In the last several posts we explored building configurations with Config Connector. Config Connector is a Kubernetes extension that enables managing Google Cloud resources. It allows you to use Kubernetes resource model: declarative, idempotent, eventually consistent. In this post we’ll discuss Gatekeeper – open policy agent for Kubernetes. Using Gatekeeper you can create policies for GCP resources to ensure their compliance. To illustrate Gatekeeper integration with Config Connector, we will create a simple policy example.
Gatekeeper, just like Config Connector, is a Kubernetes extension. It registers CRDs that allow creating policies with constraint templates. Then, you can instantiate these policies by creating constraints.
First of all, let us provision a project, create a Kubernetes cluster and enable Config Connector. Below is the same script we used in the other posts. Don’t forget to substitute your [PROJECT_ID] and [BILLING_ACCOUNT]. You can also skip the part that creates a project, if you already have one.
As the next step, we will install the Gatekeeper library. The easiest way is with kubectl apply:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
Template
Now we will create the constraint template that we will use in our example. This template restricts the resource types we instantiate with Config Connector to an allowed list:
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: kccallowedresourcetypes
spec:
  crd:
    spec:
      names:
        kind: KCCAllowedResourceTypes
        listKind: KCCAllowedResourceTypesList
        plural: KCCAllowedResourceTypes
        singular: KCCAllowedResourceTypes
      validation:
        openAPIV3Schema:
          properties:
            types:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package kccallowedresourcetypes

        violation[{"msg": msg}] {
          type := input.review.object.kind
          apiVersion := input.review.object.apiVersion
          isKccType := contains(apiVersion, "cnrm.cloud.google.com")
          typeSatisfied := [good | allowedType = input.parameters.types[_]; good = type == allowedType]
          isKccType
          not any(typeSatisfied)
          msg := sprintf("using type <%v> is not allowed, allowed Config Connector types are %v", [type, input.parameters.types])
        }
By the way, if you are looking for the Gatekeeper language docs, this is the link. The Gatekeeper GitHub repository also has simpler and more complex template examples.
Constraint
Now let’s create a constraint based on this template. Let’s say you would like to only allow creation of PubSubTopic and ComputeNetwork resources. This is a policy that enforces it:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: KCCAllowedResourceTypes
metadata:
  name: only-allowed-gcp-types
spec:
  parameters:
    types:
      - "PubSubTopic"
      - "ComputeNetwork"
Just like the template above, you can apply this policy using kubectl apply.
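Before applying a template to a cluster, it is worth exercising its Rego with constructed admission inputs via opa test, so that both the allow and the deny path are confirmed and that ordinary Kubernetes objects are left alone. The test below is an added example, not part of the original post; it assumes the rego block of the template above is saved as policy.rego and this file beside it as policy_test.rego (file names are my choice), both in package kccallowedresourcetypes, and that the parameters mirror the only-allowed-gcp-types constraint.

```rego
package kccallowedresourcetypes

# Parameters copied from the only-allowed-gcp-types constraint on the page.
allowed_params = {"types": ["PubSubTopic", "ComputeNetwork"]}

# Builds the minimal Gatekeeper-style input the violation rule reads:
# review.object.kind / apiVersion plus the constraint parameters.
# Kinds and apiVersions below are constructed test values.
review(kind, apiVersion) = {
  "review": {"object": {"kind": kind, "apiVersion": apiVersion}},
  "parameters": allowed_params,
}

# An allowed Config Connector kind yields no violation (admission succeeds).
test_pubsubtopic_allowed {
  count(violation) == 0 with input as review("PubSubTopic", "pubsub.cnrm.cloud.google.com/v1beta1")
}

test_computenetwork_allowed {
  count(violation) == 0 with input as review("ComputeNetwork", "compute.cnrm.cloud.google.com/v1beta1")
}

# A Config Connector kind outside the list yields exactly one violation
# whose message names the rejected kind, as in the kubectl output on the page.
test_iamserviceaccount_denied {
  v := violation with input as review("IAMServiceAccount", "iam.cnrm.cloud.google.com/v1beta1")
  count(v) == 1
  startswith(v[_].msg, "using type <IAMServiceAccount> is not allowed")
}

# Non-Config-Connector objects fail the isKccType check, so the policy
# ignores them rather than blocking core Kubernetes workloads.
test_core_kubernetes_object_ignored {
  count(violation) == 0 with input as review("Deployment", "apps/v1")
}
```

Run it with `opa test policy.rego policy_test.rego`; a failing test here means the template would either block resources you intended to allow or let a disallowed type through once deployed.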
To see this example in action, try creating a ComputeNetwork or a PubSubTopic. These will succeed. However, if you attempt to create another GCP resource, you will get a violation. For instance, referencing the service account sample from the Config Connector samples repo:
$ kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-config-connector/master/resources/iamserviceaccount/iam_v1alpha1_iamserviceaccount.yaml
Error from server ([denied by only-allowed-gcp-types] using type <IAMServiceAccount> is not allowed, allowed Config Connector types are ["PubSubTopic", "ComputeNetwork"]): error when creating "https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-config-connector/master/resources/iamserviceaccount/iam_v1alpha1_iamserviceaccount.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by only-allowed-gcp-types] using type <IAMServiceAccount> is not allowed, allowed Config Connector types are ["PubSubTopic", "ComputeNetwork"]
One example use case for this policy is ensuring that an application team within your organization is limited to creating only certain GCP resource types.
To summarize, in this post we looked at how you can create policies for GCP resources to ensure their compliance, using Gatekeeper and Config Connector. This repo contains all the configuration scripts used in this sample. Good luck policy-making!