Using Gatekeeper to Secure your Environment
Kubernetes is an extensible system, but also a very complex one. In enterprises, it is common to define a set of best practices about how to use Kubernetes as well as how to build software, and then to attempt to get everybody doing things the same way.
If you have ever tried to get multiple different teams to do things the same way, you know that that is hard. Once things are in production, nobody ever wants to change things because they are already focused on the next feature or next milestone.
So, what if there was a way to define the best practices (with code or otherwise) and then to report on how compliant teams are with your best practices? And what if you could even prevent things from being deployed that did not follow best practices?
That is essentially what Gatekeeper does. You define your requirements with two kinds of objects: constraint templates, which carry the policy code written in a language called Rego, and constraints, which supply the configuration details (parameters and the scope the policy applies to) for a given template. Together, the Rego code and the configuration parameters allow you to define, measure, and enforce compliance in Kubernetes.
Gatekeeper Examples – Without M9sweeper
You can install Gatekeeper on a small cluster using a one-liner:
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml
However, in an enterprise environment we recommend using the project's Helm chart and tuning its values, so that upgrades are easier to perform and you can set CPU/RAM requests and limits appropriate to your cluster.
Once installed, you need to create a constraint template, such as this:
And a constraint, tying that particular requirement to a specific set of namespaces:
Gatekeeper Examples – With M9sweeper
With M9sweeper, you can install constraint templates from a library of prewritten constraint templates (based upon the official open source Gatekeeper library):
Then, you can create constraints for specific namespaces or pods:
Conclusion
When you have multiple teams deploying software to Kubernetes, it is important to make sure they do so in a disciplined manner, so that no one team can deploy software that causes issues for another team at your company.
Gatekeeper helps you to configure rules that developers must follow when deploying software, or it lets you assess how well the team is doing when deploying software. And, as always, M9sweeper makes deploying and managing these tools easy for you and your team.