Kubernetes Setup
Set up OPA Gatekeeper in your Kubernetes cluster to enforce policies.
Prerequisites
- Kubernetes cluster v1.16+
- kubectl access with admin privileges
- Helm 3.x (recommended)
Installation
Using Helm (Recommended)
```bash
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
helm install gatekeeper gatekeeper/gatekeeper \
  -n gatekeeper-system \
  --create-namespace
```
Verify Installation
```bash
kubectl get pods -n gatekeeper-system
```
You should see:
- `gatekeeper-audit-*` - Audits existing resources
- `gatekeeper-controller-manager-*` - Enforces policies on new resources
Using Policies in SRExpert
Creating Policy Templates
- Go to Security > Policy Management > Policy Templates
- Click Create Template
- Choose a template from the Policy Examples
- Fill in Name, Kind, Description, Category, Severity
- Paste the Rego code
- Save the template
Applying Policies
- Go to Security > Policy Management > Policies
- Click Create Policy
- Select your template
- Choose target clusters
- Configure parameters
- Set enforcement mode (Warn, Deny, or Dryrun)
- Click Create
Compliance Frameworks
These policies can help support requirements from major compliance frameworks:
| Framework | How policies help |
|---|---|
| CIS Kubernetes Benchmark | Pod security, network policies, and RBAC hardening |
| NSA/CISA Kubernetes Hardening | Workload isolation, least privilege, and supply-chain controls |
| NIST | Container isolation, least privilege, and network segmentation |
| PCI-DSS | Network segmentation and encryption in transit |
| SOC 2 | Access controls and availability controls |
| ISO 27001 | Secure development practices and network security |
| HIPAA | Access control and transmission security |
The mapping above is indicative. Always validate specific control coverage against the current revision of each framework for your environment.
Next Steps
- Policy Examples - Browse available policies
- Gatekeeper Overview - Learn how to manage policies in SRExpert