Enforce Security and Governance in Kubernetes using OPA Gatekeeper

As a Platform Team, when you host Kubernetes Cluster for the rest of application teams to run their services, there are few things that you expect the Teams to follow to make everyone’s life easier. For instance — you expect every team to define —

1. CPU/Memory requirement for their application pods [Governance Policy]
2. The minimum set of labels as per Organization standard. Like — application name, cost center, etc. [Governance Policy]
3. Image repository should be from the approved list and not just any public repository [Security Policy]
4. On Development environment, the replica count should always be set to 1 — may be to save on the cost [Governance Policy, to save on Cost]
5. And the list goes on and on…

This is a fair ask from Teams to follow the best practices, but we all know, based on prior experience, until you enforce these rules, things will not be in place. And this blogs talks exactly about this —

How to enforce Security and Governance policies to have fine grain control on the services running in a Kubernetes Cluster

Logically, here is what we would need to achieve it —

Step #1 — A component which can understand the Governance and/or Security related policies and apply them as…