The gatekeeper component facilitates the management and enforcement of policies executed by Open Policy Agent (OPA) in Kubernetes clusters. This component allows you to manage the labels of namespaces. This topic describes the features, usage notes, and release notes for gatekeeper.
Overview
OPA is an open source policy engine that is commonly used to implement policies in stacks in a standardized and context-aware manner. You can use the gatekeeper component to manage and implement OPA policies, and manage labels of namespaces in Container Service for Kubernetes (ACK) clusters. For more information about OPA, see Open Policy Agent. The following figure shows the architecture of gatekeeper.
For more information about how to install gatekeeper, see Manage components.
Usage notes
You can use gatekeeper to constrain pod deployments in specific namespaces based on labels. In this example, a constraint is defined to declare that all pods that are created in a specific namespace must be labeled with gatekeeper-test-label. For more information about how to use gatekeeper, see How to use Gatekeeper.
Run the following command to create a test namespace named test-gatekeeper and add the name=test-gatekeeper label to the namespace:
kubectl create ns test-gatekeeper kubectl label ns test-gatekeeper name=test-gatekeeper
Run the following command to create a constraint template that can be used to define constraints on pod labels:
kubectl apply -f - <<EOF apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels validation: openAPIV3Schema: properties: labels: type: array items: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg, "details": {"missing_labels": missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.parameters.labels[_]} missing := required - provided count(missing) > 0 msg := sprintf("you must provide labels: %v", [missing]) } EOF
It requires about 10 seconds to initialize the constraint template.
Run the following command to create a constraint from the preceding constraint template. The constraint declares that all pods to be created in a namespace that has the name=test-gatekeeper label must be labeled with gatekeeper-test-label.
kubectl apply -f - <<EOF apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: pod-must-have-gatekeeper-test-label spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaceSelector: matchExpressions: - key: name operator: In values: ["test-gatekeeper"] parameters: labels: ["gatekeeper-test-label"] EOF
It requires about 10 seconds to initialize the constraint.
Check whether the namespace is constrained.
Run the following command to create a pod that is not labeled with
gatekeeper-test-label
in the test-gatekeeper namespace. The test-gatekeeper namespace has thename=test-gatekeeper
label.kubectl -n test-gatekeeper run test-deny --image=nginx --restart=Never
Expected output:
Error from server ([denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}): admission webhook "validation.gatekeeper.sh" denied the request: [denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}
The test-gatekeeper namespace has the
name=test-gatekeeper
label. The pod is created without thegatekeeper-test-label
label. Therefore, the pod creation fails.Run the following command to create a pod that is labeled with
gatekeeper-test-label
in the test-gatekeeper namespace. The test-gatekeeper namespace has thename=test-gatekeeper
label.kubectl -n test-gatekeeper run test-pass -l gatekeeper-test-label=pass --image=nginx --restart=Never
Expected output:
pod/test-pass created
The test-gatekeeper namespace has the
name=test-gatekeeper
label. The pod is created with thegatekeeper-test-label
label. Therefore, the pod creation succeeds.Run the following command to create a pod that is not labeled with
name=test-gatekeeper
in a namespace that is not subject to the constraint:kubectl -n default run test-deny --image=nginx --restart=Never
Expected output:
pod/test-deny created
The namespace is not subject to the constraint. Therefore, the pod creation succeeds. The created pod does not have the
name=test-gatekeeper
label.
The preceding steps show that gatekeeper can be used to constrain pod creations in a specific namespace. In this example, the pod to be created in the namespace must have the gatekeeper-test-label label.
Release notes
September 2024
Version | Image address | Release date | Description | Impact |
v3.16.3.158-g5e73c0ad-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.16.3.158-g5e73c0ad-aliyun | 2024-09-25 | This version is in canary release. OPA Gatekeeper is updated to 3.16.3. The gatekeeper component depends on OPA Gatekeeper. For more information about the OPA gatekeeper 3.16.3, see v3.16.3. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
March 2024
Version | Image address | Release date | Description | Impact |
v3.15.1.150-g29b8b2a8-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.15.1.150-g29b8b2a8-aliyun | 2024-03-27 | OPA Gatekeeper is updated to 3.15.1. The gatekeeper component depends on OPA Gatekeeper. For more information about the OPA Gatekeeper 3.15.1, see v3.15.1. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
October 2023
Version | Image address | Release date | Description | Impact |
v3.12.0.138-g1ee37e37-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.12.0.138-g1ee37e37-aliyun | 2023-10-09 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
April 2023
Version | Image address | Release date | Description | Impact |
v3.10.0.130-g0e79597d-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.10.0.130-g0e79597d-aliyun | 2023-04-18 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
June 2022
Version | Image address | Release date | Description | Impact |
v3.8.1.113-geb7947ef-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.8.1.113-geb7947ef-aliyun | 2022-06-08 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
April 2022
Version | Image address | Release date | Description | Impact |
v3.7.1.93-gaf375989-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.1.93-gaf375989-aliyun | 2022-04-02 | The Mutation feature can be enabled on the Add-ons page of the ACK console. By default, the Mutation feature is disabled. For more information about the Mutation feature, see Mutation. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
February 2022
Version | Image address | Release date | Description | Impact |
v3.7.0.84-gf5fd3ffd-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.0.84-gf5fd3ffd-aliyun | 2022-02-15 | The performance of the component is optimized. The issue of abnormal CPU utilization in extreme cases is fixed. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
January 2022
Version | Image address | Release date | Description | Impact |
v3.7.0.82-gafe4391b-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.0.82-gafe4391b-aliyun | 2022-01-14 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
September 2021
Version | Image address | Release date | Description | Impact |
v3.6.0.62-g156146d-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.6.0.62-g156146d-aliyun | 2021-09-20 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
March 2021
Version | Image address | Release date | Description | Impact |
v3.3.0.24-8e68abc-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.3.0.24-8e68abc-aliyun | 2021-03-16 |
| If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |
August 2020
Version | Image address | Release date | Description | Impact |
v3.1.0.11-24bab09-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.1.0.11-24bab09-aliyun | 2020-08-20 | OPA Gatekeeper is updated to 3.1.0-beta.12. The gatekeeper component is dependent on OPA Gatekeeper. Note OPA Gatekeeper is an open source project based on which gatekeeper is developed. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |