Question on OPA Gatekeeper

Hi,

I was going through the CKS simulator (e.g. killer.sh) and I see that there’s a question on OPA Gatekeeper. I was able to reverse engineer the problem by looking at the solution and apply some of the concepts taught in the OPA lecture, but overall it is very confusing.

However, I think it’s still a bit confusing. For example, I am not sure which components are involved in the OPA Gatekeeper setup (e.g. there seems to be a lot more CRDs created) and what each component does.

Normally, if it's a standard K8S OPA deployment, I would look for the resources under the "opa" namespace, ConfigMaps, and ValidatingWebhookConfiguration. However, in this case, I am not even sure what I am supposed to look for when I first look at the question, and there's not a lot of information on this topic in the official K8S documentation.

What would be the suggestion on how to approach questions related to OPA Gatekeeper?

My apologies if this question has been repeated already. I have seen previous posts asking similar questions, but none of them seem to have a straight answer. Thank you.

Gatekeeper is indeed built on OPA and on a hierarchy of CRD resource types. But in practice, you define constraint templates (which package the OPA related Rego code), and you create constraints that link a resource type to that constraint template. It’s not clear what the status of OPA Gatekeeper is as far as the CKS exam goes, although as you’ve noticed, it’s been in the killer.sh simulation for CKS for a while now. We have plans to add labs and lectures concerning Gatekeeper to our CKS course, but for now, I don’t have an estimate as to when this will happen.

The best way to learn it well enough for CKS prep right now is by doing tutorials from the web; I’d start with the tutorial on the OPA docs site and work the examples there. I think that even if you see a Gatekeeper question on the exam (and I don’t know for certain that this can happen), you will need to modify a constraint or a constraint template and jiggle the Rego a bit, but nothing more complex than that. So it will be similar to what we already have in the CKS course with the earlier generation of OPA code. So if you understand how Gatekeeper fits constraint templates and constraints to raise alerts about resources that don’t fit your code, you’ll know enough to deal with any likely question you’d see in an exam.


Thank you so much as always Rob! Your feedback is very helpful!