Policy-as-Code with Open Policy Agent Gatekeeper: automating compliance in Kubernetes
My name is Evgeny Sergeevich Semyonov, director of АйТи Фреш. Policy-as-Code with OPA Gatekeeper is the standard for governance in enterprise Kubernetes. Zero-trust security requires automatic policy enforcement at every stage of the SDLC. Below I walk through a production rollout of Gatekeeper for automating GDPR compliance: from admission control to continuous monitoring across 50+ microservices.
Open Policy Agent Gatekeeper: Policy-as-Code for K8s
Gatekeeper extends OPA for Kubernetes admission control:
- Declarative policies: constraints are written in the Rego language
- Kubernetes-native: CRD-based policy management
- Template system: reusable policy templates
- Audit mode: continuous compliance monitoring
- Violation reporting: detailed compliance dashboards
Installing and configuring Gatekeeper
# 1. Install via Helm
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system \
  --create-namespace \
  --set auditInterval=60 \
  --set constraintViolationsLimit=100 \
  --set audit.replicas=2
# 2. Verify the installation
kubectl get pods -n gatekeeper-system
kubectl get crd | grep gatekeeper
Constraint Templates for security policies
# Security Constraint Template
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredsecuritycontext
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredSecurityContext
      validation:
        # The parameters schema must sit under openAPIV3Schema
        openAPIV3Schema:
          type: object
          properties:
            runAsNonRoot:
              type: boolean
            requiredCapabilities:
              type: array
              items:
                type: string
            forbiddenCapabilities:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredsecuritycontext

        import future.keywords.in

        # Pods carry containers at spec.containers; Deployments, DaemonSets and
        # StatefulSets (the kinds the production constraint matches) carry them
        # at spec.template.spec.containers, so both locations are collected.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.template.spec.containers[_]
        }

        violation[{"msg": msg}] {
          container := containers[_]
          not container.securityContext.runAsNonRoot
          msg := "Container must run as non-root user"
        }

        violation[{"msg": msg}] {
          container := containers[_]
          required := input.parameters.requiredCapabilities[_]
          not required in container.securityContext.capabilities.add
          msg := sprintf("Missing required capability: %v", [required])
        }

        violation[{"msg": msg}] {
          container := containers[_]
          forbidden := input.parameters.forbiddenCapabilities[_]
          forbidden in container.securityContext.capabilities.add
          msg := sprintf("Forbidden capability detected: %v", [forbidden])
        }
Production security constraints
# Applying the security constraint (constraints live in the constraints.gatekeeper.sh API group)
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityContext
metadata:
  name: security-must-run-as-non-root
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment", "DaemonSet", "StatefulSet"]
    namespaces: ["production", "staging"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    runAsNonRoot: true
    requiredCapabilities: []
    forbiddenCapabilities:
      - "SYS_ADMIN"
      - "NET_ADMIN"
      - "SYS_TIME"
      - "SYS_MODULE"
GDPR compliance automation
# GDPR Data Processing Policy Template
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: gdprdataprocessing
spec:
  crd:
    spec:
      names:
        kind: GDPRDataProcessing
      validation:
        openAPIV3Schema:
          type: object
          properties:
            requiredAnnotations:
              type: array
              items:
                type: string
            allowedDataTypes:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package gdprdataprocessing

        import future.keywords.in

        # Check that the required GDPR annotations are present
        violation[{"msg": msg}] {
          required := input.parameters.requiredAnnotations[_]
          not input.review.object.metadata.annotations[required]
          msg := sprintf("Missing required GDPR annotation: %v", [required])
        }

        # Check the type of data being processed
        violation[{"msg": msg}] {
          data_type := input.review.object.metadata.annotations["gdpr.data-type"]
          not data_type in input.parameters.allowedDataTypes
          msg := sprintf("Data type %v not allowed for processing", [data_type])
        }

        # Check the retention period
        violation[{"msg": msg}] {
          retention := input.review.object.metadata.annotations["gdpr.retention-days"]
          to_number(retention) > 730 # 730 days: the 2-year GDPR retention ceiling this policy enforces
          msg := sprintf("Data retention period %v days exceeds GDPR limit", [retention])
        }
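The security-context template from the previous section and the GDPR template above can be unit-tested with `gator verify` (Gatekeeper's own CLI) before anything reaches a cluster. The suite below is an added example, not part of the original article; the file paths, the test constraints and the sample objects it references are assumptions, described in the comments.

```yaml
# Run with `gator verify suite.yaml`. All paths are assumed: the two templates
# from this article saved under templates/, test constraints under
# constraints/test/, hand-written sample objects under samples/.
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
tests:
  - name: required-security-context
    template: templates/k8srequiredsecuritycontext.yaml
    # same parameters as the production constraint, but match.kinds set to
    # core-group Pods so that standalone Pod samples are evaluated
    constraint: constraints/test/security-context-pods.yaml
    cases:
      - name: non-root-without-forbidden-caps
        # Pod whose container sets runAsNonRoot: true and adds no capabilities
        object: samples/pod-nonroot.yaml
        assertions:
          - violations: no
      - name: missing-security-context
        # Pod whose container has no securityContext at all
        object: samples/pod-root.yaml
        assertions:
          - violations: yes
            message: "must run as non-root user"
      - name: forbidden-capabilities
        # runAsNonRoot: true, but capabilities.add: ["SYS_ADMIN", "NET_ADMIN"]
        object: samples/pod-sys-admin.yaml
        assertions:
          - violations: 2
            message: "Forbidden capability detected"
  - name: gdpr-data-processing
    template: templates/gdprdataprocessing.yaml
    # assumed parameters: requiredAnnotations [gdpr.data-type, gdpr.retention-days],
    # allowedDataTypes [contact, billing]
    constraint: constraints/test/gdpr-data-processing.yaml
    cases:
      - name: annotated-within-retention
        # annotations gdpr.data-type: contact, gdpr.retention-days: "365"
        object: samples/pod-gdpr-ok.yaml
        assertions:
          - violations: no
      - name: retention-too-long
        # annotations gdpr.data-type: contact, gdpr.retention-days: "1095"
        object: samples/pod-gdpr-retention.yaml
        assertions:
          - violations: 1
            message: "exceeds GDPR limit"
```

A failing case fails the whole suite, which makes this a natural gate in the policy repository's pull-request pipeline.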
Network policy enforcement
# Network Policy Constraint Template
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequirednetworkpolicy
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredNetworkPolicy
      validation:
        openAPIV3Schema:
          type: object
          properties:
            message:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirednetworkpolicy

        violation[{"msg": msg}] {
          input.review.kind.kind == "Deployment"
          namespace := input.review.object.metadata.namespace
          # Check that a NetworkPolicy exists in the namespace
          not has_network_policy(namespace)
          msg := sprintf("Namespace %v must have NetworkPolicy defined", [namespace])
        }

        has_network_policy(namespace) {
          # Rego cannot call the API server at admission time. Gatekeeper instead
          # syncs the kinds listed in its Config resource into data.inventory, so
          # NetworkPolicy (networking.k8s.io/v1) must be in that sync list.
          policies := data.inventory.namespace[namespace]["networking.k8s.io/v1"]["NetworkPolicy"]
          count(policies) > 0
        }
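Gatekeeper never queries the API server from Rego during admission; the kinds listed under `sync` in its Config resource are cached into `data.inventory`, where namespaced objects appear at `data.inventory.namespace[<namespace>][<group/version>][<kind>][<name>]`. The Config below is an added example, not from the original article; it makes NetworkPolicy objects available to a `has_network_policy` lookup in the template above.

```yaml
# Gatekeeper Config: exactly one per cluster, named "config" in the Gatekeeper
# namespace. Synced objects are cached in the audit and webhook pods, so keep
# the list to the kinds that policies actually reference.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      # NetworkPolicy objects land at
      # data.inventory.namespace[<ns>]["networking.k8s.io/v1"]["NetworkPolicy"][<name>]
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"
      # Namespaces are cluster-scoped and land at
      # data.inventory.cluster["v1"]["Namespace"][<name>], handy for label checks
      - group: ""
        version: "v1"
        kind: "Namespace"
```

Because the check runs at admission, a NetworkPolicy must be applied before the first Deployment in a new namespace, and the synced cache can lag briefly behind a policy that was just created.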
Need help with Policy-as-Code?
We have rolled out OPA Gatekeeper on 40+ enterprise projects and can help with policy design, compliance automation and audit reporting.
Continuous compliance monitoring
# Grafana dashboard for policy violations
# Prometheus queries. Gatekeeper's audit controller exposes violations as the gauge
# gatekeeper_violations, labelled by enforcement_action (deny, dryrun, warn);
# per-namespace detail is in each constraint's status.violations, not in metrics.
# Total policy violations by enforcement action
sum(gatekeeper_violations) by (enforcement_action)
# Violations of enforced (deny) constraints, i.e. resources that would be rejected
sum(gatekeeper_violations{enforcement_action="deny"})
# Compliance score (approximate: one Deployment can violate several constraints).
# Assumes kube-state-metrics is installed for the workload count.
(
  count(kube_deployment_created) -
  sum(gatekeeper_violations{enforcement_action="deny"})
) / count(kube_deployment_created) * 100
CI/CD integration with policy testing
# GitHub Actions for policy testing
name: Policy Validation
on:
  pull_request:
    paths:
      - 'policies/**'
      - 'manifests/**'
jobs:
  policy-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Conftest for policy validation
      - name: Install Conftest
        run: |
          wget -q https://github.com/open-policy-agent/conftest/releases/download/v0.46.0/conftest_0.46.0_Linux_x86_64.tar.gz
          tar xzf conftest_0.46.0_Linux_x86_64.tar.gz
          sudo mv conftest /usr/local/bin
      # Testing policies. Conftest passes each manifest directly as `input`, so the
      # Rego under policies/ must read input.spec..., not input.review.object...
      # as the ConstraintTemplates above do; use gator to test the templates themselves.
      - name: Test Policies
        run: |
          conftest test --policy policies/ manifests/
      # Dry run against Gatekeeper: needs a kubeconfig for a cluster where Gatekeeper
      # and the constraints are installed (configure it in an earlier step)
      - name: Gatekeeper Dry Run
        run: |
          kubectl apply --dry-run=server -f manifests/
          kubectl get constraints -o yaml
Advanced Rego patterns
# Complex policy for cost optimization
package costoptimization

import future.keywords.in
import future.keywords.if

# Check resource limits
violation[result] if {
  container := input.review.object.spec.containers[_]
  not container.resources.limits.cpu
  result := {
    "msg": "Container must have CPU limits defined",
    "details": {
      "container": container.name,
      "recommendation": "Add resources.limits.cpu"
    }
  }
}

# Check right-sizing
violation[result] if {
  container := input.review.object.spec.containers[_]
  cpu_limit := container.resources.limits.cpu
  memory_limit := container.resources.limits.memory
  # Convert to numeric values
  cpu_cores := parse_cpu(cpu_limit)
  memory_gb := parse_memory(memory_limit)
  cpu_cores > 0 # guard the division below
  # Cost efficiency rules
  ratio := memory_gb / cpu_cores
  ratio > 8 # More than 8GB per CPU core
  result := {
    "msg": "Inefficient resource allocation detected",
    "details": {
      "cpu_cores": cpu_cores,
      "memory_gb": memory_gb,
      "ratio": ratio,
      "recommendation": "Reduce memory or increase CPU"
    }
  }
}

# CPU quantities arrive as strings: "500m" (millicores) or "2" (whole cores)
parse_cpu(cpu_string) := cores if {
  endswith(cpu_string, "m")
  cores := to_number(trim_suffix(cpu_string, "m")) / 1000
}
parse_cpu(cpu_string) := cores if {
  not endswith(cpu_string, "m")
  cores := to_number(cpu_string)
}

# Memory quantities arrive as "512Mi" or "4Gi"; any other suffix leaves the
# function undefined, so the right-sizing rule silently skips that container
parse_memory(mem_string) := gb if {
  endswith(mem_string, "Gi")
  gb := to_number(trim_suffix(mem_string, "Gi"))
}
parse_memory(mem_string) := gb if {
  endswith(mem_string, "Mi")
  gb := to_number(trim_suffix(mem_string, "Mi")) / 1024
}
Conclusion
Policy-as-Code with OPA Gatekeeper provides automated governance for enterprise Kubernetes. Declarative policies, continuous compliance monitoring and CI/CD integration together automate security and regulatory requirements end to end. In 2026 this is a must-have for any production cluster with compliance requirements.
