Policy and governance using OPA Gatekeeper
In this section of the chapter, we will learn how to enforce policy and governance on EKS cluster resources using OPA. We will create a policy that denies the creation of resources that don't have a specific label.
OPA is an open source, general-purpose policy engine that is part of the CNCF, unifying policy enforcement across the stack. OPA is used for making policy decisions and can be run in different ways, for example, as a language library or as a service. We can write OPA policies in a domain-specific language called Rego.
OPA Gatekeeper provides the following functionality:
- A parameterized policy library
- Constraint templates, which use native Kubernetes CRDs for extending the policy library
- Constraints, which use native Kubernetes CRDs for instantiating the policy library
- Audit capabilities
The following diagram illustrates how OPA Gatekeeper enforces policies on a Kubernetes cluster: