RealTheory can notify you when OPA Gatekeeper is a required component in your environment but is not present on your cluster, or when the installed version of OPA Gatekeeper does not comply with organizational standards.
If OPA Gatekeeper is a required component in your Kubernetes environment, it is most likely that the manifest files needed for the installation or an OPA Gatekeeper Helm chart already exist. Contact your Operations or DevOps team to determine if there are company resources for installing OPA Gatekeeper BEFORE using either of the following procedures.
To install OPA Gatekeeper with Helm:

1. Add the Gatekeeper chart repository and refresh the local chart index:

    helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
    helm repo update

2. Create the namespace and install the chart:

    kubectl create namespace gatekeeper-system
    helm install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system

   To install a specific version, pin the chart version instead:

    helm install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system --version <version>

   <version> is the version number of OPA Gatekeeper you want to install.

3. Confirm that the Gatekeeper pods are running:

    kubectl get pods -n gatekeeper-system

To install OPA Gatekeeper from the release manifests:

1. Apply the Gatekeeper custom resource definitions:

    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraintpodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constrainttemplatepodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraints.yaml

2. Create the namespace and apply the Gatekeeper deployment manifest:

    kubectl create namespace gatekeeper-system
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml

   These URLs point at the release-3.7 branch. If your organization requires a different release, substitute that release branch in every URL.

3. Confirm that the Gatekeeper pods are running:

    kubectl get pods -n gatekeeper-system

To verify that the installation enforces policy (the same check applies to both installation methods):

1. Save the following constraint as test-constraint.yaml. It requires every Pod to carry the label environment with the value production. The K8sRequiredLabels kind is defined by a ConstraintTemplate that Gatekeeper itself does not install; apply that template (for example, the one from the Gatekeeper policy library) before creating the constraint, or kubectl rejects the constraint because the kind K8sRequiredLabels does not exist.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: test-constraint
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
      parameters:
        labels:
          required:
            - key: environment
              values: ["production"]

2. Apply the constraint:

    kubectl apply -f test-constraint.yaml

3. Save a pod that lacks the required label as pod-without-label.yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest

4. Try to create the pod:

    kubectl apply -f pod-without-label.yaml

   Gatekeeper's validating admission webhook should reject the request, and the error message should name test-constraint. If the pod is created instead, confirm that the ConstraintTemplate for K8sRequiredLabels exists and that the Gatekeeper pods are running. A pod that carries the label environment: production should be admitted normally.

If a specific version of OPA Gatekeeper is required in your Kubernetes environment, it is most likely that the manifest files or an OPA Gatekeeper Helm chart already exist. Contact your Operations or DevOps team to determine if there are company resources for installing OPA Gatekeeper BEFORE using either of the following procedures.
To upgrade OPA Gatekeeper with Helm:

1. Refresh the local chart index so that Helm can see the newer chart versions, then upgrade the release:

    helm repo update
    helm upgrade gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system

   To upgrade to a specific version, pin the chart version instead:

    helm upgrade gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system --version <version>

   <version> is the version number of OPA Gatekeeper you want to upgrade to.

2. Confirm that the Gatekeeper pods are running:

    kubectl get pods -n gatekeeper-system

To upgrade OPA Gatekeeper from the release manifests:

1. Apply the custom resource definitions for the target release:

    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraintpodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constrainttemplatepodstatuses.yaml
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/crds/gatekeeper.openpolicyagent.org_constraints.yaml

2. Apply the Gatekeeper deployment manifest for the target release:

    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml

   These URLs point at the release-3.7 branch. To upgrade to a different release, substitute that release branch in every URL.

3. Confirm that the Gatekeeper pods are running:

    kubectl get pods -n gatekeeper-system
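Both the install and the upgrade procedures end with kubectl get pods, which shows that the Gatekeeper pods are up but not which version is running or whether that version meets the organizational standard mentioned at the top of this page. The following POSIX shell script is an added example, not part of the RealTheory documentation or of the Gatekeeper project. It assumes that the controller Deployment is named gatekeeper-controller-manager in the gatekeeper-system namespace and that the container image tag carries the version (for example openpolicyagent/gatekeeper:v3.7.0); both are defaults of the Helm chart and of deploy/gatekeeper.yaml, but verify them against your own installation.

```shell
#!/bin/sh
# Added example: check that OPA Gatekeeper is installed and that its running
# version meets an organizational minimum. Not from the RealTheory docs or the
# Gatekeeper project. Assumed: the controller Deployment is named
# gatekeeper-controller-manager in gatekeeper-system, and the image tag carries
# the version, e.g. openpolicyagent/gatekeeper:v3.7.0.

# Print the version carried by an image reference's tag, without a leading "v"
# or a "-rc.1" style suffix. Handles a registry port and a trailing @sha256
# digest. Prints nothing and fails when the image has no tag (digest-only or
# untagged images do not reveal a version).
gatekeeper_version_from_image() {
  ref=${1%%@*}            # drop any digest: name:tag@sha256:... -> name:tag
  last=${ref##*/}         # last path element, e.g. gatekeeper:v3.7.0
  case "$last" in
    *:*) tag=${last##*:} ;;
    *)   return 1 ;;
  esac
  tag=${tag#v}
  printf '%s\n' "${tag%%-*}"
}

# version_ge A B: succeed when dotted version A >= B. Compares up to three
# numeric components; missing components count as 0 (3.7 == 3.7.0).
version_ge() {
  a=$1 b=$2
  case "$a$b" in
    *[!0-9.]*) echo "non-numeric version: $a / $b" >&2; return 2 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $a; a1=${1:-0} a2=${2:-0} a3=${3:-0}
  set -- $b; b1=${1:-0} b2=${2:-0} b3=${3:-0}
  IFS=$old_ifs
  for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
    x=${pair%%:*}; y=${pair##*:}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# gatekeeper_check REQUIRED IMAGE: status 0 when the image's version satisfies
# REQUIRED, 1 when it is older, 2 when no version can be read from the image.
gatekeeper_check() {
  required=$1 image=$2
  have=$(gatekeeper_version_from_image "$image") || {
    echo "cannot determine Gatekeeper version from image $image" >&2
    return 2
  }
  if version_ge "$have" "$required"; then
    echo "Gatekeeper $have satisfies required minimum $required"
    return 0
  fi
  echo "Gatekeeper $have does not satisfy required minimum $required" >&2
  return 1
}

# Live check against the current kubectl context (needs cluster access, so it
# is not exercised by the offline checks). Usage: gatekeeper_live_check 3.7.0
gatekeeper_live_check() {
  image=$(kubectl get deployment gatekeeper-controller-manager -n gatekeeper-system \
            -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null) || {
    echo "OPA Gatekeeper is not installed: no gatekeeper-controller-manager Deployment in gatekeeper-system" >&2
    return 2
  }
  gatekeeper_check "$1" "$image"
}

# When run as a script with a version argument, perform the live check.
if [ $# -gt 0 ]; then
  gatekeeper_live_check "$1"
fi
```

The script reads the version from the image reference rather than from chart metadata so that it gives the same answer for a Helm installation and for one applied from the release manifests. An image pinned only by digest returns status 2, because a digest does not reveal the version; in that case compare the digest against the one your organization has approved instead.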