From YouTube: Open Policy Agent Gatekeeper: Centralized Policy and Governance - Jaya Ramanathan (Red Hat)
Description
Open Policy Agent (OPA) Gatekeeper: Centralized Policy and Governance
Security and Governance Strategy and Architecture
Advanced Cluster Management for Kubernetes
Guest Speakers:
Jaya Ramanathan (Red Hat)
Yu Cao (Red Hat)
Moderator: Kirsten Newcomer (Red Hat)
A
Hi everyone. Thank you for this opportunity. I am Jaya. I'm the chief security and governance architect for our Advanced Cluster Management offering, and I have with me Yu Cao. He is the squad lead for our security and governance capabilities. Both of us work on this project called Advanced Cluster Management for Kubernetes within Red Hat, and we also have an upstream community called Open Cluster Management.

So we are here to talk about some underlying principles and the overall architecture of our security and governance capability, and then we will delve deep into OPA and Gatekeeper and how that integrates with ACM. Okay, this chart basically talks about the various security and compliance challenges that customers face when they adopt cloud specifically.

The key thing I wanted to highlight here is that customers generally have to meet various enterprise standards as well as industry standards. For example, if they are in regulated industries like financial, healthcare, etc., they have to meet standards like PCI, HIPAA, etc. They also want to adopt open technologies, they typically have to deal with more than one cloud provider, and they also need to go through multiple audits.

So our approach to achieve that goal of continuous security and audit readiness is policy-based governance. So what do we mean by that?

Typically, if you take a particular cloud environment, say Red Hat OpenShift Container Platform, and you want to secure it, you, the customer, would enable various security capabilities that OpenShift provides out of the box, and you may also want to use some capabilities provided by third parties and some homegrown capabilities as well. What you would like to do is to ensure that all these security controls are configured to industry best practices or your enterprise standards, and these standards could include standards from NIST, like NIST CSF and NIST 800-53, and also, like I mentioned, industry segment standards like PCI, HIPAA, etc.
A
Now this authoring point could be either the console, or it could be a CLI, or it could be GitOps. Our preferred methodology is GitOps, the reason being that it allows you to manage policies just like you would manage source code. So you define all the policies in Git, and then within our ACM product you can define a subscription to pull those policies and deploy them onto the managed clusters.

So that is our policy management point. It distributes the policy. It consolidates policy violations across a fleet of clusters. It also allows you to integrate with enterprise tools from a central point, because that is how customers view the cloud: as just an extension of their existing IT infrastructure. So they want the management to integrate with their incident management systems, security operations center, their enterprise GRC tools, etc.

And then, when the policy gets distributed to the managed cluster, on the managed cluster you have policy enforcement points, and these consume the policy and they return the violations. So an example of an enforcement point would be the Kubernetes admission webhooks, and also the runtime controllers: Kubernetes controllers themselves, as well as several controllers that we provide, the configuration policy controller and the certificate management controller, as well as any operator that runs on OpenShift.

And then the policy enforcement point can optionally invoke a policy decision point to check whether a specified policy matches how the control is configured now. In some cases the policy enforcement point may itself do this check, but in other cases you could invoke a PDP, and the Gatekeeper/OPA integration is one such example, and Kyverno is another example.

So, based on this terminology, here is the overall architecture. As you can see here, on the management hub, this is where the policies are defined and, as I mentioned, they can come from Git, or through the UI or CLI, and then from here they get distributed to the managed clusters. And then here you have the various policy consumers. These are essentially the policy enforcement points that I talked about, and then these results are collated back, so you have everything available in a central manner.

There are a few roadmap items that are highlighted here, where we want the policy framework to associate Ansible playbooks to trigger automated playbooks for policy violations, and we also want to integrate the policy violations and generate alerts to the observability component, which can then integrate with enterprise incident management tools, and we also want to route audit logs to SIEMs for the security operations center.

All the orange items in this chart are roadmap items. So now I want to drill down into the details of how we have integrated with Gatekeeper and OPA. Let me start with a quick overview of Gatekeeper and OPA. Gatekeeper allows you to evaluate compliance of Kubernetes resources to specified policies, and what it leverages under the covers is OPA; OPA is the policy engine that it uses.

OPA itself accepts policies in a language called Rego, so think of Gatekeeper as providing the bridge from OPA to the Kubernetes world. It allows you to specify the policies as Kubernetes constraints, which can in turn contain the Rego constructs, and Gatekeeper can then consume those because it registers itself as a policy enforcement point through the webhook, and so it's now able to pass on those Rego constructs to OPA and use OPA to do the actual checks of whether the policy is complied with.

So there are two scenarios to consider here. One is the admission scenario, which is executed whenever a Kubernetes resource is created or updated. So think of it as: once the Gatekeeper policy is in place, any new resources that get created will be governed by this admission control. But what if some resources already exist before you put that policy in place? That is the second scenario, which is the audit scenario. The audit scenario allows you to periodically evaluate existing resources against policies to detect any non-compliances.
A
So in order to complete the picture, there were a couple of things we had to do in terms of how we integrated Gatekeeper and OPA into ACM. First of all, we are going to deliver an operator that can deploy Gatekeeper and OPA. This work is actually progressing in the upstream community, and what we have done is we have forked it from the community and made it part of our Open Cluster Management downstream.

So we will deliver this as part of the ACM product. One of the cool things about the ACM product is our built-in policy controller. The config policy controller can pretty much distribute any Kubernetes CRs. Now the deployment of operators itself is represented as a CR, so by delivering Gatekeeper/OPA as an operator, now you can just define an ACM policy that ensures that this operator is deployed on the managed clusters. So we are going to provide that.

In addition, you can also use ACM to define policies on what Gatekeeper itself is enforcing. So the constraints that I talked about can also be authored within RHACM and propagated to the managed clusters. And then, as I mentioned, there are two scenarios, admission and audit. In both cases we want to be able to detect policy violations.

In the case of the admission scenario, we have a RHACM config policy that can process the events that are generated by the Gatekeeper webhook, and in the case of the audit scenario, we look for the status field in the Gatekeeper constraints. So we are able to pull both of this information back, as I showed in the architecture, into the central ACM hub and display the results there.

This architecture diagram pictorially depicts what I talked about. You have the RHACM hub, which is distributing policies to your managed cluster, and within the managed cluster you have the config policy controller. Because we have this built-in config policy controller, the whole integration with Gatekeeper/OPA is happening just through the authoring of these policies. So you really don't have to write any code.

We have a policy that we have authored to deploy the Gatekeeper operator. That operator then watches over this Gatekeeper CR and registers this webhook that monitors the admission scenarios, and then you will also have a policy to deploy the Gatekeeper constraints.

Yu is going to give us a demo on these capabilities, but before I hand it over to Yu, I also want to highlight that we also have integration in place with ACM for the OpenShift Compliance Operator, which is another example of an operator that can be deployed on the managed cluster through a RHACM policy.

That is the quick overview, and I have in this chart a link to our Open Cluster Management community, and you can connect with us there and ask any questions, etc. Before I turn it over to Yu, I also want to give you a quick demo of our Open Cluster Management community.
A
So, as I mentioned when I provided the overview of policy-based governance, typically you have various controls in place, and the controls could be for security, could be for resiliency, could be for software engineering, and you want to ensure that all these controls are configured properly to industry standards and enterprise standards. In order to do that, our goal is to codify those standards as policies, and it's very clear that Red Hat on our own cannot produce all the policies needed by all our customers.

So you have various security controls within this catalog, and then for each of the controls you can see we have defined policies. Yu is going to show us a demo of the compliance operator policy that can deploy the Compliance Operator, and also this Essential 8 security profile policy that allows you to scan the managed cluster for this particular security profile, and then for Gatekeeper and OPA we have policies as well. Then there is the other folder here, which is the community folder.

The community folder is where we invite contributions from the community, and these policies are also organized in terms of the NIST 800-53 standard. The Gatekeeper policies currently are in the community, and the reason is that we are currently working on an ACM release where we are productizing this capability, so right now they sit in the community. So you have a Gatekeeper operator policy that allows you to deploy the Gatekeeper operator, and then we also have other policies for Gatekeeper contributed here as well.

So you can see here, we also have third parties contributing policies here. You will see here a policy from Sysdig. They have contributed a policy for their operators. The reason I wanted to highlight this is to invite contributions from the community, so we are also working with various customers to have them contribute here as well.

Yes, we have started the community. The Open Cluster Management community has a community meeting that happens weekly, and we definitely invite participation in that as well. So I can include that link as well in the chart.
B
Okay, that would be great, and there's one quick question here before we go to the demo. Tobias is asking: if the Gatekeeper community would announce a mutating admission controller, will you integrate such an option into RHACM?
A
Yes, we are active participants in the Gatekeeper community. Yu, who is here on the call with me, along with a couple of others from Red Hat, are active contributors there as well, so we are watching the space there, and our goal is to keep up with any enhancements that are made in Gatekeeper and associate policies and track them to adopt those. Yes.
B
I am so grateful that you finally said that acronym out loud, and it's "rackham", because that's a wonderful way to pronounce it, so I'm going to use that going forward. So thank you.
A
I'm going to stop sharing now and turn it over to Yu.
B
Perfect, yeah.
A
Welcome further questions as well. Thank you.
C
All right, let me share my screen first.

Okay, all right, so hi everybody, my name is Yu Cao. I'm the dev lead for the RHACM security and compliance team. Today I'm going to do a quick demo of how you can use a RHACM policy to install Gatekeeper, then apply a Gatekeeper constraint on the managed cluster, and then report any violations it detects. First of all, let me recap a little bit about the governance and risk architecture in the RHACM product. If you go to our product documentation, there's an overall architecture diagram here.

If you click on it, you'll see a large diagram. The governance policy framework we put in place really consists of multiple pieces. There's one piece on the hub and there are a few pieces on the managed cluster. So on the hub we have the policy propagator, which is responsible for propagating the policy from the hub to the managed cluster. How it does this is: when you create a policy, you need to also create a placement binding and a placement rule.

If you look at a sample here, we have a policy CRD, which is the CRD that we use to embed the real policy. If you look at the CRD definition here, we have a field called policy-templates, and inside the templates you define the actual policy you want to apply on your managed cluster. You can create a policy with multiple policy templates using different policy languages, and then, once this is created, you also create a placement rule.

Since RHACM is a control plane that is managing multiple clusters, when you import a cluster, you can label your cluster. The placement rule simply lets you select a cluster using the label selector, which we call the cluster selector. What it really does is use labels on the cluster so that you can say: this policy needs to be applied to these clusters. That is how we propagate policy to the managed cluster. The reason I explained this is: this is the framework to distribute policies, and the actual policy that is being executed or evaluated on the managed cluster is what we call policy controllers or policy consumers on the managed clusters. So the framework propagates the policy to the managed cluster, distributes it to the managed cluster, and then hands it over to the actual policy consumer installed on your managed cluster, for example the Gatekeeper policy consumer, or the Compliance Operator, or the out-of-the-box policy controller that we ship with RHACM, for example the configuration policy controller. Once it reaches the managed cluster, the actual policy consumer on the managed cluster will apply and evaluate the policy passed in and then generate results, and the policy framework will retrieve those results and return them to the hub, so that you can view the results through a single control plane using the RHACM console.
C
So that's the governance policy framework we put in place for RHACM. In terms of the Gatekeeper policy, from this big picture, the Gatekeeper controller is one of the policy consumers from the RHACM policy framework perspective.

Now let's take a look at the actual Gatekeeper policy. We've talked about the fact that we can use a RHACM policy to install Gatekeeper, and we can also use a RHACM policy to apply Gatekeeper constraints and then collect the results back to the hub. This is done by defining a RHACM policy. As Jaya mentioned, in this policy-collection repo you can find the Gatekeeper operator policy and also a few other Gatekeeper policies that actually deliver, by applying certain constraints on your clusters.

Let me take a sample here and go through it in detail. For example, the first one, the Gatekeeper operator. The Gatekeeper operator is an effort that we are actually involved in in the upstream community. What the Gatekeeper operator does is package Gatekeeper as an OpenShift operator. The operator is responsible for the lifecycle of Gatekeeper, so it can install Gatekeeper, it can delete Gatekeeper.

We are also working on upgrading, those kinds of things, so it controls the whole lifecycle of Gatekeeper. It simply makes installing Gatekeeper easier. With Gatekeeper being delivered as a Gatekeeper operator in OLM or in the OCP catalog, you can use a RHACM policy to install Gatekeeper across all your managed clusters. What you need to do here is define a policy CR, and it includes multiple templates, very similar to how you install an operator from OLM: you create a namespace, we define a catalog source (currently the Gatekeeper operator is not published yet, so we have to define a custom catalog source), then you create an operator group to tell the operator which namespace to operate on, and then the subscription to subscribe to the catalog to pull down the Gatekeeper images, and then you create this Gatekeeper CR. This Gatekeeper CR is part of the Gatekeeper operator; it tells the operator how to configure Gatekeeper.

If you create this CR, the Gatekeeper operator will install Gatekeeper based on the spec, the configuration you provide. If you delete this Gatekeeper CR, the Gatekeeper operator will delete the Gatekeeper instance on your cluster. So here, as you can see, we are pulling an image from upstream Gatekeeper as-is, and then we enable the admission events flag so that when there's a violation generated for any new resource CR created on the managed cluster that is blocked by Gatekeeper, it will generate Kubernetes events. This is so that RHACM is able to collect the result for the admission scenario. Then, once this policy is created, based on the cluster selected here, it will install the Gatekeeper operator on the managed cluster. This is the RHACM console. I have a Gatekeeper operator policy installed here.
C
As you can see, this policy currently is being applied to this managed cluster. If you go to this managed cluster here, this is currently being enforced and is compliant. This means the operator has been installed on your managed cluster. If you go to the OCP console on this managed cluster; this is not the managed cluster, let me open it.

This is the managed cluster, and then if you go to Operators here, go to Installed Operators, you'll see the Gatekeeper operator here. So it is very simple. You just need to use RHACM to install this operator for you, and then Gatekeeper is installed on the managed cluster.

Now let's take a look at how you can apply Gatekeeper constraints and then report violations back. Installing Gatekeeper is just the first step. What really has value is that you want to apply the Gatekeeper constraint and constraint template and then collect results back, so here I created a sample.

I created a Gatekeeper sample policy here; I think it's easier to look at it here in VS Code. This is from the policy-collection repo; you can find it in the collection repo. Same here, we are using the same policy CR to distribute the Gatekeeper constraint and constraint template. As you can see, we have three templates here.

If we look at the details, this is actually leveraging the configuration policy, which is the out-of-the-box policy consumer shipped in RHACM. What it does is it can create, update, and delete resources on the cluster based on the template object, the definition you provide. If you look at the CR fields here, you create a configuration policy, and it has object-templates inside the spec. Anything defined in this object-templates field is the actual CR you want to create, in this example. Currently we are using compliance type musthave, which means you must have an object with this CR. So look at this, this is a Gatekeeper constraint template. Basically, how we integrate is: if you have a constraint template and constraint CR already, you can use the configuration policy to create them on the managed cluster.

What you just need to do is embed the constraint template inside the configuration policy and then put it into the policy CR, which is responsible for distributing it across the managed clusters. That's how the constraint template is delivered to the managed cluster, so you don't have to write any code. You just need to create this policy and embed your constraint template; same for the constraint here.

Then the RHACM policy framework will create these two CRs on the cluster, and then the Gatekeeper instance, the controllers, will take over and evaluate these two CRs. If you look at the details of this CR, this is a sample namespace constraint template and constraint I took from the Gatekeeper website. What it does is this Rego basically defines that any input resource needs to have a field called labels, and inside that labels field you need to have a label with a certain name. The name is being exposed as a configurable parameter called labels inside the constraint.

So you're basically applying this constraint template. Here I'm applying it on any namespace, and also I restrict the namespaces to be these two namespaces, because I didn't want to apply it to all namespaces.

But if you remove these, it will be all namespaces. And then I want the actual label to be gatekeeper. So, for example, if we want to test this policy, this Gatekeeper constraint, basically we can just go ahead and create a namespace without the label gatekeeper. Then it will be blocked.
C
So that's how we distribute and apply Gatekeeper constraints and constraint templates from the RHACM console by using a RHACM policy. You don't have to log into each managed cluster and apply it. You just need to do it through the RHACM control plane. Then there's the violation part. We want to be able to collect violations.

If you look at the other two templates that we are embedding in this policy CR, here, as you can see, we create another configuration policy. This is for the audit scenario. We name it policy-gatekeeper-audit. What it does is: it is looking for any CR on the managed cluster called K8sRequiredLabels. This is the constraint that we created in the previous object template, but additionally we are adding additional fields to it. What it means is we are using the musthave compliance type here. What it does is we require on your cluster that you need to have a CR called ns-must-have-gatekeeper with this kind and API version. Additionally, we expect the status field with total violations zero.

This is for the audit scenario. The way it works is: once this constraint is created on a managed cluster, the Gatekeeper audit controller will start to scan your entire cluster and then try to figure out if you have any pre-existing non-compliance. If there is any, it will actually update the status field to tell you, oh, there are some pre-existing violations, so it will increment the number here. Currently we expect the number to be zero.

If it's not zero, then this policy will return non-compliant. That's how we collect the result for audit. Then let's look at the admission scenario. For the admission scenario, same, we are creating another configuration policy and we are looking for events for this constraint template, for this constraint K8sRequiredLabels named ns-must-have-gatekeeper. As you can see here, we are using compliance type mustnothave, so we expect there shouldn't be any events with these annotations on the managed cluster. If they exist, that means there are violations.

There's something wrong, so this policy will return non-compliant. Now let's come back to the console here. As I did previously, I tried to create a namespace without the label. Now, as you can see here, this admission template is reporting non-compliant and it tells you: oh, there's an event existing in the gatekeeper-system namespace.

We can click on View Details and take a look at what exactly it is. So, oh, this is what is violating this part of this policy: this event exists, but it shouldn't. If you click on View YAML, it is going to pull the details of this event. As you can see, it tells you the admission webhook, basically, that the request is being denied by this constraint from Gatekeeper.

This is exactly the same error you've seen here in the command line. So this is how we integrate Gatekeeper with RHACM: not only just installing Gatekeeper and then creating the Gatekeeper constraint and constraint template, but we also collect the result for both the audit and admission scenarios.

Okay, that's my part for the Gatekeeper demo. Just to quickly mention, thanks to the power of the out-of-the-box configuration policy controller shipped with RHACM, we are able to also, of course, install any operator, for example the Compliance Operator here. If you look at the YAML here, this policy you can also find in the policy-collection repo. A very similar concept: we use the configuration policy to create a namespace, create an operator group, and create a subscription.

Then the Compliance Operator is installed on your managed cluster, and then you can trigger a scan using certain profiles. If you look at the E8 scan policy here, basically this policy triggers an Essential 8 security profile scan on your managed cluster, and we are also using the configuration policy to achieve that, by just using the configuration policy to create a ScanSettingBinding and ComplianceSuite and then collect the result back.
D
That's great, thanks Yu, and if I could, this is Kirsten Newcomer, if I could chime in just for a minute. At the end of our conversation about the Compliance Operator, there was in chat a conversation about the difference between the Compliance Operator and Gatekeeper, and I think both Jaya and I weighed in, and Yu did a nice job also summarizing that here. So the Compliance Operator is specifically focused on regulatory controls, technical controls that map to regulatory frameworks.

I just want to share, because we're really excited, that in addition to the E8 profile, which is an Essential 8 profile from Australia, the compliance profiles available with the OpenShift Compliance Operator include some controls that meet NIST 800-53 regulatory requirements, including at the RHEL CoreOS layer, not just the Kubernetes layer, and we just shipped a profile that is inspired by the CIS Kubernetes Benchmark, so check that out when you get a chance.

And I don't know if there are other questions; I've kind of been thinking of a few that I wondered whether they might be helpful to folks, and they kind of tie back to OPA versus Gatekeeper versus the Compliance Operator. Jaya, you mentioned kind of three types of policies, policy categories: you mentioned security, resiliency. You also mentioned software engineering.

I think maybe it would be useful to give some examples of each of them. Does that make sense?
A
So this is the policy-collection repo, and then if you go down to the bottom of this page, we have a lot of blogs here, and one of the blogs I wanted to highlight here is this blog.

This blog talks about how you can implement policy-based governance using our configuration management capabilities, and here we talk about, like Kirsten, you were asking, there are best practices for the three areas that I outlined, which are security, resiliency and software engineering, and this blog goes into the details of examples in each of these categories. So, for example, for security and regulatory compliance, the first one we list, obviously, is the Compliance Operator.

We talk about how that can be configured using RHACM, and then we talk about the etcd encryption, so there's a policy that's available to ensure that the Kubernetes etcd database is encrypted, and also you can remove the kubeadmin user, because the best practice obviously is to not use a single administrative account. You want to be able to use different accounts for different users to have accountability, and then policies for role-based access control and security context constraints, etc.

These are examples of security-oriented policies, but you can also have policies for resiliency. So, for example, if you want to make sure that the logging operator is installed because you want to be able to collect logs to check the health of clusters, etc., you can do that, and many of the Gatekeeper policies that we have as examples here are all resiliency-related policies, so those are examples of that. And then you can also set up policies for software engineering, which is things like making sure that Kafka is in place, because that is your standard for streaming.

The point is, all of these policies can be put in place without programming, and I wanted to really highlight that, because our built-in config policy controller, as I mentioned earlier, can distribute any CR. So as long as you are able to represent a capability, say, for example, as an operator, an operator can be deployed using a CR, and then you can configure the operator as long as it takes configuration as given.

If the resource is configurable, you can configure it, and if it returns the results back as CRs, we can process those as well. That's really like Yu was showing in this demo: we were able to integrate with Gatekeeper because it met all those characteristics, so we didn't have to really write code. We just had to author policies, so I think that's the beauty of this approach: it's very easy to put these best practices in place for your data operations without writing a lot of code.
D: Yep. Jaya, are there out-of-the-box policies that are available in the Gatekeeper community? I know you showed us the community for RHACM, the community branch. What does Gatekeeper provide out of the box?
A: I think many of the policies that we have put here in our community were contributed by our company community of practitioners, right, so they have their own community where, based on customer requirements, they are building our policies, right, and then once they feel that those policies are stable enough, they then contribute into this community, right, okay, and then the next progression is.
A: If we find that there are enough customers asking us for a fully supported version of that policy, then we promote that policy to stable, right, and it becomes part of our RHACM product. So that's kind of the three-step progression of how we are building our policies and moving them into fully supported versions.
D: That sounds good. Let's see, so you answered those examples, and another thing you mentioned early on in the conversation, you kind of mentioned... well, you used three different words and I just wanted to see if there was clarity. You said that there are, of course, admission controllers, runtime controllers, and then later you talked about admission and audit, so I wondered... I think the admission controllers were fairly clear. Could you give us an idea of what some of the runtime controllers are, yeah, or is that the audit, yeah.
A: Yeah, let me go back to sharing my deck.
A: Can you hear me now? Yep? Yes, I was just going and getting my deck. Okay, you can see my deck, so I think if you look here, let me go, okay, so the policy enforcement points, right. These are the entities that consume the policy and return violations.
A: So this is where, you know, you have the admission webhook, so anything that is plugged into that admission webhook. Now, Gatekeeper is one example of that, right, that is plugged into that. Now, somebody could write another webhook that is processing policies, for example, right, as long as that entity that is configured as a webhook is able to accept its configuration or policy as a Kubernetes CR. Then you can use our built-in config policy controller to distribute that to that, right.
A: So that is one example, right, and then Kubernetes, obviously, has its own runtime controller. So, for example, when we propagate a policy for etcd encryption, that is actually being enforced by Kubernetes itself, right, we don't have to do an external controller to enforce that, right. But then you have certain other controllers, like the certificate management controller, is something that we provide and that allows you to detect whether certificates are expiring, whether wildcard certificates are being used, etc. Right.
D: So, okay, I had thought of things like Falco, so it helps me to understand that you mean it more broadly, right.
D: Thank you. Also, just really quickly, because I know you and I responded to Carolyn in chat, but maybe we'll just verbalize for everybody else as well. Carolyn had asked whether OpenShift is required on all clusters in order to use policy-based governance, and no, as Jaya said in chat, ACM itself runs on an OpenShift cluster, but ACM can manage other Kubernetes distributions besides OpenShift. Today the compliance operator is only running on OpenShift.
D: It is designed to... the content that's available, which is written in SCAP, Security Content Automation Protocol. This is a standard that's required by a number of our customers, which is why the compliance operator is written in SCAP. Today we only have content for OpenShift and the operator mostly works on OpenShift.
D: We want to extend it to other kube clusters in the future, likely, or at least share it upstream to make it easy for others to extend it, although of course the project is open source. So you can do that today, but again, ACM itself can manage both OpenShift and other Kubernetes clusters with other Kubernetes distros.
C: Okay, just two complements. So the policy framework, the governance policy framework, so the hub piece does require an OCP cluster, but the piece on the managed cluster, we do support other Kubernetes flavors, but also the out-of-the-box controllers, for example the configuration policy controller, it also supports other Kubernetes flavors.
C: So that means, if you want to integrate something that it's not running on an OCP cluster, but it can be integrated using configuration policy, you can still do that. And also, to add, the Gatekeeper operator also works on non-Kubernetes... a non-OCP Kubernetes environment. So, of course, if you want to use the OLM way to install it, you need to install OLM, but you can also install it without OLM. So the upstream version actually supports multiple ways to install Gatekeeper.
A: Yeah, those are all excellent points, yeah. I wanted to add here, like, if you go to this open-cluster-management policy-collection repo, at the very bottom, that's where we've listed all our blogs, so you can take a look at it. Also, this is the Open Cluster Management community.
A: So, if you're interested in trying out this capability, that's a good place to start, and we have community meetings, so you can definitely get engaged there and, like you said, you know, for example, if you want to try this out on a non-OpenShift cluster, at least on the managed cluster side, definitely you're welcome to do that.
E: I have a customer who is running currently, right now, 3.11. I notice ACM, RHACM, supports 3.11.200 and above, and some of the policies, when I install it, it actually requires, like, let's say image vulnerabilities, and it will require Container Security Operator on the managed cluster, and I was just wondering, like, whether all the policies will install the operator for the managed cluster if there isn't, or is it kind of a prereq, depends on what policies that you're applying to the cluster you want.
E: That makes sense, like, because there are times that I would not know what my managed cluster has. As an admin, I will want policy A, B and C, and then, when I create those policies and I figure out, oh, those clusters don't have it... would, like, for Gatekeeper, you will deploy the Gatekeeper for the cluster, but Gatekeeper actually only supports 1.14 and above, and so therefore, isn't... does that mean that I cannot have Gatekeeper policies on the 3.11 cluster?
C: So yeah, I can take that. So yes, so, as I mentioned previously, there's two pieces, the framework itself and also the policy consumer. So the framework does work on OCP, on OCP 3.11.
C: The policy controller or consumer on the managed cluster, it might not support OCP 3.11, so it's really case by case. So, if you try to create a Gatekeeper on 3.11, then, since it's using configuration policy, it will try to apply those CRs. But since those CRs don't even exist on 3.11, it will return non-compliant.
A: And I think this is where the placement rule applies, right. So when you are applying a policy to a managed cluster, you do that by using this concept called placement, and one of the things that you can use is you can assign labels to your clusters, and you can say apply this policy to a cluster that matches this label, right.
A: So what you could do is you could assign labels to your clusters depending upon what version they are, etc., right, and that will kind of determine, you know, which policies get applied where.
E: Okay, that's a good idea. Thank you. Just thinking out loud, because there's real customer questions, they are on 3.11. I just want to kind of pick your brain, taking the last three minutes' opportunity, and so they want to follow the NIST standard, right, and so they're running... they are moving to four, but they're not yet, they're still on 3.11. What are the policies that you would recommend them to start on doing with ACM, if there is any documentation?
A: Yeah, I think the blog that I was sharing could be a good place to start. Let me, I'll put that link.
D: So Jaya, we know the compliance operator is not supported on OpenShift 3.11. There is a hardening guide for OpenShift 3.11, but there's not automation that I'm aware of. Does ACM have checks for OpenShift 3.11 like that map to NIST 853 or some other NIST framework?
A: Encryption policy, etcd encryption, should work on 3.11, right. Did you support OpenShift 4 support? Sorry.
D: Yeah, both OpenShift 3.11, and you can encrypt etcd in both OpenShift 3.11 and OpenShift 4. How you do it is slightly different; however, there are differences in implementation. I just didn't know whether any of your other checks, yeah.
A: And the other check is the certificate expiration, that definitely should work. I think that's another area that you could look at, yeah.
D: So Shauna, if it's for 3.11, feel... this is Kirsten Newcomer, feel free to shoot me a note, knewcomer@redhat.com. I'll see what I can do to help you out. Okay.
A: The Gatekeeper audit scenario, obviously, we support, right, meaning when I say support, that should work. The roadmap item related to audit was more on the hub being able to generate audit logs for policy lifecycle events and have them routed to SIEMs.
B: Use that, this was really good, and it definitely sounds like we're gonna have to have you back as the OCM community grows and more of these policies are out there. This is just a deep dive here, and very good. Thanks very much for the demo. It was quite good, so thanks again, and thank you, everybody, for taking the time and asking great questions so that I didn't have to. This was good, and thanks Kirsten for jumping in there. Take care.