gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes

3,612

740

3,612

149

View on GitHub

Top Related Projects

datree

6,384

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

kyverno

5,533

Cloud Native Policy Management

vcluster

6,264

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.

trivy

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Quick Overview

Gatekeeper is an open-source policy engine for Kubernetes that enforces policies and strengthens governance. It extends Kubernetes using Open Policy Agent (OPA) and custom resource definitions (CRDs) to validate, mutate, and generate configurations based on custom policies.

Pros

Enhances Kubernetes security and compliance with customizable policies
Integrates seamlessly with existing Kubernetes workflows and tools
Supports both admission control and audit functionality
Provides a declarative approach to policy management using OPA's Rego language

Cons

Steep learning curve for those unfamiliar with OPA and Rego
Can introduce additional complexity to Kubernetes cluster management
May impact cluster performance if policies are not optimized
Limited built-in policies, requiring custom development for specific use cases

Code Examples

Creating a constraint template:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

Applying a constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deploy-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["owner"]

Defining a mutation policy:

apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: demo-annotation
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  location: "metadata.annotations.mycompany.com/demo"
  parameters:
    assign:
      value: "true"

Getting Started

Install Gatekeeper in your Kubernetes cluster:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml

Create a constraint template (use the example from the "Code Examples" section).
Apply a constraint based on the template (use the example from the "Code Examples" section).
Test the policy by attempting to create a resource that violates the constraint:
```
kubectl apply -f violating-deployment.yaml
```
Observe the policy enforcement and adjust as needed.

Competitor Comparisons

datree

6,384

Pros of Datree

Simpler setup and configuration process
Built-in policy library with pre-defined rules
User-friendly CLI interface for easy integration into CI/CD pipelines

Cons of Datree

Limited customization options compared to Gatekeeper's flexibility
Primarily focused on Kubernetes manifests, while Gatekeeper can be used for broader policy enforcement
Smaller community and ecosystem support

Code Comparison

Datree policy definition:

customRules:
  - name: Ensure resource limits are set
    rule: resource_limits
    schema:
      type: object
      required: [limits]

Gatekeeper constraint template:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredresourcelimits
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredResourceLimits

Both tools aim to enforce policies in Kubernetes environments, but they differ in their approach and scope. Datree offers a more straightforward experience with pre-defined rules, making it easier for teams to get started quickly. Gatekeeper, on the other hand, provides greater flexibility and customization options, allowing for more complex policy enforcement scenarios across various resources.

kyverno

5,533

Cloud Native Policy Management

Pros of Kyverno

Simpler policy definition using YAML, making it more accessible for users familiar with Kubernetes manifests
Native Kubernetes resources for policies, allowing easier integration with existing K8s workflows
Built-in mutation capabilities without additional components

Cons of Kyverno

Less expressive policy language compared to Rego used in Gatekeeper
Smaller ecosystem and community support than Gatekeeper/OPA

Code Comparison

Kyverno policy example:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-for-labels
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"

Gatekeeper constraint template example:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

vcluster

6,264

Pros of vcluster

Creates fully functional virtual Kubernetes clusters within a host cluster, allowing for better resource isolation and multi-tenancy
Enables running multiple virtual clusters on a single physical cluster, reducing infrastructure costs
Provides a lightweight solution for development, testing, and CI/CD environments

Cons of vcluster

May introduce additional complexity in cluster management and networking
Potential performance overhead due to the virtualization layer
Limited support for certain advanced Kubernetes features in virtual clusters

Code Comparison

vcluster:

apiVersion: v1
kind: ConfigMap
metadata:
  name: vcluster-config
data:
  sync: |
    ingresses: {}
    storageclasses: {}

Gatekeeper:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]

The vcluster code snippet shows a ConfigMap used to configure synchronization settings for the virtual cluster, while the Gatekeeper example demonstrates a constraint template for enforcing label requirements on Kubernetes resources.

trivy

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

Comprehensive vulnerability scanning for containers, filesystems, and Git repositories
Easy to use and integrate into CI/CD pipelines
Supports multiple operating systems and package managers

Cons of Trivy

Limited policy enforcement capabilities compared to Gatekeeper
Focuses primarily on vulnerability scanning rather than broader security policies
May require additional tools for complete Kubernetes security coverage

Code Comparison

Trivy scan command:

trivy image alpine:3.10

Gatekeeper constraint template:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels

Trivy excels in vulnerability scanning and is easier to integrate into existing workflows. Gatekeeper, on the other hand, provides more robust policy enforcement capabilities for Kubernetes clusters. While Trivy focuses on identifying vulnerabilities, Gatekeeper allows for the creation and enforcement of custom policies across various Kubernetes resources.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Gatekeeper

How is Gatekeeper different from OPA?

Compared to using OPA with its sidecar kube-mgmt (aka Gatekeeper v1.0), Gatekeeper introduces the following functionality:

An extensible, parameterized policy library
Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
Native Kubernetes CRDs for mutation support
Audit functionality
External data support

Getting started

Check out the installation instructions to deploy Gatekeeper components to your Kubernetes cluster.

Documentation

Please see the Gatekeeper website for more in-depth information.

Policy Library

See the Gatekeeper policy library for a collection of constraint templates and sample constraints that you can use with Gatekeeper.

Community & Contributing

Please refer to Gatekeeper's contribution guide to find out how you can help.

Code of conduct

This project is governed by the CNCF Code of conduct.

Security

For details on how to report vulnerabilities and security release process, please refer to Gatekeeper Security for more information.

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot