
Gatekeeper – Policy Controller for Kubernetes - alexellisuk
https://github.com/open-policy-agent/gatekeeper
======
wwright
There was an article here yesterday where the comments were almost nothing but
complaints about administering Kubernetes.

Tools like this and Knative make me feel like Kubernetes is the next UNIX:
it’s a platform. You don’t use it to run a set of server processes. You use it
to leverage an entire distributed platform.

~~~
twblalock
One way to look at Kubernetes is to say that it consists of a database of
arbitrary objects and controller programs that take actions when those objects
change.

This is a good system to control software deployment (i.e. controllers react
to objects that represent the desired state of a set of containers and a way
to access them) but it can be a lot more generic than that.

Kubernetes isn't like other systems where the core is locked down and users
can add plugins that have limited privileges but aren't really the same as the
built-in stuff -- examples include browser extensions, or maybe Lua plugins
for Nginx.

In Kubernetes you can create objects and controllers that are first-class
citizens just like the ones it comes with out of the box. They go in the same
database as the built-in objects. You can remove or replace parts of the core
system if you want to. This is what makes it a platform.

------
hon3ybadg3r
eli5

~~~
marcc
Gatekeeper is an easy way to deploy and manage admission policies in
Kubernetes. Kubernetes admission policies allow you to set custom rules on
what can and cannot be deployed in Kubernetes.

Gatekeeper is a CRD (Custom Resource Definition). This means that you can
write policies as Kubernetes objects and deploy them to the cluster the same
way you'd deploy any other object to the cluster.

Gatekeeper policies are Rego (created by Open Policy Agent), which is based on
Datalog, and allows you to create these policies using a very rich and
powerful language.

~~~
Rapzid
Ah, I think I get it now. So you could reject deployments for oversubscribing
resources or using unsupported Docker repos, as some contrived examples.

~~~
charlieegan3
Yeah exactly. Kubernetes has some good built in tools for resource checking
(and pods in general imo). I've found this most useful for asserting rules on
ingress and services to control the exposure of services to the public.
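
The ingress-and-services use case from the reply above, as an added example in the same ConstraintTemplate/Constraint form (not code from the Gatekeeper project or from the commenter): one template with two violation rules, one restricting Service types so nothing gets a NodePort or cloud load balancer, the other restricting Ingress hosts to allow-listed DNS suffixes. The domain suffix, namespace names and object names are hypothetical.

```yaml
# Added example (not Gatekeeper's own library): keep workloads in selected
# namespaces from exposing themselves outside the cluster.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spublicexposure
spec:
  crd:
    spec:
      names:
        kind: K8sPublicExposure
      validation:
        openAPIV3Schema:
          properties:
            allowedServiceTypes:
              type: array
              items:
                type: string
            allowedHostSuffixes:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spublicexposure

        # Rule 1: a Service may only use a type listed in the parameters.
        # An omitted spec.type defaults to ClusterIP in the API server, so
        # default it here too rather than letting a missing field pass.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          svc_type := object.get(input.review.object.spec, "type", "ClusterIP")
          not allowed_type(svc_type)
          msg := sprintf("Service %v has type %v; allowed types are %v",
                         [input.review.object.metadata.name, svc_type,
                          input.parameters.allowedServiceTypes])
        }

        allowed_type(t) { input.parameters.allowedServiceTypes[_] == t }

        # Rule 2: every Ingress rule host must end with an allowed suffix.
        # A rule with no host (a catch-all) is rejected outright, since it
        # would answer for any name that reaches the ingress controller.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Ingress"
          rule := input.review.object.spec.rules[_]
          not allowed_host(object.get(rule, "host", ""))
          msg := sprintf("Ingress %v rule host %v is not under %v",
                         [input.review.object.metadata.name,
                          object.get(rule, "host", "<none>"),
                          input.parameters.allowedHostSuffixes])
        }

        allowed_host(h) {
          h != ""
          endswith(h, input.parameters.allowedHostSuffixes[_])
        }
---
# Constraint: apply to Services and Ingresses in the hypothetical
# "team-a" namespace; both API groups for Ingress are matched so older
# extensions/v1beta1 objects are not missed.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPublicExposure
metadata:
  name: team-a-internal-only
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
      - apiGroups: ["networking.k8s.io", "extensions"]
        kinds: ["Ingress"]
    namespaces: ["team-a"]
  parameters:
    allowedServiceTypes: ["ClusterIP"]
    allowedHostSuffixes: [".internal.example.com"]
```

The suffix check is deliberately written with a leading dot so that `evilinternal.example.com` does not match `internal.example.com`. It does not cover TLS SNI hosts under `spec.tls[].hosts`, nor an ingress controller that routes on annotations rather than `spec.rules`; extend the rule if your controller does either.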

