From YouTube: Webinar: K8s with OPA Gatekeeper
Description
If your organization has been operating Kubernetes, you probably have been looking for ways to control what end-users can do on the cluster and ways to ensure that clusters are in compliance with company policies. With Kubernetes, how do you ensure compliance without sacrificing development agility and operational independence? Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA), a policy engine for Cloud Native environments hosted by CNCF.
Presenters:
Sertaç Özercan, Software Engineer @Microsoft
Lachie Evenson, Principal Program Manager @Microsoft
A: All right, we're gonna go ahead and get started. I'd like to thank everyone who's joining us today. Welcome to today's CNCF webinar, "Ensuring compliance without sacrificing development agility and operational independence in Kubernetes with OPA Gatekeeper." I'm Karen Chu, community program manager at Microsoft and CNCF ambassador. I'll be moderating today's webinar, and we'd like to welcome our presenters today: Sertaç Özercan, software engineer at Microsoft, and Lachie Evenson, principal program manager at Microsoft.

Just a few housekeeping items before we get started. During the webinar you will not be able to talk as an attendee. There is a Q&A box at the bottom of your screen; please feel free to drop your questions in there and we'll get to as many as we can at the end. This is an official webinar of the CNCF and, as such, is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of the code of conduct. Basically, please be respectful to all of your fellow participants and presenters. Please also note that the recording and slides will be posted later today to the CNCF webinar page at cncf.io/webinars, and with that I will hand it over to Sertaç and Lachie to kick off today's presentation.
B: Wonderful, thank you very much, Karen. Hello everybody, and welcome. You are in for a real treat today. Today we're talking about OPA Gatekeeper, and for those of you who've never heard of OPA or Gatekeeper, we're going to walk you through everything you need to know about policy and governance for your Kubernetes cluster.

So today we're gonna go on a journey: telling you what OPA Gatekeeper does, sharing how you would use it, walking through a real-world scenario from end to end in both personas, admins and developers alike, sharing some demos with you, and then telling you how you can get connected into OPA Gatekeeper. Now it's worth noting that OPA Gatekeeper is a sub-project of Open Policy Agent.

So when I say OPA I'm speaking about Open Policy Agent, which is a CNCF project. Gatekeeper is specifically about how we implement OPA in Kubernetes using the Kubernetes API and CRDs. So we're going to go through the whole thing: how you can create policy and how you can make sure that all your Kubernetes resources are in compliance with that policy. You can see the link there down the bottom on GitHub, so if you're interested in following along, everything we're going to be sharing today is available at that GitHub link.

So we're excited to get started here. Next slide, Sertaç. First we're going to share what Gatekeeper actually is under the hood. Gatekeeper is, as it states there, a customizable Kubernetes admission webhook. So if you're not familiar with admission webhooks, you can actually create pieces of software and, for each request that comes into the Kubernetes API, you can send them over to this webhook to make a decision on whether to admit that request or deny that request.

So we can actually create policy behind that, backed by OPA, and decide on whether we should admit or deny each request that comes into the Kubernetes API. And why would we want to do this? It's to enforce policies and strengthen governance, so we're going to dig into exactly what that means and how it affects you. Next slide.

So really, we want to understand why people would be interested in using Gatekeeper and the problems it tries to solve. So if you've been using Kubernetes and operating Kubernetes, you've probably been looking at ways for end-users to actually have a great experience, and to control what end-users can do, whether they're creating any types of resources. You want a way to actually understand and create policy and say whether those resources can be created. For example, can you label deployments a specific way?

Can you create specific objects with specific specifications in those objects? So at object creation time in the Kubernetes cluster, we can actually control what we will admit based on some criteria there. So we can create policy here to meet governance and legal requirements and also just to enforce best practices. For example, I've seen some policies out there to say, hey, you're using a deprecated Kubernetes API; you could send a message back to your user so that they can be enticed to move to a stable API.

That's just an example; we're going to walk through some other examples of how you might actually use Gatekeeper. So let's get into a real-world example here. Now, the way we're going to break this example down is we're going to do it from the perspective of two different personas in a fictitious company called Agile Bank.

So, of course, Agile Bank is building the greatest P2P money transfer ever created, but more to the point, they're in a highly regulated industry, so they need to ensure that their cluster resources on a Kubernetes cluster are compliant with some governance that they've defined for those resources. Now I like the last point here: both admins and developers are unhappy. Let's see how we can use Gatekeeper to make both of those personas happy, and how we can actually not get in the way of the great experience Kubernetes has.

So first of all, I'm gonna be wearing the admin hat. I'm gonna pass it to Sertaç to wear the developer hat. But let's take a look at the admin persona specifically. So I'm an admin; I can't keep up with infrastructure changes. People need new resources. People want access to different types of things. You have persistent volumes, secrets, different backends, different networks, load balancers, for example.

Everybody keeps making the same mistakes, so we actually need everything labeled a very specific way so that it is compliant, but some development teams aren't labeling things the way that we need them to. So can we take an action on that? And figuring out what resources belong to what groups is hard. Does this sound familiar? Can we actually solve this problem with Gatekeeper and make my life and my team's life much easier? Now we're going to pass it over to the developer persona, Sertaç.
C: And as a developer over here, I cannot make changes. I am ready to go; I know exactly what I want. I want to test my app; I want to deploy to production. I don't have any permissions to do it, because I need to wait for the admin to give me access to the resources. So I keep waiting for the admin to make these changes, and sometimes it takes a long time. Sometimes the turnaround is really long, so I just keep waiting for these changes, and then, when I do something, it's hard to know if that changes conformance.

Sometimes these conformance changes... So it's really hard to keep track of what changes over time, while I just want to focus on the app; I wanna focus on my code. I also need to know about all these conformance changes that happen at Agile Bank all the time. These changes are proposed, rejected, updated, re-proposed, so it's very hard to keep up with over time, and the turnaround time is... is it a day? So it takes a long time to keep up with all the changes that happen.
B: Okay, before we go into the user requirements, I see some great questions that I would love to answer live, so I'm going to take a moment. Please keep the questions coming; we are here to answer those questions, and thank you for asking them. First question is: will the demo code samples be made available afterwards?

Absolutely. So if you go to the Gatekeeper repository on the first slide that we had there, which is open-policy-agent/gatekeeper, there is a directory called demo. In that directory is a script we are going to run through in the demo later in this webinar, and you can recreate it on your own afterwards, so you should be able to get access to the complete demo. So don't worry about typing or taking screenshots. Also, this will be recorded, and we have recordings of the demos as well. So hopefully that answers your question.

Thank you, Sertaç. Second question, which I'm going to take a stab at: at some point it would be good to understand the difference between OPA Gatekeeper and Kyverno, which is a similar project. Unfortunately, I don't have all the knowledge of Kyverno; I have heard of it, so I can't speak authoritatively to the differences. Sertaç, do you know?

So unfortunately we can't speak to it. Hopefully we will give you enough of the equation today to answer what Gatekeeper does and how it operates, and then we can take a look at Kyverno. Thank you for asking that question. Last question is: does OPA allow specifying whether a cluster role is allowed or not on a cluster, and by whom? Is there a GitHub repository to give useful rules to be set inside a Kubernetes cluster?

So there are two parts to this question. I'm going to answer the second part: we have links later in this, where we have policy libraries and example policies that you can apply to a Kubernetes cluster for the most common use cases. You are also free to write your own policies and PR them up as well, but we have covered many things that we'll cover in this webinar. The first part of that question, Sertaç, can you answer that? So does it?
C: Using Gatekeeper you can set up rules to be able to allow certain things; it could be images, it could be labels, it could be anything, even not. Basically, in those things, we are going to show some of the libraries in this webinar, so you'll be able to try those out and then see if those work for you or not. And then we also have these Pod Security Policy equivalent sort of policies that you can try out, and then see if they work for your use case.
B: Slow down, slow down. Yeah, okay, there we are. Okay, so we're at user requirements. So remember, we're going through the requirements of Agile Bank from the perspective of the admin and the developer. So now what we're going to do is just codify exactly what those requirements are. So we want to free up admins' time, allow them to have audit and enforcement and have that automated for them, and make sure they have common best practices.

So we just had a question about what common best practices are; we'll show you how to enforce common best practices for Kubernetes clusters. And all resources have a clear owner. So that's just for our administrative team, our operational team, to understand who owns what resources. And from the developer side, we want to unblock developers, so admins are no longer standing in the way of all the changes they need to make to their specific application.

So self-service is no longer a risk to conformance, and fail-fast means that we can actually implement ways to give developers instant feedback. Okay, so from here, let's take a look at some specific governance policies that we're going to create. So here are some policies that Agile Bank would like us to create. All namespaces must have a label that points to a point of contact. All pods must have an upper bound for resource usage. Everybody knows having no resource limits on your pods can cause all kinds of fun.

This is a great way to actually make sure that everything has a resource limit. All images must be from an approved repository. So your container repository: you have an internal corporate container repository; how do you make sure that everything deployed to this Kubernetes cluster only comes from that repository? Super important; I hear that one very often. Services must have globally unique selectors. Have you ever typo'd a label selector on your service and actually pointed to the wrong service on the back end? Also very common; I know I've done so.

I would love to have a way to make sure that label selectors are globally unique, and ensure all ingress host names are unique. This is also a fun one. If you reuse ingress host names unbeknownst to somebody else in some other namespace, you can have weird and wonderful effects on your ingress controller, so you can actually enforce that out of the gate and make sure that all your ingresses are globally unique.
C: So we defined constraint properties as things we want to AND together. So in this sense, we want to express intent by ANDing them together: adding more constraints only makes the cluster more constrained, and removing can only loosen these constraints. So by that, there should be no weird interaction between adding one constraint and something happening over there.

We only want to make it more constrained by adding more constraints, and removing can only loosen them. And then, since these are all ANDed together, one rejection should end up being the whole request being rejected. So in this way we can keep track of, like, hey, when I AND these together, if any of them is not true, then we reject the request. And then we also want to define a schema where we can write constraints that give the intent of, like, hey, this is the name that we want, or this is the regex that we are looking for. In this way it's going to be less error-prone.

In this slide we are going to see an example of a constraint. So this one is apiVersion constraints.gatekeeper.sh, and then its kind is K8sRequiredLabels. So this is Agile Bank's "all namespaces must have an owner" use case. So in this case we are just looking for the Namespace kind, since namespaces are in the core API group.

So the message is a nicer message that the user gets when their request is rejected: "All namespaces must have an owner label that points to your company username." So this way you failed, but at the same time you get a message saying why you failed. So this is a concise way of knowing, like, hey, I need to do these actions. And then here, for the Agile Bank use case, is the allowedRegex, so that users can add their user names or whatever.

So constraints are basically... and so later, you're gonna see constraint templates. So in constraint templates you define the logic of what happens, like the Rego code that executes when you want to run some of the policy engine. Basically constraints give some of the parameters to those templates. So if...
C: So basically, in our issues, if you go and look for the label "blocking GA", you'll see exactly what needs to be done. So for GA we want to define HA, like high availability. So you want to have at least the definition of high availability and then some other items. If you go to the issues, you'll see what needs to be done. So one example is, for example, cache warming.

So, for example, when Gatekeeper starts, it should look at the existing constraints and constraint templates in the system and then put those into Gatekeeper's, you know, cache, and then start serving after these are all processed, and then have the ready check after all of these are processed. Okay.
B: Two more questions. Do you think that with OPA we can manage to obtain a multi-tenancy Kubernetes secure cluster? I would... Sertaç, I think this can be used as a piece of the puzzle. Security has many layers; this can be one of them, to enforce how resources are created and how they're allowed access.

So it would be one piece. I wouldn't go as far as to say that if you implement this you would have a multi-tenant secure Kubernetes cluster, only because there are multiple layers, even then: container runtimes, authorization. There are many pieces to that puzzle, but this can be used to complement your security model in Kubernetes.

This one I think I can answer, but I'll read it out for Sertaç as well: if OPA Gatekeeper is down, does it block active deployments? Does it run in a chain mode? So, as I was saying, the definition of HA is one of the blockers to get v3 to GA. So at the moment it depends on how you configure your ValidatingWebhookConfiguration.

You can either have it fail open or fail closed, meaning that if Gatekeeper is down, will you allow the request or will you block it? And that is part of your ValidatingWebhookConfiguration on the Kubernetes cluster. So you can do it both ways, but obviously we want it to always run, which is why we would like to have an HA option. Yeah.
C: So the next topic is basically audits. So with audits, we want to look at the resources in the cluster and then periodically evaluate how these are doing against constraints: whether these are in violation or in compliance. So this one is good, so developers or admins can look at cluster state and then compliance of the resources that are running in the cluster as it happens, basically.

You can always take action against these audit results. So these audits are exposed via the status field of the constraint; we're gonna see it in the next slide. So basically this is like a really nice way to just look at the state of the cluster. And then a recent change in Gatekeeper is we are now allowing Gatekeeper audit as a separate deployment, so you don't have to have the validating webhook deployed to run audit.

So this is like a very asked-for use case, because some people just want to start with audits and see what their compliance is without actually deploying the webhook and then seeing rejections. So this is like a really good way to see what is compliant or not compliant in your cluster.

So this is basically the constraint we just deployed earlier; you just saw it earlier. So in the status field, like I mentioned, you'll see there are audit timestamps. So this is the last time that audit happened, and then under violations you'll see what namespaces are in violation of this rule. So in this case we have default, gatekeeper-system, kube-public, kube-system. And then, because of resource constraints in the cluster, we are keeping these violations limited by default; I believe it's 20, but you can always increase it.

Yeah, like I mentioned earlier, we want to test these without enforcing them. This is where the dry run comes in. So just like audits, I mean this is part of audit; you'll see the evaluations in the status, but in this case they are not actually enforced; they're only seen in the cluster as violations. So similarly, if you add an enforcement action of dryrun, you'll get into the dry run mode for that constraint. By default the enforcement action is deny.
B: Yeah, I just want everybody to take a moment to understand audit and dry run specifically. So I think the use case here is: I have a cluster with a lot of resources and I want to bring that cluster into compliance. So I haven't installed a brand new cluster, or created a brand new cluster and put Gatekeeper on it. I have a lot of resources; I want to bring them into compliance. So with dry run and audit,

it allows you to actually get visibility and pass through that loop of all your policies and see what's out of compliance, and then take action to fix things, and you would eventually have this status field empty once everything is in compliance. So now I want to pass that answer back through a question we have here: is it possible to crash or block your Kubernetes cluster?

If you have a bad rule, it is absolutely possible to do that, which is why we created dry run and audit, to allow you to actually say, I want to test this policy and see if it's catching the things that I want it to catch, and then clean them up without having the risk of actually blocking admission to the cluster. So that's one question; keep going.
C: Indeed, one of the other Agile Bank scenarios is we wanna enforce globally unique ingress host names. For the uniqueness, this is an interesting use case because we wanted to define some constraints that compare things to each other and then make sure that they are unique, and some of these constraints are impossible to write without access to state beyond just the object under test. So because we want to see the other objects in the cluster, by default our audit will request each resource from the Kubernetes API server.

So it uses the discovery client to chat with the Kubernetes API server in each cycle of the audit, but we have a flag called audit-from-cache. So if you set this flag, the source of truth will be the OPA cache, so OPA will have the cache, and it's defined by this Config object on the right that you'll see here. So it'll basically cache things like namespace, service, pod; you could have like ingress or service, and in here ingress, for example.

Here, whatever things you want. So if you want to compare objects against each other, things like this, in this case you would need data replication and the Config object, but by default it will use the Kubernetes API server. So you would not need this unless you are handling uniqueness cases.

And then we talked about constraint templates earlier. So Rego is the language for OPA. I mean, the constraint template contains the Rego, so it basically contains all the logic of what happens when Gatekeeper executes these constraints, and then, if the rule matches, the constraint is violated. And then we also talked about the schema for the constraints, and this is where the schema is defined. This is a little small; hopefully you can see this one.

So this is the same example for the kind K8sRequiredLabels; you'll see the schema defined here, and this is the exact one we looked at earlier. So this is where you define your schema, while the constraints contain your parameters. So in this case we are defining things like the message, which is of type string, or allowedRegex, which is also a string. This is the schema of the constraint, and then under the targets is the Rego. This is where the Rego, like the logic...

Deny, basically. So this is where you define your different logic, and then we're going to see in the library; you can take a look at it. We have some of the common use cases, and you can always get started with those things. So you don't have to come up with all these for yourself, but in the library we have most of the common use cases, and then you can also define things like helper libraries or anything in Rego.

This is what you see here, so you would see how many denies you have seen, how many dry runs of these violations, so you could track over time what happens in your cluster. But you are also going to see the total number of constraint templates and constraints, when the last audit was, and how long the audit took.
B: Continuing; we'll take questions in a moment. So I think one of the biggest values that Gatekeeper brings to OPA is it allows for code reuse. So if you've worked with Open Policy Agent, building your own Rego policies to actually do the thing that you intend to do can be complex, and you need to understand it.

But one of the things Gatekeeper brings is a structured, schematized version of that via constraint templates and constraints using Kubernetes, so that you can actually share these things around, put them in your CI/CD pipelines, test them, make assertions on the schema of the types. So you can actually build some really good safeguards using Kubernetes APIs around what you're putting into that Rego, which is the native policy language of OPA.

So the good thing about constraints and constraint templates and Gatekeeper is we can build policy libraries and share them and bring your own parameters, which is absolutely fantastic. So what I'm going to do is take a moment to answer a few questions here, and then we're going to move into a time of demos.

So a couple of questions, and this is one that's probably interesting to you: the violations are kept in the custom resource for the rule; how about generating events for the concerned resources so that it also shows up on the violating resources? Does this make sense, Sertaç? So I'm guessing that you would annotate in the status field of a deployment if it was in violation, is what the question is. Yeah.

That's interesting. At the moment we wanted to coalesce them into one place around the policy, so you didn't have to go and look in many places, but that's an interesting thing; feel free to raise an issue if you want to discuss that further. I think there's one more related: the violations can either be viewed in the constraint's status or sent to logs. Is there an alerting integration, i.e. send the violations to Slack, or how can we implement it with any community tool? So do we have an eventing system? You just said no.

B: Well, there's a few more questions here. Go to the next slide, please, Sertaç. So we have some demos; they're pre-recorded; we're going to walk through them now. Can you just pull up the first demo, and I'm going to quickly answer just a few more questions. So our first one is: is there any existing repository hub for constraint templates that has regular generic policy? Yes, we have a link in the deck a little bit later, so you'll see that.

B: Yeah, it's certainly doable. I would just caution: obviously your failure scenario is when you use a webhook that points off-cluster or to another cluster. Obviously you need to really understand the paths there to understand how it's going to operate if it fails, but we've been co-locating it and testing with colocation currently. Okay. So thank you for all those questions. In this first demo we're actually going to step through those policies that we've created for Agile Bank and show you how they look for not only an admin but for a developer.
B: Absolutely. So you can install Gatekeeper on any Kubernetes cluster, whether that's local using kind, or whether that's a cloud provider, or something that you are running on-prem. Okay, so we're just gonna get pods. I think we're gonna run through the install right now. I've got a cluster here. Okay, so we're just applying the Gatekeeper set of manifests, which creates and sets up Gatekeeper and installs it on this cluster. So we can see that that has happened.

So I want to understand as an admin here who created this namespace, and how can I trace it back to the person or the team that created it? Okay, so before I delete it, I can go and create a policy to make sure that this never happens again. So here we have some constraint templates that are just applied to the cluster. The interesting one is required labels for this specific demo.

Okay, we're going to have a look at those constraints and we're going to apply the constraints, which provide the parameters to those constraint templates, and, as we can see here, all namespaces must have an owner, which means that there must be a key `owner` with a value that meets that regex for it to be allowed.
C: So all namespaces must have an owner label, but I don't have it, because I just tried to create the namespace production directly in kubectl. Oh wait, and here's what a good resource looks like: so I'm including this owner label in my production namespace. Oh wait, it's created; that's nice!

So now anybody can identify it, and then I want to deploy some pods where I define no limits, and then I get another error from the server saying that my pod doesn't specify any resource limits. So maybe I should specify some resource limits, so Kubernetes would know how to take care of it.

And in here I want to deploy; I changed the repos to open-policy-agent in this case, and then, as you can see, the error messages are actionable, so you can take action immediately based on the error. So in the end, when I deployed the OPA one, it...
B: Right, so now we're looking through the audit use case. How do I actually look at resources that already exist that are non-compliant with that policy? So we're going to go check the audits, because we have some pods without resource limits. How do we actually look at that? Of course, we take a look at the K8sContainerLimits custom resource, and we can go and take a look specifically in the status section. We can see the pods that don't have any limits, so you can see down here in status.

Okay, so we've rolled out this new policy to production; I can now guarantee that everything is in compliance. We also want to make sure that all ingress names are unique. So this is a common one that causes a lot of failures. Now we're taking a look at introducing new policies, which can be dangerous. We had a question about this earlier: how do we gain confidence that a policy that we've defined is actually doing what we need and doesn't break our Kubernetes cluster or bring down the entire stack?

Yes, so, as you can see, here is another ingress, host two, with the same host name as the other, and that's being allowed. It should show up in the audit to say that we indeed have that example. Okay, so soup-to-nuts, that is the whole flow from admin to developer. Sertaç is also going to show you what the metrics look like. Sertaç, that's the second demo; go ahead.
C: So this is the Prometheus dashboard, so you're going to see them; we're just doing this locally from the kind cluster. So these are the same metrics that happened during the demo. Basically I just recorded it; I had Prometheus running. So you see in this case we had 32, 3 deny violations, and 24.

Then so that's zero, and then you can graph it. So over time you can see how much changed and how many dry run changes you add, so you could have alerts, maybe, you know, in Alertmanager, to say, like, hey, if there's any dry run or denying, alert me on Slack or whatever. And in this case we are seeing the audit last run. So this has the nice timestamp of the audit run, and then here how many constraint templates we had.

Then you can see the values there too, and then these are the request counts. As you know, Kubernetes always does requests which are allowed, so the red ones you see are the requests that Kubernetes does to itself, and then these are the ones that we did that got denied. So those are forty-nine, but Kubernetes keeps doing requests, so you can keep track of those as well.
B: Excellent, thank you, Sertaç. I'm going to power through the rest of the deck here, and we have a few questions. So just a status on the project: it's in beta, which we've answered. It's looking to define HA to go to GA for v3 of Gatekeeper. If this is something that interests you, we're interested in understanding how you want to use it; feel free to raise issues.

I've heard a lot of questions on different things that we haven't thought of as part of Gatekeeper; filter them to bring them to the community, and we will show you the links in a minute. Keep going. I know there were some questions about policy libraries; they're all in the upstream repository, so there are predefined constraint templates and even a Pod Security Policy equivalent, where we've modeled effectively what the Pod Security Policy API does in Gatekeeper constraint templates.

So you could consider using that, and that was something that was just asked generally in the community, so the maintainers went and worked on that. Okay, keep going. Potential growth: here we've had a question about mutation. Mutation is complex, so it's a lot of work to make mutation work in the right way and have stable outcomes, so feel free to come and help with that if you're interested.

External data sources, like different directories, different places where you can make decisions on whether you admit or deny a request. Authorization: likely a separate project, but Kubernetes allows different webhooks for both admission and authorization; could it be used for authorization as well? Developing audit features: we had some great questions about that, where we could support audit data and just develop a tool, making it way more simple to use and integrate into. These are all areas we're interested in getting people involved in.

Finally, feel free to come and join us. There are meetings every alternating Wednesday, and there is the #kubernetes-policy channel on the Open Policy Agent Slack. You can come there, or you can just go to the Gatekeeper repository and get started. And with that, that concludes our slide deck. I will try and rush through these final three questions that we have before we close at the time. Is there any support to deploy OPA GK via Kustomize?
B: This question is really interesting; I'll take it. If an old pod from a deployment violates a new rule, I understand that it will not be affected. What will happen if the node where the pod was running is drained? Does the old pod get recreated on another node, or deleted? So this is an important thing to remember, and I'm going to answer this very quickly.

This is admission, so it doesn't change values at runtime. If a node is drained and the pod needs to be recreated by a controller, like a deployment controller, and it now violates, you're going to see an error on that ReplicaSet saying, I cannot create this anymore, and you're going to see the policy violation rule at the ReplicaSet level, so go check there. But it's not going to modify things at runtime, only at admit time. So if you have pods running that are now in violation, you've got to delete them yourself.
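Below, as an added example written for this page and not a file from the webinar's demo directory or from the Gatekeeper repository, is what the constraint template and constraint discussed in the webinar look like side by side: the template carries the openAPIV3Schema for the parameters and the Rego under targets, and the constraint names the kind to match, supplies the parameters and sets the enforcementAction. The template name, the two violation rules, the owner-label regex and the `agilebank.demo` domain are assumptions chosen for illustration; the `templates.gatekeeper.sh/v1beta1` and `constraints.gatekeeper.sh/v1beta1` API groups are the ones Gatekeeper v3 serves.

```yaml
# Added example (editor's, not the webinar's demo files): a ConstraintTemplate
# that carries the Rego logic, and a Constraint that supplies the parameters.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the constraint's spec.parameters: typed, so a malformed
        # parameter is rejected by the API server before any Rego runs.
        openAPIV3Schema:
          properties:
            message:
              type: string
            labels:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string
                  allowedRegex:
                    type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # Use the constraint's message when one is given, else the default.
        get_message(parameters, _default) = msg {
          not parameters.message
          msg := _default
        }
        get_message(parameters, _default) = msg {
          msg := parameters.message
        }

        # Violation 1: a required label key is absent from the object.
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_].key}
          missing := required - provided
          count(missing) > 0
          def_msg := sprintf("you must provide labels: %v", [missing])
          msg := get_message(input.parameters, def_msg)
        }

        # Violation 2: the label is present but its value fails allowedRegex.
        # An empty allowedRegex means "any value is fine", so it is skipped.
        violation[{"msg": msg}] {
          value := input.review.object.metadata.labels[key]
          expected := input.parameters.labels[_]
          expected.key == key
          expected.allowedRegex != ""
          not regex.match(expected.allowedRegex, value)
          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
          msg := get_message(input.parameters, def_msg)
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  # dryrun records violations in status.violations without rejecting
  # requests; the default is deny. Switch to deny once audit shows the
  # existing cluster is clean, so a bad rule cannot block admission.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]        # core API group, where Namespace lives
        kinds: ["Namespace"]
  parameters:
    message: "All namespaces must have an `owner` label that points to your company username"
    labels:
      - key: owner
        allowedRegex: "^[a-zA-Z]+\\.agilebank\\.demo$"   # assumed domain
```

Apply both documents with `kubectl apply -f`, wait for an audit cycle, and read `kubectl get k8srequiredlabels all-must-have-owner -o yaml`: `status.auditTimestamp` and `status.violations` hold what the webinar's status slide shows, and with `enforcementAction: dryrun` nothing is rejected yet. Two checks before flipping to deny: the two `violation` rules are ANDed with every other constraint that matches the object, so any single match rejects the whole request; and the fail-open versus fail-closed behaviour the presenters describe lives outside this file, in the `failurePolicy` field (`Ignore` or `Fail`) of Gatekeeper's ValidatingWebhookConfiguration, which decides what the API server does when the webhook is unreachable.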