Gatekeeper & Policies

OPA Gatekeeper is a policy enforcement engine for Kubernetes. SRExpert provides a visual interface to create, manage, and monitor Gatekeeper policies across your clusters.

Prerequisites

Before creating Gatekeeper policies, you need to install the Gatekeeper Helm Chart in your cluster.

Installing Gatekeeper

  1. Navigate to Helm Charts in the sidebar
  2. Select the Custom tab
  3. Find the gatekeeper chart

Gatekeeper Helm Chart
Gatekeeper Helm Chart available in the Custom tab

  4. Click Install and configure with default values (or customize as needed)

Gatekeeper Installation
Installing Gatekeeper with default configuration

  5. Wait for the installation to complete. The Gatekeeper pods will be deployed in the gatekeeper namespace.

Overview

Once Gatekeeper is installed, navigate to Security > Gatekeeper to access the policy management interface.

Gatekeeper Policies
Gatekeeper Policies management interface showing active constraints and violations

Gatekeeper uses Constraint Templates to define reusable policy logic and Constraints to apply those policies to your clusters. SRExpert simplifies this process with a visual interface that lets you:

  • View all active policies and their status
  • Monitor policy violations in real-time
  • Create new policies from pre-built templates
  • Edit and delete existing policies

Dashboard Metrics

At the top of the Gatekeeper view, you’ll see three key metrics:

  Metric              Description
  Active Constraints  Total number of policies currently deployed
  Enforced            Policies that block non-compliant resources (Deny mode)
  Violations          Resources that violate your policies

Managing Policies

Viewing Policies

Each policy card displays:

  • Name: The constraint name (e.g., require-labels-production)
  • Kind: The constraint template type (e.g., K8sRequiredLabels)
  • Clusters: Which clusters the policy applies to
  • Enforcement: Warn (log only) or Deny (block)

Actions available:

  • Details: View full policy configuration
  • Edit: Modify policy settings
  • Delete: Remove the policy

Viewing Violations

Click on a policy card or go to the Violations tab to see:

  • Which resources are violating the policy
  • The specific violation message
  • Namespace and resource type
  • When the violation was detected
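The violation details listed above come from the status that Gatekeeper's audit controller writes back onto each Constraint object. The following is an added, constructed example of that status (sample names, namespace, timestamp and counts are invented; only the field layout is Gatekeeper's), not output from SRExpert or from the original page; it is what `kubectl get k8srequiredlabels require-labels-production -o yaml` would return for a constraint named as in the example card above.

```yaml
# Constructed example: a K8sRequiredLabels constraint after one audit run.
# Resource names, namespace, timestamp and counts are sample values.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-labels-production
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment", "team"]
status:
  auditTimestamp: "2024-05-01T10:15:00Z"   # "when the violation was detected"
  totalViolations: 2                        # feeds the Violations metric
  violations:
    # one entry per violating resource: which resource, where, and the
    # message produced by the template's Rego
    - enforcementAction: deny
      group: ""
      version: v1
      kind: Pod
      namespace: payments
      name: checkout-6d9f7c
      message: 'you must provide labels: {"environment", "team"}'
    - enforcementAction: deny
      group: apps
      version: v1
      kind: Deployment
      namespace: payments
      name: checkout
      message: 'you must provide labels: {"team"}'
```

Two points a practitioner should keep in mind when reading this status: the audit only reports on resources that already exist, so a Deny constraint lists pre-existing non-compliant resources without removing them (Deny only blocks new admission requests), and by default Gatekeeper records at most 20 entries per constraint under `status.violations` (the `--constraint-violations-limit` flag on the audit controller), so `totalViolations` can be larger than the number of listed entries.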

Creating a Policy

Click + Create Policy to open the creation form.

Create Policy Form
Policy creation form with template selection and configuration options

Step 1: Target Clusters

Choose where to apply the policy:

  • Selected clusters: Pick specific clusters from the dropdown
  • All clusters: Apply to every connected cluster
  • Don’t apply yet: Save the policy without deploying

Step 2: Policy Template

Select a pre-built template from the dropdown. Common templates include:

  Template              Purpose
  K8sRequiredLabels     Require specific labels on resources
  K8sContainerLimits    Require CPU/memory limits on containers
  K8sAllowedRepos       Restrict container images to approved registries
  K8sDisallowedTags     Block specific image tags (e.g., latest)
  K8sBlockLoadBalancer  Prevent LoadBalancer service creation
  K8sBlockNodePort      Prevent NodePort service creation
  K8sHttpsOnly          Require HTTPS for ingress resources

Step 3: Policy Details

  • Name: A unique identifier for the constraint (e.g., require-labels-production)
  • Description: Explain what this policy enforces
  • Enforcement:
    • Warn (Log only) - Log violations but allow the resource
    • Deny (Block) - Block non-compliant resources from being created

Step 4: Scope

Define which resources the policy applies to:

  • Namespaces: Comma-separated list (empty = all namespaces)
  • Excluded Namespaces: Namespaces to skip (e.g., kube-system, kube-public)
  • Resource Kinds: Which resource types to check (e.g., Pod, Deployment, StatefulSet)

Step 5: Parameters

Configure template-specific parameters in JSON format. For example:

K8sRequiredLabels:

{
  "labels": ["app", "environment", "team"]
}

K8sAllowedRepos:

{
  "repos": ["gcr.io/", "docker.io/", "quay.io/"]
}

K8sDisallowedTags:

{
  "tags": ["latest", "dev"]
}

Editing and Deleting Policies

  • Click Edit on any policy card to modify its configuration
  • Click Delete to remove a policy (this will stop enforcement immediately)

Best Practices

  1. Start with Warn mode: Test policies in warning mode before switching to Deny
  2. Exclude system namespaces: Always exclude kube-system and kube-public
  3. Use descriptive names: Make policy names clear and searchable
  4. Monitor violations: Regularly check the dashboard to catch policy violations
  5. Document your policies: Use the description field to explain the policy’s purpose
  6. Apply incrementally: Start with a few critical policies and expand over time