Policy as code allows you to define, version, and enforce security policies declaratively. Two popular tools for Kubernetes are OPA Gatekeeper and Kyverno.
## OPA Gatekeeper

Gatekeeper is a Kubernetes admission controller built on Open Policy Agent (OPA); its policies are written in Rego.

### Installation

```bash
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
```

### Creating Constraints
First, define a template:
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the constraint's `parameters` field. The v1 template API
        # requires a structural schema, so the top-level `type: object` is needed.
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing labels: %v", [missing])
        }
```

Then create a constraint, which instantiates the template, selects the resources it applies to, and supplies the parameters:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["team", "environment"]
```

## Kyverno

Kyverno policies are ordinary Kubernetes resources written in YAML; there is no separate policy language to learn.
### Installation

```bash
kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
```

### Example Policies
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-resources
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory requests/limits are required"
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    memory: "?*"
                    cpu: "?*"
                  limits:
                    memory: "?*"
                    cpu: "?*"
```
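Both policies above are easiest to reason about when you can run their logic against sample objects before enforcing them on a cluster. The following Python is an added example, not code from the page, from Gatekeeper or from Kyverno: it re-implements the `k8srequiredlabels` Rego rule and a subset of Kyverno's validate-pattern semantics (the `?*` wildcard and single-element list patterns) in plain Python, then evaluates both policies over constructed Namespace and Pod objects. Everything it models is limited to what the two policies on the page use.

```python
"""Offline check of the two policies shown above.

Added illustration, not Gatekeeper's or Kyverno's own engine: it re-implements
the logic of the K8sRequiredLabels Rego rule and of the Kyverno '?*' pattern in
plain Python so both policies can be exercised against constructed objects.
"""
from fnmatch import fnmatchcase


def required_labels_violations(review_object: dict, required: list) -> list:
    """Mirror of the Rego rule: provided = object labels, missing = required - provided.

    `review_object` is the input.review.object part of an admission review.
    Returns one message when labels are missing, an empty list otherwise. An
    absent metadata.labels map counts as "nothing provided", matching how the
    Rego reference input.review.object.metadata.labels[label] is undefined.
    (Rego's sprintf renders the set slightly differently; the decision is the same.)
    """
    provided = set(review_object.get("metadata", {}).get("labels") or {})
    missing = sorted(set(required) - provided)
    return [f"Missing labels: {missing}"] if missing else []


def pattern_matches(pattern, value) -> bool:
    """Subset of Kyverno validate-pattern semantics, enough for the policy above.

    dict   -> every pattern key must exist in the resource and match recursively
    list   -> a one-element pattern list must match every element of the resource list
    scalar -> shell-style wildcard; '?*' therefore means "present and non-empty"
    """
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            key in value and pattern_matches(sub, value[key]) for key, sub in pattern.items()
        )
    if isinstance(pattern, list):
        if not (isinstance(value, list) and len(pattern) == 1):
            return False  # multi-element pattern lists and anchors are not modelled here
        return all(pattern_matches(pattern[0], item) for item in value)
    return fnmatchcase(str(value), str(pattern))


# Same pattern as the require-requests-limits ClusterPolicy, as a Python literal.
RESOURCE_PATTERN = {
    "spec": {
        "containers": [
            {
                "resources": {
                    "requests": {"memory": "?*", "cpu": "?*"},
                    "limits": {"memory": "?*", "cpu": "?*"},
                }
            }
        ]
    }
}


def resource_limits_violations(pod: dict) -> list:
    """Return the policy's message if the Pod does not match the pattern."""
    if pattern_matches(RESOURCE_PATTERN, pod):
        return []
    return ["CPU and memory requests/limits are required"]


def _container(name, resources=None):
    spec = {"name": name, "image": "example.invalid/app:1"}  # constructed sample
    if resources is not None:
        spec["resources"] = resources
    return spec


FULL = {"requests": {"memory": "64Mi", "cpu": "250m"}, "limits": {"memory": "128Mi", "cpu": "500m"}}

# Constructed sample Pods (not taken from any real cluster).
GOOD_POD = {"spec": {"containers": [_container("app", FULL)]}}
POD_MISSING_LIMITS = {"spec": {"containers": [_container("app", {"requests": FULL["requests"]})]}}
POD_EMPTY_CPU = {"spec": {"containers": [_container("app", {**FULL, "requests": {"memory": "64Mi", "cpu": ""}})]}}
POD_SECOND_CONTAINER_BARE = {"spec": {"containers": [_container("app", FULL), _container("sidecar")]}}
POD_BARE_INIT_CONTAINER = {"spec": {"initContainers": [_container("init")], "containers": [_container("app", FULL)]}}


if __name__ == "__main__":
    namespaces = [
        ("labelled", {"metadata": {"labels": {"team": "payments", "environment": "prod"}}}),
        ("half-labelled", {"metadata": {"labels": {"team": "payments"}}}),
        ("unlabelled", {"metadata": {"name": "scratch"}}),
    ]
    for name, obj in namespaces:
        print(name, required_labels_violations(obj, ["team", "environment"]))
    for name in ["GOOD_POD", "POD_MISSING_LIMITS", "POD_EMPTY_CPU",
                 "POD_SECOND_CONTAINER_BARE", "POD_BARE_INIT_CONTAINER"]:
        print(name, resource_limits_violations(globals()[name]))
```

Two things the samples make visible that the YAML alone does not: `?*` only requires a non-empty string, so it rejects a missing or empty `cpu` but accepts any value at all, and the pattern addresses `spec.containers` only, so a Pod whose `initContainers` carry no resources still passes. If init containers matter in your environment, the policy needs a second pattern entry for them.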
## Comparison

| Feature | Gatekeeper | Kyverno |
|---|---|---|
| Language | Rego | YAML |
| Learning Curve | Steeper | Gentler |
| Mutation | Limited | Full |
| Generation | No | Yes |
## Essential Policies
- Require resource limits
- Deny privileged containers
- Require labels
- Restrict image registries
- Enforce network policies
Policy as code brings consistency and auditability to security enforcement.