From YouTube: OCB AMA: OPA Gatekeeper: Centralized Policy and Governance - Jaya Ramanathan (Red Hat)
Description
Join us for this Ask Me Anything (AMA) Session on Kubernetes centralized policy management.
Red Hat’s Jaya Ramanathan and Yu Cao will talk about using policy-based governance for admission and audit scenarios across multiple clusters and demo how this can be done using OPA Gatekeeper with the Red Hat Advanced Cluster Management (ACM) policy engine.
Guest Speaker(s): Jayashree Ramanathan, Yu Cao and Kirsten Newcomer (Red Hat)
Hosted by Paul Morie and Diane Mueller (Red Hat)
A
All right, hello, hello everybody, and welcome to yet another OpenShift Commons briefing. Today, as we like to do on Mondays, we like to have an AMA, ask me anything, questions about different aspects: technology initiatives, different upstream projects. And today we have Jaya Ramanathan and Yu, who work on our governance and security work at Red Hat, and they're going to talk a little bit about Open Policy Agent and Gatekeeper and how all that works within the context of some of our Advanced Cluster Management product offerings. But we're gonna have live Q&A at the end too.
A
So, wherever you are, please ask questions in the chat. It'll get relayed back to the speakers and we'll have some live Q&A at the end. So with that, Jaya, could you introduce yourself and Yu and take it away.
A
And you are on mute, Jaya. There you go, try that again. Still on mute, you just...
C
Hi everyone. Thank you, Diane. Hi everyone, thank you for this opportunity. I am Jaya Ramanathan. I am the chief security and governance architect for our Advanced Cluster Management offering, and I have with me Yu. He is the squad lead for our security and governance capabilities. Both of us work on this project called Advanced Cluster Management for Kubernetes within Red Hat, and we also have an upstream community called Open Cluster Management.
C
So we are here to talk about some underlying principles and the overall architecture of our security and governance capability, and then we will delve deep into OPA and Gatekeeper and how that integrates with ACM.
C
Okay, this chart basically talks about the various security and compliance challenges that customers face when they adopt cloud specifically. The key thing I wanted to highlight here is: customers generally have to meet various enterprise standards as well as industry standards. For example, if they are in regulated industries like financial, healthcare, etc., they have to meet standards like PCI, HIPAA, etc. They also want to adopt open technologies, they typically have to deal with more than one cloud provider, and they also need to go through multiple audits.
A
You can continue. I can grab that last, the first bit, from the live stream.
C
Okay, awesome. So our approach to achieve that goal of continuous security and audit readiness is policy-based governance. So what do we mean by that?
C
Typically, if you take a particular cloud environment, say Red Hat OpenShift cloud platform, and you want to secure it, you, the customer, would enable various security capabilities that OpenShift provides out of the box, and they may also want to use some capabilities provided by third parties and some homegrown capabilities as well. And what they would like to do is to ensure that all these security controls are configured to industry best practices or their enterprise standards, and these standards could include standards from NIST, like NIST CSF, NIST 800-53, and also, like I mentioned, industry segment standards like PCI, HIPAA, etc.
C
So that's kind of the overall approach of policy-based governance. So I want to introduce some terminology here just to level set what we are talking about here. So if you think about policy-based governance, right, there is a policy authoring point where the policy is specified. Now this authoring point could be either the console, or it could be a CLI, or it could be GitOps.
C
Our preferred methodology is GitOps, the reason being that it allows you to manage policies just like you would manage source code. So you define all the policies in Git, and then within our ACM product you can define a subscription to pull those policies and deploy them onto the managed clusters. So that is our policy management point. So this distributes the policy. It consolidates policy violations across a fleet of clusters.
C
It also allows you to integrate with enterprise tools from a central point, because that is how customers view the cloud, as just an extension of their existing IT infrastructure. So they want the management to integrate with their incident management systems, security operations center, their enterprise GRC tools, etc.
C
So an example of an enforcement point would be the Kubernetes admission webhooks and also the runtime controllers, the Kubernetes controllers themselves, as well as several controllers that we provide: the configuration policy controller and the certificate management controller. As well, any operator that runs on an OpenShift managed cluster can also serve as a policy enforcement point, and one of the examples of such an operator is the compliance operator that allows you to implement security profiles on your OpenShift clusters.
C
So, and then the policy enforcement point can optionally invoke a policy decision point to check whether a specified policy matches how a control is configured. Now, in some cases the policy enforcement point may itself do this check, but in other cases you could invoke a PDP, and the Gatekeeper OPA integration is one such example, and Kubernetes is another example.
C
So, based on this terminology, here is the overall architecture. So, as you can see here on the management hub, this is where the policies are defined and, as I mentioned, it can come through from Git or it could be through UI or CLI, and then from here it gets distributed to the managed clusters. And then here you have the various policy consumers. These are essentially the policy enforcement points that I talked about, and then these results are then collated back, and so you have everything available in a central manner.
C
There are a few roadmap items that we have highlighted here, where we want the policy framework to associate Ansible playbooks to trigger automation, automated playbooks, for policy violations. We also want to integrate the policy violations and generate alerts to the observability component, which can then integrate with the enterprise incident management tools, and we also want to route audit logs to SIEMs for the security operations center.
C
These are all the orange items in this chart; they are roadmap items. So now I want to drill down into details of how we have integrated with Gatekeeper and OPA. So let me start with a quick overview of Gatekeeper and OPA. So Gatekeeper allows you to evaluate compliance of Kubernetes resources to specified policies, and what it leverages under the covers is OPA, and OPA is the policy engine that it uses.
C
OPA itself accepts policies in a language called Rego, so think of Gatekeeper as providing the bridge from OPA to the Kubernetes world. So it allows you to specify the policies as Kubernetes constraints, which can in turn contain the Rego constructs, and Gatekeeper can then consume those, because it registers itself as a policy enforcement point through the webhook, and so it's now able to pass on those Rego constructs to OPA and use OPA to do the actual checks of whether the policy is complied with.
C
So, two scenarios to consider here. One is the admission scenario, so this is executed whenever a Kubernetes resource is created or updated, and so think of it as: once the Gatekeeper policy is in place, then any new resources that get created will be governed by this admission control.
C
So in order to complete the picture, there were a couple of things we had to do in terms of how we integrated Gatekeeper and OPA into ACM. First of all, we are going to deliver an operator that can deploy Gatekeeper and OPA. This work is actually progressing in the upstream community, and what we have done is we have forked the community and made it part of our Open Cluster Management downstream.
C
Now the deployment of operators itself is represented as a CR, so by delivering Gatekeeper OPA as an operator, now you can just define an ACM policy that ensures that this operator is deployed on the managed clusters. So we are going to provide that. In addition, you can also use ACM to define policies on what Gatekeeper itself is enforcing, right. So the constraints that I talked about, those can also be authored within RHACM and propagated to the managed clusters.
C
So in the case of the admission scenario, we have a RHACM config policy that can process the events that are generated by the Gatekeeper webhook, and in the case of the audit scenario, we look for the status field in the Gatekeeper constraints. So we are able to pull both of this information back, as I showed in the architecture, into the central ACM hub and display the results there.
C
So this architecture diagram pictorially depicts what I talked about. So you have the RHACM hub, which is distributing policies to your managed cluster, and within the managed cluster you have the config policy controller, and because we have this built-in config policy controller, the whole integration with Gatekeeper OPA is happening just through the authoring of these policies. So you really don't have to write any code.
C
So we have a policy that we have authored to deploy the Gatekeeper operator. That operator then watches over this Gatekeeper CR, and then it registers this webhook that monitors the audit and admission scenarios, and then you will also have a policy to deploy the Gatekeeper constraints.
C
So Yu is going to give us a demo on these capabilities, but before I hand it over to Yu, I also want to highlight that we also have integration in place with ACM for the OpenShift compliance operator, which is another example of an operator that can be deployed on the managed cluster through a RHACM policy.
C
That kind of is the quick, short overview, and I have in this chart a link to our Open Cluster Management community, and you can connect with us there and ask any questions, etc. Before I turn it over to Yu, I also want to give you a quick demo of our Open Cluster Management community.
C
So, as I mentioned when I provided the overview of policy-based governance, typically you have various controls in place, and the controls could be for security, could be for resiliency, could be for software engineering, and you want to ensure that all these controls are configured properly to industry standards and enterprise standards. And in order to do that, our goal is to codify those standards as policies, and it's very clear that Red Hat on our own cannot produce all the policies needed by all our customers.
C
So you have various controls, security controls, within this catalog, and then for each of the controls you can see we have defined policies. So Yu is going to show us a demo of the compliance operator policy that can deploy the compliance operator, and also this Essential 8 security profile policy that allows you to scan the managed cluster for this particular security profile, and then for Gatekeeper and OPA we have policies as well. And then there is the other folder here, which is the community folder.
C
So the community folder is where we invite contributions from the community, and these policies are also organized in terms of the NIST 800-53 standard. And the Gatekeeper policies currently are in the community, and the reason is because we are currently working on an ACM release where we are productizing this capability, so right now they sit in the community. So you have a Gatekeeper operator policy that allows you to deploy the Gatekeeper operator, and then we also have other policies for Gatekeeper contributed here as well.
C
So you can see here we also have third parties contributing policies here. So you will see here a policy from Sysdig. They have contributed a policy for their operators. So the reason I wanted to highlight this is to invite contributions from the community, so we are also working with various customers to have them contribute here as well.
A
If people... I think the OCM team group is meeting on a semi-regular basis now. Have they started the community meetings?
C
Yes, we have started the community. The Open Cluster Management has a community meeting that happens weekly, and we definitely, you know, invite participation in that as well. So I can include that link as well into the chart.
A
Okay, that would be great, and there's one quick question here before we go to the demo. Tobias is asking: if the Gatekeeper community would announce a mutating admission controller, will you integrate such an option into RHACM?
C
Yes, so we are active participants of the Gatekeeper community. Yu, who is here on the call with me, along with a couple of others from Red Hat, are active contributors there as well, so we are watching the space there, and our goal is to keep up with any enhancements that are made in Gatekeeper and associate policies and track them to adopt those. Yes, that's correct.
A
I am so grateful that you finally said that acronym out loud, and it's "rackham", because I... that's a wonderful way to pronounce it, so I'm going to use that going forward. So thank you.
A
And Ginny just shared a link in the chat for the Open Cluster Management community. There's a projects page in the repo where you can find the agenda and things like that for the upcoming meetings.
C
I'm going to stop sharing now and turn it over to Yu. Perfect, yeah. Welcome further questions as well. Thank you.
D
All right, let me share my screen first.
D
Okay, all right. So hi everybody, my name is Yu Cao. I'm the dev lead for the RHACM security and compliance team. So today I'm going to do a quick demo of how you can use RHACM policy to install Gatekeeper and then apply a Gatekeeper constraint on the managed cluster and then report any violations it detects. So, first of all, let me recap a little bit about the governance and risk architecture in the RHACM product. So if you go to our product documentation, there's an overall architecture diagram here.
D
So if you click on it, you'll see a large diagram. So the governance policy framework we put in place really consists of multiple pieces, right. So there's one piece on the top and there's a few pieces on the managed cluster. So on the left, on the hub, we have the policy propagator, which is responsible for propagating the policy from the hub to the managed cluster. So how it does this is: when you create a policy, you need to also create a placement binding and placement rule.
D
So if you look at the example here, we have a Policy CRD, which is the CRD that we use to embed your real policy. So if you look at the CRD definition here, we have a field called policy-templates, so inside the templates you define the actual policy you want to apply on your managed cluster. So you can create a policy with multiple policy templates using different policy languages, and then, once this is created, you also create a placement rule.
D
So since RHACM is a control plane managing multiple clusters, right, when you import a cluster, you can label your cluster. So the placement rule here is you can select a cluster using the label selector, so we call it cluster selector. But what it really does is it's using labels on the cluster so that you can...
D
You can select a subset of clusters. For example, in this case it's all your dev clusters. And then create a placement binding that binds the policy and placement together, basically telling our policy propagator: this policy needs to be applied to these clusters. So this is how we propagate policy to the managed cluster. So the reason I explained this is...
D
This is the framework to distribute policies, and the actual policy that is being executed or evaluated on the managed cluster is what we call policy controllers or policy consumers on the managed clusters. So the framework propagates the policy to the managed cluster, distributes them to the managed cluster, and then hands it over to the actual policy consumer installed on your managed cluster, for example the Gatekeeper
D
policy consumer, or the compliance operator, or the out-of-the-box policy controller that we ship, that RHACM ships, for example the configuration policy controller. So once it has reached the managed cluster, the actual policy consumer on the managed cluster will apply, evaluate the policy passed in, and then generate results, and the policy framework will retrieve those results and return them to the hub, so that you can view the results through a single control plane using the RHACM console.
D
So that's the governance framework, policy framework, that we put in place for RHACM. So in terms of Gatekeeper policy, from this big picture, the Gatekeeper controller is one of the policy consumers from the RHACM policy framework perspective.
D
Now, let's take a look at the actual Gatekeeper policy. So we've talked about that we can use the RHACM policy to install Gatekeeper, and we can also use a RHACM policy to apply Gatekeeper constraints and then collect the results back to the hub. So this is done through defining RHACM policy. So, as Jaya mentioned, in this policy-collection repo you can find the Gatekeeper operator policy and also a few other Gatekeeper policies that actually deliver, applying certain constraints on your clusters.
D
For example, the first, the Gatekeeper operator. The Gatekeeper operator is an effort that we are actually involved in in the upstream community. So what the Gatekeeper operator does is it packages Gatekeeper as an OpenShift operator. The operator is responsible for the lifecycle of Gatekeeper, so it can install Gatekeeper, it can delete Gatekeeper. You know, of course, we are also working on upgrading, those kinds of stuff, so it controls the whole lifecycle of Gatekeeper.
D
It simply makes installing Gatekeeper easier. With Gatekeeper being delivered as a Gatekeeper operator in OLM or in the OCP catalog, you can use a RHACM policy to install Gatekeeper across all your managed clusters. So what you need to do here is you define a Policy CR here, and then it includes multiple templates. So, just very similar to how you install an operator from OLM, you create a namespace.
D
We define a catalog source. Currently the Gatekeeper operator is not published yet, so we have to define a custom catalog source. And then you create an operator group to tell the operator which namespace to operate on, and then the subscription to subscribe to the catalog to pull down the Gatekeeper images. And then you create this Gatekeeper CR. This Gatekeeper CR here is part of the Gatekeeper operator, so it tells you how to configure Gatekeeper. So if you create this CR, the Gatekeeper operator will install Gatekeeper based on the spec,
D
the configuration provided. If you delete this CR, the Gatekeeper operator will delete the Gatekeeper instance on your cluster. So here, as you can see, we are pulling in an image from upstream Gatekeeper as is, and then we enable the admission events flag, so that when there's a violation generated for any new resource, a CR created on the managed cluster, that is blocked by Gatekeeper,
D
it will generate Kubernetes events. So this is for the purpose of RHACM being able to collect the result for the admission scenario. So then, once this policy is created, then it will, based on the cluster selected here, right, install the Gatekeeper operator on the managed cluster. So this is the RHACM console. So I have a Gatekeeper operator policy installed here.
D
This is the managed cluster, and then, if you go to Operators here, go to Installed Operators here, you'll see the Gatekeeper operator here. So it is very simple. You just need to use RHACM to install this operator for you, and then Gatekeeper is installed on a managed cluster.
D
So now, let's take a look at how you can apply Gatekeeper constraints and then report violations back. So installing Gatekeeper is just the first step, right. What really has value is you want to apply Gatekeeper constraints and constraint templates and then collect results back. So here I created a Gatekeeper sample policy here. So I think it's easier to look at it here in VS Code, so, Gatekeeper.
D
So this is from the policy-collection repo; you can find it in the policy-collection repo. So, same here, we are using the same Policy CR to distribute the Gatekeeper constraint and constraint template. As you can see, we have three templates here.
D
If we look at the details, right, this is actually leveraging the configuration policy, which is the out-of-the-box policy consumer shipped in RHACM. So what it does is it can create, update, delete resources on the cluster based on the template object definition you provide. So if you look at the CR fields here, you create a configuration policy, it has object-templates inside the spec. So in these object-templates, anything defined in this objectDefinition field is the actual CR you want to create, in this example.
D
So basically, how we integrate is: if you have the constraint template and constraint CR already, you can use configuration policy to create them on a managed cluster.
D
So what you just need to do is embed the constraint template inside a configuration policy and then put it into a Policy CR, which is responsible for distributing it across managed clusters. So that's how the constraint template is delivered to the managed cluster. So you don't have to write any code. You just need to create this policy and embed your constraint template; same for the constraint here.
D
Then the RHACM policy framework will create these two CRs on the cluster, and then the Gatekeeper instance, the controllers, will take over and evaluate these two CRs. So if you look at the details of this CR, this is a sample namespace constraint template and constraint I took from the Gatekeeper website. So what it does is it requires any... this Rego basically defines that any input
D
resource needs to have a field called labels, and inside that labels field you need to have a label with a certain name. So the name is being exposed as a configurable parameter called labels, and inside the constraint you're basically applying this constraint template. Here I'm applying it to any namespace, and also I restrict the namespaces to be these two.
D
If we want to test this policy, this Gatekeeper constraint, basically we can just go ahead and create a namespace without the label "gatekeeper". Then it will be blocked. So let me do that here. I believe I've already logged onto the managed cluster. So let me double check. So here on my managed cluster, for this deployment I'm actually applying to these two namespaces.
D
You can see here Gatekeeper actually detects that and blocks the creation of this namespace. So that means the Gatekeeper constraint and constraint template that we applied using RHACM policy are actually in place and working.
D
So that's how we distribute and apply a Gatekeeper constraint and constraint template from the RHACM console by using a RHACM policy. You don't have to log into each managed cluster and apply it. You just need to do it through the RHACM control plane. Then it's the violation part. We want to be able to collect violations.
D
So if you look at the other two templates that we are embedding in this Policy CR, here, as you can see, we create another configuration policy, right. This is for the audit scenario. We name it policy-gatekeeper-audit. So what it does is...
D
It is looking for any CR on the managed cluster of kind K8sRequiredLabels. This is the constraint that we created in the previous object template, but additionally we are adding additional fields to it. So what it means is, we are using the musthave compliance type here. So what it does is we require...
D
We require that on your cluster you need to have a CR called "ns must have gatekeeper" with this kind and API version. Additionally, we expand the status field with total violations of zero.
D
So this is for the audit scenario. So the way it works is: once this constraint is created on the managed cluster, the Gatekeeper audit controller will start to scan your entire cluster and then try to figure out if you have any pre-existing non-compliance. So if there is any, it will actually update the status field to tell you, oh, there are some pre-existing violations, so it will increment the number here. So currently we expect the number to be zero.
D
So if it's not zero, then this policy will return NonCompliant. That's how we collect the result. So that's how we collect the result for audit, and then let's look at the admission scenario. For the admission scenario, same, we are creating another configuration policy and we are looking for events.
D
Events for this constraint template, for this constraint, K8sRequiredLabels, and that was named "ns must have gatekeeper". So basically, as you can see here, we are using compliance type mustnothave, so we expect there shouldn't be any events with this annotation existing on the managed cluster. If it exists, that means there are violations.
D
There's something wrong, so this policy will return non-compliant. So now, let's come back to the console here. So, as I did previously, right, I tried to create a namespace without the label. So now, as you can see here, this admission template is reporting non-compliant, and it tells, oh, there's an event existing in the gatekeeper-system namespace.
D
We can click on View Details and take a look at what exactly it is. So, oh, this is what is violating this part of this policy, so this event exists, but it shouldn't. And if you click on View YAML, it is going to pull the details of this event. So, as you can see, it tells you that the admission webhook, basically the request, is being denied by this constraint from Gatekeeper.
D
So this is exactly the same error you've seen here in the command line. So this is how we implement Gatekeeper with RHACM. So we integrate Gatekeeper, not only just installing Gatekeeper and then creating the Gatekeeper constraint and constraint template, but we also collect the result for both the audit and admission scenarios.
D
Okay, that's my part for the Gatekeeper demo. Just a quick mention: thanks to the power of the out-of-the-box configuration policy controller shipped with RHACM, we are able to also, of course, install any operator. So, for example, the compliance operator here. So if you look at the YAML here, this policy is also, you can also find it in the policy-collection repo. So you can find it here. So a very similar concept. We use configuration policy to create a namespace, create an operator group and create a subscription.
D
So then the compliance operator is installed on your managed cluster, and then you can trigger a scan using certain profiles. So here, if you look at the E8 scan policy here, basically this policy triggers an Essential 8 security profile scan on your managed cluster, and we are also using configuration policy to achieve that, so by just using configuration policy to create a ScanSettingBinding and ComplianceSuite and then collect the result back.
E
That's great, thanks Yu, and, if I could, this is Kirsten Newcomer, if I could chime in just for a minute. At the end of our conversation about the compliance operator, there was in chat a conversation about the difference between the compliance operator and Gatekeeper, and I think both Jaya and I weighed in, and Yu did a nice job also summarizing that here. So the compliance operator is specifically focused on regulatory controls, technical controls that map to regulatory frameworks.
E
I just want to share, just because we're really excited: in addition to the E8 profile, which is an Essential 8 profile from Australia, the compliance profiles available with the OpenShift compliance operator include some controls that meet NIST 800-53 regulatory requirements, including at the RHEL CoreOS layer, not just the Kubernetes layer, and we just shipped a profile that is inspired by the CIS Kubernetes benchmark, so check that out.
E
When you get a chance. And I don't know if there are other questions; I've kind of been thinking of a few that I wondered whether they might be helpful to folks, and they kind of tie back to OPA versus Gatekeeper versus the compliance operator. Jaya, you mentioned kind of three types of policies, policy categories: you mentioned security, resiliency. You also mentioned software engineering.
E
I think maybe it would be useful to give some examples of each of them. Yeah. Does that make sense? Yeah.
C
Okay, so this is the policy-collection repo, and then, if you go down to the bottom of this page, we have a lot of blogs here, and one of the blogs I wanted to highlight here is this blog.
C
And this blog talks about how you can implement policy-based governance using our configuration management capabilities, right. And here we talk about, like Kirsten, you were asking, there are best practices for three areas that I outlined, which is security, resiliency and software engineering, and this blog goes into the details of examples in each of these categories. Right, so, for example, for security and regulatory compliance, the first one we list, obviously, is the compliance operator, right.
C
So we talk about how that can be configured using RHACM, and then we talk about the etcd encryption, so there's a policy that's available to ensure that the Kubernetes etcd database is encrypted, right. And also you can remove the kubeadmin user, because the best practice obviously is to not use a single administrative account, right. You want to be able to use different accounts for different users to have accountability, and then policies for role-based access control and SCCs, security context constraints, etc., right.
C
So these are examples of security-oriented policies, but you can also have policies for resiliency. So, for example, if you want to make sure that the logging operator is installed because you want to be able to collect logs to check the health of clusters, etc. So you can do that, and many of the Gatekeeper policies that we have as examples here...
C
I have to go back to the community, so there are Gatekeeper policies for ensuring a liveness check is in place and making sure you're using the latest container image, you know, these kinds of policies, a readiness probe is in place. These are all resiliency-related policies, right, so those are examples of that, and then you can also set up policies for software engineering, which is things like, you know, making sure that Kafka is in place, because that is your standard for streaming, right.
C
The point is, all of these policies can be put in place without programming, and I wanted to really highlight that, because our built-in config policy controller, as I mentioned earlier, can distribute any CR. So as long as you are able to represent a capability, say, for example, as an operator, an operator can be deployed using a CR, right, and then you can configure the operator as long as it takes configuration as a Kubernetes resource, you can configure it, and if it returns the results back as CRs, we can process those as well.
C
That's really like Yu was showing in his demo. We were able to integrate with Gatekeeper because it met all those characteristics, right, so we didn't have to really write code. We just had to author policies, so I think that's the beauty of this approach: it's very easy to put these best practices in place for your data operations without writing a lot of code, exactly.
E
Yep. Jaya, are there out-of-the-box policies that are available in the Gatekeeper community? I know you showed us the community for RHACM, the community branch. What does Gatekeeper provide out of the box?
C
I think many of the policies that we have put here in our community were contributed by our community of practitioners, right, so they have their own community where, based on customer requirements, they're building out policies, right, and then once they feel that those policies are stable enough, they then contribute into this community, right, okay, and then the next progression is, if we find that there are enough customers asking us for a fully supported version of that policy, then we promote that policy to stable, right, and it becomes part of our RHACM product.
E
Great, that sounds good. Let's see, so you answered those examples, and another thing you mentioned early on in the conversation, you kind of mentioned, well, you used three different words and I just wanted to see if there was clarity. You said that there are, of course, admission controllers, runtime controllers, and then later you talked about admission and audit, so I wondered, I think the admission controllers were fairly clear. Could you give us an idea of what some of the runtime controllers are, yeah, or is that the audit, yeah?
C
Yeah, let me go back to my, to sharing my.

C
Yep, perhaps I was just going and getting my deck. Okay, you can see my deck, so I think if you look here, right, let me go into prospect mode, okay, so the policy enforcement points, right. These are the entities that consume the policy and return violations.
C
So this is where, you know, you have the admission webhook, so anything that is plugged into that admission webhook. Now, Gatekeeper is one example of that, right, that is plugged into that. Now, somebody could write another webhook that is processing policies, for example, right, as long as that entity that is configured as a webhook is able to accept its configuration or policy as a Kubernetes CR. Then you can use our built-in config policy controller to distribute that to that, right.
C
So that is one example, right, and then Kubernetes, obviously, has its own runtime controller. So, for example, when we propagate a policy for etcd encryption, that is actually being enforced by Kubernetes itself, right; we don't have to do an external controller to enforce that, right. But.
C
You have certain other controllers, like the certificate management controller is something that we provide, and that allows you to detect whether certificates are expiring, whether wildcard certificates are being used, etc., right. Those are policies that you can define and that can be detected using that specific controller, and the Compliance Operator is another example, right. So, okay.
E
You also, just really quickly, because I know you and I responded to Carolyn in chat, but maybe we'll just verbalize for everybody else as well. Carolyn had asked whether OpenShift is required on all clusters in order to use policy-based governance, and no, as Jaya said in chat, ACM itself runs on an OpenShift cluster, but ACM can manage other Kubernetes distributions besides OpenShift. Today, the Compliance Operator is only running on OpenShift.
E
It is designed to, the content that's available, which is written in SCAP, Security Content Automation Protocol. This is a standard that's required by a number of our customers, which is why the Compliance Operator is written in SCAP. Today we only have content for OpenShift and the operator mostly works on OpenShift.
E
We want to extend it to other Kube clusters in the future, likely, or at least share it upstream to make it easy for others to extend it, although of course the project is open source. So you can do that today, but again, ACM itself can manage both OpenShift and other Kubernetes clusters with other Kubernetes distros.
D
Okay, just two complements. So the policy framework, the governance policy framework, so the hub piece does require an OCP cluster, but the piece on the managed cluster, we do support other Kubernetes flavors, but also, so, but the out-of-the-box controllers, for example the configuration policy controller, it also supports other Kubernetes flavors.
D
So that means, if you want to integrate something that is not running on a Kubernetes cluster, but it can be integrated using configuration policy, you can still do that, and also to add, the Gatekeeper operator also works on a non-Kubernetes environment, a non-OCP Kubernetes environment. So, of course, if you want to use.
C
Yeah, those are all excellent points, Yu, I think, yeah. I wanted to add here, like if you go to this Open Cluster Management policy collection repo, at the very bottom, that's where we have listed all our blogs, so you can take a look at it. Also, this is the Open Cluster Management community.
C
So, if you're interested in trying out this capability, that's a good place to start, and we have community meetings, so you can definitely get engaged there, and, like Yu said, you know, for example, if you want to try this out on a non-OpenShift cluster, at least on the managed cluster side, definitely you're welcome to do that.
F
I have one question. This is Shaina. I have a customer who is running currently, right now, 3.11. I noticed ACM, RHACM, supports 3.11.200 and above, and some of the policies, when I install it, it actually requires, like, let's say image vulnerabilities, and it will require the Container Security Operator on the managed cluster, and I was just wondering, like.
F
That makes sense, like, because there are times that I would not know what my managed cluster has. As an admin, I will want policy A, B and C, and then, when I create those policies, and I figure out, oh, those clusters don't have it, I would like, for a Gatekeeper, you will deploy the Gatekeeper for the cluster, but Gatekeeper actually only supports 1.14 and above, and so therefore, isn't, does that mean that I cannot have Gatekeeper policies on the 3.11 cluster?
D
Yes, so yeah, I can take that. So yes, so, as I mentioned previously, there's two pieces, the framework itself and also the policy consumer. So the framework does work on OCP, on OCP 3.11, but the policy controller or consumer on the managed cluster, it might not support OCP 3.11.
C
And I think this is where the placement rule applies, right. So when you are applying a policy to a managed cluster, you do that by using this concept called placement, and one of the things that you can use is you can assign labels to your clusters, and you can say apply this policy to a cluster that matches this label, right.
C
So what you could do is you could assign labels to your clusters depending upon what version they are, etcetera, right, and.
F
Okay, that's a good idea. Thank you. Just thinking out loud, because there's real customer questions. They are on 3.11. I just want to kind of pick your brain, taking the last three minutes' opportunity, and so they want to follow the NIST standard, right, and so they're running, they are moving to 4, but they're not yet, they're still on 3.11.
F
What are the policies that you would recommend them to start on doing with ACM, if there is any documentation? I can just take the link and read about it.
C
Yeah, I think the blog that I was sharing could be a good place to start. Let me, I'll put that link.
E
So, Jaya, we know the Compliance Operator is not supported on OpenShift 3.11. There is a hardening guide for OpenShift 3.11, but there's not automation that I'm aware of. Does ACM have checks for OpenShift 3.11 like that, mapped to NIST 800-53 or some other NIST framework?
C
Think the encryption policy, the etcd encryption, should work on 3.11, right. Did you support, did OpenShift 4 support. Sorry.
C
And we're gonna check is the certificate expiration; that definitely should work. I think that's another area that you could look at.
E
Yeah, so Shauna, if it's for 3.11, feel, this is Kirsten Newcomer, feel free to shoot me a note, knewcomer@redhat.com. I'll see what I can do to help you out.
A
And there's one question from Tobias in the chat right now: a question regarding the roadmap item in terms of audit, etc. Does this include having a result that could state deny, but not denying the actual resource creation and rather just firing a violation alert to SIEM, meaning, yeah? Okay, you.
C
I think the Gatekeeper audit scenario, obviously, we support, right, meaning, when I say support, that should work. The roadmap item related to audit was more on the hub being able to generate audit logs for policy lifecycle events and have them routed to SIEMs.
A
And I'm sure both Paul and I, who are trying to follow all of these projects in the CNCF and the new ones, I'm incredibly grateful for you guys taking the time to explain all of this, and it's really been helpful. I will upload this video and get the slides from Jaya and put them together and tweet them out shortly and put them somewhere, maybe we'll put them in a blog post as well somewhere, so you can get them.
A
This was really, really good, and it definitely sounds like we're gonna have to have you back as the OCM community grows and more of these policies are out there. This is just a deep dive here and very good. Thanks very much for the demo. It was quite good, so thanks again, and thank you, everybody, for taking the time and asking great questions so that I didn't have to. This was good, and thanks, Kirsten, for jumping in there. Take care.