OPA Gatekeeper: Globally restrict it's scope to selected namespaces

2 min read

To prevent OPA Gatekeeper to apply rules to some namespaces we can add exclusions at the rule level but this can be very inconvenient since we would need to add it to every single rule. A change on these exclusion list can be a pain as well.

We can configure the ValidatingWebhookConfiguration to restrict it globally to namespaces that have a some label.

23/11/2022

Exclude certain namespaces from a OPA gatekeeper rule

2 min read

While some policies can be safely applied to all the namespaces of a cluster, some other can become problematic since they can interfere with the normal operations of certain controllers. When we create a constrain rule we can exclude some namespaces using the spec.match.excludedNamespaces attribute

18/11/2022

Write constraints for OPA gatekeeper

3 min read

Once we have OPA gatekeeper installed we might want to start writing our own rules if we cannot find it in the gatekeeper library.

01/11/2022

Kubernetes: Enforcing policies using the OPA gatekeeper

6 min read

We might call it best-practices or policies but most organizations have some rules about how their applications should run, for example: Do not use the latest tag. Some others might even be required to meet certain compliance requirements to reach some security standard, for example: Do not use NodePort services.

To be able to enforce these policies we can use a policy engine like OPA.

29/03/2022