prerequisites are that you have a Kubernetes cluster To implement admission control rules that validate Kubernetes resources during create, update, and delete operations, you must enable the [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) when the Kubernetes API server is started. the admission controller is included in the [recommended set of admission controllers to enable](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use) ### 1. create opa namespace @@ -17,7 +17,7 @@ To implement admission control rules that validate Kubernetes resources during c kubectl create ns opa ``` -### 2. create tls secret for `kubernetes-policy-controller` +### 2. create tls secret for `gatekeeper` ```bash openssl genrsa -out ca.key 2048 @@ -62,9 +62,9 @@ cat > ./validating-webhook-configuration.yaml <