-
Resolve "Update documentation to reflect Kyverno (not gatekeeper) as core supported solution for policy enforcement in bigbang"
Resolve "Update documentation to reflect Kyverno (not gatekeeper) as core supported solution for policy enforcement in bigbang"
OPA-Gatekeeper
DEPRECATED: Kyverno is the preferred method to enforce policies within Big Bang as of version >=2.0.0
Overview
Gatekeeper is an auditing tool that allows administrators to see what resources are currently violating any given policy.
Big Bang Touch Points
graph LR
subgraph "OPA Gatekeeper"
collector("Collector") --> auditor{{Auditor}}
end
subgraph "Metrics"
auditor{{Auditor}} --> metrics("Metrics")
end
subgraph "Kubernetes API"
api("Kubernetes API") --> collector("Collector")
auditor{{Auditor}} --> api("Kubernetes API")
end
subgraph "kubectl"
ctl("kubectl") --> api("Kubernetes API")
end
Storage
Data from gatekeeper is not stored is provided via metrics.
Database
Gatekeeper doesn't have a database.
Istio Configuration
When deploying to k3d, istio-system should be added from excludedNamespaces under the allowedDockerRegistries violations. This can be done by modifying chart/values.yaml file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the istio-system namespace to be pulled from outside of Registry1.
gatekeeper:
values:
violations:
allowedDockerRegistries:
match:
excludedNamespaces:
- istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancersHigh Availability
High availability is accomplished by ensuring the replicas in the values file of this helm chart are > 1. By default, this chart is configured for high availability with replicas: 3.
gatekeeper:
values:
replicas: 3Single Sign on (SSO)
None. This service doesn't have a web interface.
Licensing
Dependencies
None.