Open Policy Agent (OPA) via UI
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. KKP integrates it using Gatekeeper, OPA's Kubernetes-native policy engine, which enforces policies as a validating admission webhook and additionally reports violations of already existing resources through its audit controller. More information about OPA and Gatekeeper can be found in their docs and tutorials.
Admin Panel for OPA Options
As an admin, you will find a few options in the Admin Panel. You can access this panel by clicking on the account icon in the top right corner and selecting Admin Panel.
![Accessing the Admin Panel Access Admin Panel](/kubermatic/v2.26/images/ui/admin-panel.png?classes=shadow,border)
Here you can see the OPA Options with two checkboxes attached:
Enable by Default: sets the OPA Integration checkbox on cluster creation to enabled by default.
Enforce: makes the checkbox read-only, so users cannot change it.
Enforce only locks the checkbox in whatever state it has; to require OPA on every newly created cluster, enable both options.
![Admin OPA Options Admin OPA Options](/kubermatic/v2.26/images/ui/opa-admin-options.png?classes=shadow,border)
The Admin Panel also offers you the possibility to specify Constraint Templates under the OPA menu.
![Constraint Templates Constraint Templates](/kubermatic/v2.26/images/ui/opa-admin-ct-view.png?classes=shadow,border)
Default Constraints are managed in the same place: navigate to the OPA menu and then to Default Constraints.
![Default Constraints Default Constraints](/kubermatic/v2.26/images/ui/default-constraint-admin.png?classes=shadow,border)
Cluster Details View
The cluster details view shows some additional information if OPA is enabled. OPA Integration in the top area indicates whether OPA is enabled or not. OPA Gatekeeper Controller and OPA Gatekeeper Audit show the status of those two controllers (the admission webhook and the audit controller). OPA Constraints and OPA Gatekeeper Config are added to the tab menu at the bottom. More details are in the following sections.
![Cluster Details View Cluster Details View](/kubermatic/v2.26/images/ui/opa-cluster-view.png?classes=shadow,border)
Activating OPA
To create a new cluster with OPA enabled, you only have to enable the OPA Integration checkbox during the cluster creation process. It is placed in Step 2 (Cluster) and can be enabled by default as mentioned in the Admin Panel for OPA Options section.
If you don’t know how to create a cluster using the Kubermatic Kubernetes Platform follow our Project and cluster management tutorial.
![OPA Integration during Cluster Creation OPA Integration during Cluster Creation](/kubermatic/v2.26/images/ui/opa-enable.png?classes=shadow,border)
It is also possible to enable or disable OPA for an existing cluster. In the cluster details view, click on the vertical ellipsis menu and select Edit Cluster.
![Cluster Details Ellipsis Menu Cluster Details Ellipsis Menu](/kubermatic/v2.26/images/ui/edit-cluster-menu.png?classes=shadow,border)
In the appearing dialog, you can now enable/disable the OPA Integration.
![Edit Cluster Dialog Edit Cluster Dialog](/kubermatic/v2.26/images/ui/edit-cluster-dialog.png?classes=shadow,border)
Operating OPA
Constraint Templates
Constraint Templates allow you to declare new kinds of Constraints. A template carries the Rego policy and the schema for the parameters a Constraint may pass to it, so the template defines the behavior and the Constraints only select resources and fill in parameters. The Constraint Templates view under the OPA menu in the Admin Panel allows adding, editing and deleting Constraint Templates.
![Constraint Templates Constraint Templates](/kubermatic/v2.26/images/ui/opa-admin-ct-view.png?classes=shadow,border)
Constraint Templates can be added by clicking on the + Add Constraint Template icon in the top right corner of the view. A new dialog will appear, where you can specify the spec of the template. Spec is the only field, and it has to be filled with the template's spec in YAML.
![Constraint Template Add Dialog Add Constraint Template](/kubermatic/v2.26/images/ui/opa-admin-add-ct.png?classes=shadow,border&height=350px)
The following example requires all labels listed in the constraint's parameters to be present on the matched object. The parameter schema is a structural OpenAPI v3 schema, so `items` must itself be a schema object (`type: string`) rather than the bare word `string`:

```yaml
crd:
  spec:
    names:
      kind: K8sRequiredLabels
    validation:
      # Schema for the `parameters` field
      openAPIV3Schema:
        type: object
        properties:
          labels:
            type: array
            items:
              type: string
targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabels
      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
        provided := {label | input.review.object.metadata.labels[label]}
        required := {label | label := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("you must provide labels: %v", [missing])
      }
```
Just click on Add Constraint Template to create the constraint template.
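A template pasted into the Admin Panel is propagated to every OPA-enabled cluster, so it is worth unit-testing the Rego before adding it. The following is an added example, not part of the KKP documentation or code base: it repeats the `k8srequiredlabels` rule from the template above and exercises it with `opa test` against constructed admission inputs. The `ns_review` helper and the fixture objects are assumptions made for the test; the parameters mirror the example Constraint further below (`labels: ["gatekeeper"]`).

```rego
package k8srequiredlabels

# Policy under test: identical to the rego in the K8sRequiredLabels template.
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
  provided := {label | input.review.object.metadata.labels[label]}
  required := {label | label := input.parameters.labels[_]}
  missing := required - provided
  count(missing) > 0
  msg := sprintf("you must provide labels: %v", [missing])
}

# Constructed helper (not KKP code): builds the input Gatekeeper hands to the
# policy, i.e. the AdmissionReview object plus the Constraint's parameters.
ns_review(labels) = {
  "review": {"object": {"kind": "Namespace", "metadata": {"name": "team-a", "labels": labels}}},
  "parameters": {"labels": ["gatekeeper"]}
}

test_required_label_present_is_allowed {
  inp := ns_review({"gatekeeper": "enabled", "team": "a"})
  count(violation) == 0 with input as inp
}

test_required_label_missing_is_denied {
  inp := ns_review({"team": "a"})
  count(violation) == 1 with input as inp
  violation[v] with input as inp
  v.details.missing_labels == {"gatekeeper"}
}

# Edge case: an object with no labels field at all. The set comprehension over
# the undefined metadata.labels yields an empty set, so the rule still fires
# instead of silently becoming undefined.
test_no_labels_at_all_is_denied {
  inp := {
    "review": {"object": {"kind": "Namespace", "metadata": {"name": "team-a"}}},
    "parameters": {"labels": ["gatekeeper"]}
  }
  count(violation) == 1 with input as inp
}

# Edge case: several required labels, only one of them missing; the details
# field should name exactly the missing one.
test_partial_labels_reports_only_missing {
  inp := {
    "review": {"object": {"kind": "Namespace", "metadata": {"name": "team-a", "labels": {"owner": "a"}}}},
    "parameters": {"labels": ["owner", "cost-center"]}
  }
  violation[v] with input as inp
  v.details.missing_labels == {"cost-center"}
}
```

Save it as `k8srequiredlabels_test.rego` and run `opa test -v k8srequiredlabels_test.rego`. The template uses Rego v0 syntax, as Gatekeeper does; with OPA 1.x pass `--v0-compatible` to `opa test`.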
Constraint Templates can be edited after clicking on the pencil icon that appears when hovering over one of the rows. The form is identical to the one from creation. In this table you can also delete it if needed.
![Cluster Details View Edit Constraint Template](/kubermatic/v2.26/images/ui/edit-constraint-template.png?classes=shadow,border)
Constraints
Constraints instantiate the rules defined by a Constraint Template: a Constraint selects which resources the rule applies to (the match section) and provides the parameters that are used in the Constraint Template's Rego.
Create Constraint in the Cluster
![Cluster Details View Cluster Details View](/kubermatic/v2.26/images/ui/opa-cluster-view.png?classes=shadow,border)
![Constraints Constraints](/kubermatic/v2.26/images/ui/opa-constraints-cluster.png?classes=shadow,border)
To add a new constraint, click on the + Add Constraint icon on the right. A new dialog will appear, where you can specify the name, the constraint template, and the spec:
![Add Constraints Dialog Add Constraints Dialog](/kubermatic/v2.26/images/ui/opa-add-constraint.png?classes=shadow,border)
The following example will make sure that the gatekeeper label is defined on all namespaces, if you are using the K8sRequiredLabels constraint template from above:

```yaml
match:
  kinds:
    - apiGroups: [""]
      kinds: ["Namespace"]
parameters:
  labels: ["gatekeeper"]
```
Just click on + Add Constraint to create the constraint. In this table you can also edit or delete it later by clicking on the icons that appear when hovering over one of the rows.
![Constraints Constraints](/kubermatic/v2.26/images/ui/cluster-opa-constraints-overview.png?classes=shadow,border)
It also shows you possible violations. Click on the row to expand the view and to see all violations in detail.
![Violations Violations](/kubermatic/v2.26/images/ui/opa-created-constraints-violations.png?classes=shadow,border)
Default Constraints
Default Constraints allow admins to conveniently apply policies to all OPA-enabled clusters. This gives admins an easier way to make sure all user clusters follow certain policies (for example security policies), instead of creating the same Constraints for each cluster separately.
A Kubermatic operator/admin creates a Default Constraint in the Admin Panel; it is then propagated to the seed clusters and to every user cluster that has the OPA integration enabled.
On the cluster level, Default Constraints are differentiated from regular Constraints by the default label.
Create Default Constraint
In the Admin view navigate to the OPA menu and then to Default Constraints.
To add a new default constraint, click on the + Add Default Constraint icon on the right. A new dialog will appear, where you can specify the name, the constraint template and the spec:
![Create Default Constraint Create Default Constraint](/kubermatic/v2.26/images/ui/create-default-constraint-dialog.png?height=300px&classes=shadow,border)
```yaml
constraintType: K8sPSPAllowPrivilegeEscalationContainer
match:
  kinds:
    - kinds:
        - Pod
      apiGroups:
        - ''
  labelSelector: {}
  namespaceSelector: {}
selector:
  labelSelector: {}
```
![Created Default Constraint Created Default Constraint](/kubermatic/v2.26/images/ui/default-constraint-admin-view.png?classes=shadow,border)
The created Default Constraint will also show up in the cluster view of every cluster it applies to, marked with the Admin Constraint label.
![Created Default Constraint on the Cluster Created Default Constraint on the Cluster](/kubermatic/v2.26/images/ui/default-constraint-cluster-view.png?classes=shadow,border)
Edit Default Constraint
Editing Default Constraint will sync the changes to all the respective constraints on the user clusters.
To edit the constraint, click on the edit button on the right that appears when hovering over one of the rows.
![Edit Default Constraint Edit Default Constraint](/kubermatic/v2.26/images/ui/edit-delete-default-constraint.png?classes=shadow,border)
In the appearing dialog you can now edit the Default Constraint.
![Edit Constraint Dialog Edit Constraint Dialog](/kubermatic/v2.26/images/ui/edit-default-constraint-dialog.png?classes=shadow,border)
Filtering Clusters on Default Constraints
The Filter Clusters feature enables admins to restrict the user clusters a Default Constraint is applied to, using Cloud Provider and Label Selector filters.
If no filter is applied, Default Constraints are synced to all user clusters, which can be verified in the Applies To field as shown here:
![Default Constraint Applies To Default Constraint Applies To](/kubermatic/v2.26/images/ui/default-constraint-admin-view.png?classes=shadow,border)
For example, an admin wants to apply a policy only to clusters with the provider aws and the label filtered: true. To do so, add the following selector to the constraint spec:

```yaml
selector:
  providers:
    - aws
  labelSelector:
    matchLabels:
      filtered: 'true'
```
![Default Constraint Filters Default Constraint Filters](/kubermatic/v2.26/images/ui/default-constraint-applied-to.png?classes=shadow,border)
The Constraint can then only be seen in (and is only enforced on) the clusters which satisfy the filters. For the above use case, the Default Constraint is applied to the cluster blissful-stallman with provider aws and the label filtered: 'true', and not to the cluster zen-knuth with provider gcp.
![Clusters Clusters](/kubermatic/v2.26/images/ui/filtered-clusters.png?classes=shadow,border)
![Filtered Cluster with Default Constraint Filtered Cluster with Default Constraint](/kubermatic/v2.26/images/ui/cluster-aws-filter.png?classes=shadow,border)
Disabling Constraint
The Disabling Constraint feature allows users to disable constraints temporarily, for use cases like testing.
A Constraint is disabled (turned off) by setting the disabled flag to true in the constraint spec.
As a result, the Constraint's policy is no longer enforced on the cluster; remember to re-enable it once testing is done, since nothing re-enables it automatically.
![Disabled Constraint Spec Disabled Constraint Spec](/kubermatic/v2.26/images/ui/disabled-constraint-spec.png?classes=shadow,border)
A disabled Kubermatic Constraint is shown blurred in the cluster view to differentiate it from enabled Constraints.
![Disabled Constraint Disabled Constraint](/kubermatic/v2.26/images/ui/cluster-disabled-constraint.png?classes=shadow,border)
Disable Default Constraints
To disable a Default Constraint in the Admin view, click on the green button under On/Off.
![Disable Default Constraint Disable Default Constraint](/kubermatic/v2.26/images/ui/default-constraint-on.png?classes=shadow,border)
Kubermatic adds the label disabled: true to the disabled Constraint.
![Disabled Default Constraint Disabled Default Constraint](/kubermatic/v2.26/images/ui/default-constraint-default-true.png?height=400px&classes=shadow,border)
![Disabled Default Constraint Disabled Default Constraint](/kubermatic/v2.26/images/ui/disabled-default-constraint-cluster-view.png?classes=shadow,border)
Enable the constraint again by clicking the same button.
![Enable Default Constraint Enable Default Constraint](/kubermatic/v2.26/images/ui/disabled-default-constraint.png?classes=shadow,border)
Delete Default Constraint
Deleting Default Constraint causes all related Constraints on the user clusters to be deleted as well.
To delete the constraint, click on the delete button on the right that appears when hovering over one of the rows.
![Delete Default Constraint Delete Default Constraint](/kubermatic/v2.26/images/ui/edit-delete-default-constraint.png?classes=shadow,border)
AllowedRegistry
AllowedRegistry is part of the OPA Integration Admin Panel.
It allows admins to manage the built-in KKP Constraint AllowedRegistry, through which you can easily define which image registries may be used for Pods on all OPA-enabled user clusters.
![Allowed Registry View Allowed Registries View](/kubermatic/v2.26/images/ui/allowed-registries.png?classes=shadow,border)
To create an AllowedRegistry, click on the + Add Allowed Registries button and set a Kubernetes-compliant name and a registry prefix.
OPA matches these prefixes against the image field of the Pod's containers; if an image matches at least one prefix, the Pod is allowed to be created/updated.
Because this is a plain prefix match, end each prefix with a slash (for example quay.io/kubermatic/ rather than quay.io/kubermatic). Without the slash, an image from a lookalike repository such as quay.io/kubermatic-evil/ would match the prefix as well.
![Add Allowed Registry Allowed Registries Create](/kubermatic/v2.26/images/ui/add-allowed-registry.png?classes=shadow,border)
The Allowed Registries can be managed through the same form by using the edit button, or deleted with the trash button.
A controller collects the Allowed Registry prefixes and creates a corresponding Constraint Template and Default Constraint.
![Allowed Registry Default Constraint Allowed Registries Default Constraint](/kubermatic/v2.26/images/ui/allowed-registry-default-constraint.png?classes=shadow,border)
KKP manages this Default Constraint automatically (the parameters list, the Pod match and enabled/disabled), but users can still change the other values, most importantly the filtering.
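The prefix semantics described above are easy to get wrong, so here is an added example, not KKP's own AllowedRegistry template, that re-implements the described behavior in a few lines of Rego and tests it with `opa test`. The parameter name `allowed_registry`, the `with_params` helper and all Pod fixtures are assumptions constructed for the test; KKP's built-in template may differ in naming. The example also checks init containers, which a registry policy must cover as well because they run before the main containers.

```rego
package allowedregistry

# Simplified re-implementation of the behavior the page describes (not KKP's
# built-in template): a Pod is admitted only if every container image starts
# with at least one configured prefix. Assumption: parameter name allowed_registry.
violation[{"msg": msg}] {
  container := pod_containers[_]
  not allowed(container.image)
  msg := sprintf("container %q uses image %q; allowed registries are %v", [container.name, container.image, input.parameters.allowed_registry])
}

# Both regular and init containers are subject to the check.
pod_containers[c] {
  c := input.review.object.spec.containers[_]
}
pod_containers[c] {
  c := input.review.object.spec.initContainers[_]
}

# Plain prefix match, as the page describes it.
allowed(image) {
  startswith(image, input.parameters.allowed_registry[_])
}

# Constructed helper: wraps a Pod object and the prefix list into policy input.
with_params(obj, prefixes) = {"review": {"object": obj}, "parameters": {"allowed_registry": prefixes}}

test_image_under_allowed_prefix_is_admitted {
  obj := {"kind": "Pod", "spec": {"containers": [{"name": "app", "image": "quay.io/kubermatic/app:1.0"}]}}
  inp := with_params(obj, ["quay.io/kubermatic/"])
  count(violation) == 0 with input as inp
}

test_image_from_other_registry_is_denied {
  obj := {"kind": "Pod", "spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]}}
  inp := with_params(obj, ["quay.io/kubermatic/"])
  count(violation) == 1 with input as inp
}

test_init_container_is_checked_too {
  obj := {"kind": "Pod", "spec": {
    "containers": [{"name": "app", "image": "quay.io/kubermatic/app:1.0"}],
    "initContainers": [{"name": "init", "image": "docker.io/library/busybox"}]
  }}
  inp := with_params(obj, ["quay.io/kubermatic/"])
  count(violation) == 1 with input as inp
}

# Pitfall: a prefix without a trailing slash also matches a lookalike
# repository. The weak prefix admits the Pod, the corrected one rejects it.
test_prefix_without_trailing_slash_is_too_broad {
  evil := {"kind": "Pod", "spec": {"containers": [{"name": "app", "image": "quay.io/kubermatic-evil/app:1.0"}]}}
  loose := with_params(evil, ["quay.io/kubermatic"])
  strict := with_params(evil, ["quay.io/kubermatic/"])
  count(violation) == 0 with input as loose
  count(violation) == 1 with input as strict
}
```

Run it with `opa test -v allowedregistry_test.rego` (add `--v0-compatible` on OPA 1.x). The last test is the one to keep in mind when filling in the registry prefix in the Admin Panel.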
Gatekeeper Config
In this area, you have the possibility to define a Gatekeeper Config. It is not required, but some constraints need it: at admission time a policy only sees the object under review, so a constraint that needs to look at other objects in the cluster (for example the Namespace a Pod is created in) requires those kinds to be synced into Gatekeeper's cache via the config's sync section.
Initially, you will only see the Add Gatekeeper Config button.
![Gatekeeper Config Gatekeeper Config](/kubermatic/v2.26/images/ui/opa-config.png?classes=shadow,border)
Click on this button to create a config. A new dialog will appear, where you can insert your spec:
![Add Gatekeeper Config Add Gatekeeper Config](/kubermatic/v2.26/images/ui/opa-add-config.png?height=350px&classes=shadow,border)
The following example syncs all Namespaces and Pods into Gatekeeper's cache, where policies can read them under data.inventory; the cache is kept up to date as objects change:

```yaml
sync:
  syncOnly:
    - group: ""
      version: "v1"
      kind: "Namespace"
    - group: ""
      version: "v1"
      kind: "Pod"
```
Just click on Add to create the config. The view then displays the config parts you specified. You can also edit and delete it later.
![Gatekeeper Config Gatekeeper Config](/kubermatic/v2.26/images/ui/opa-config-overview.png?classes=shadow,border)
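To make concrete what "constraints that need more access" means, here is an added example that is not part of the KKP documentation or its built-in templates: a hypothetical template `k8snamespaceowner` that refuses Pods in a Namespace without an owner label. The Namespace is not the object under review, so the policy reads it from the synced cache at data.inventory, which only contains Namespaces if the Gatekeeper Config above lists them. The `pod_in` and `inventory_with` helpers and the fixtures are constructed for the test. The last test shows the failure mode a practitioner should know: without the sync the policy does not fail closed, it silently admits the Pod.

```rego
package k8snamespaceowner

# Hypothetical policy (not a KKP built-in): deny a Pod whose Namespace has no
# "owner" label. Cluster-scoped objects synced by the Gatekeeper Config are
# available as data.inventory.cluster[<groupVersion>][<kind>][<name>].
violation[{"msg": msg}] {
  input.review.object.kind == "Pod"
  ns_name := input.review.object.metadata.namespace
  ns := data.inventory.cluster["v1"]["Namespace"][ns_name]
  not ns.metadata.labels.owner
  msg := sprintf("namespace %q has no owner label, refusing Pod %q", [ns_name, input.review.object.metadata.name])
}

# Constructed fixtures, not real cluster objects.
pod_in(ns) = {"review": {"object": {"kind": "Pod", "metadata": {"name": "web", "namespace": ns}}}}

inventory_with(ns_objects) = {"cluster": {"v1": {"Namespace": ns_objects}}}

test_pod_in_labelled_namespace_is_admitted {
  inp := pod_in("payments")
  inv := inventory_with({"payments": {"metadata": {"name": "payments", "labels": {"owner": "team-a"}}}})
  count(violation) == 0 with input as inp with data.inventory as inv
}

test_pod_in_unlabelled_namespace_is_denied {
  inp := pod_in("scratch")
  inv := inventory_with({"scratch": {"metadata": {"name": "scratch"}}})
  count(violation) == 1 with input as inp with data.inventory as inv
}

# Failure mode: if Namespaces are not listed under syncOnly, the cache has no
# entry for the namespace, the rule body is undefined and the Pod is admitted.
# The policy fails open, so the Gatekeeper Config is a prerequisite, not an option.
test_fails_open_when_namespaces_are_not_synced {
  inp := pod_in("scratch")
  empty := {"cluster": {}}
  count(violation) == 0 with input as inp with data.inventory as empty
}
```

Run it with `opa test -v k8snamespaceowner_test.rego` (add `--v0-compatible` on OPA 1.x). When deploying such a template through the Admin Panel, add the Gatekeeper Config with the Namespace kind to every cluster the constraint is propagated to, otherwise the constraint is effectively a no-op there.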