← Back to Blog

Open Policy Agent

Blog March 23, 2025 2 min read

Open Policy Agent To implement image validation policies using Open Policy Agent (OPA) and Gatekeeper in a Kubernetes environment like OpenShift, you will need to create ConstraintTemplates and Constraints.

Open Policy Agent

To implement image validation policies using Open Policy Agent (OPA) and Gatekeeper in a Kubernetes environment like OpenShift, you will need to create ConstraintTemplates and Constraints. These are Kubernetes Custom Resource Definitions (CRDs) that Gatekeeper uses to enforce policies defined by OPA's Rego language.

Here's a sample code setup to get you started:

Step 1: Install Gatekeeper on your OpenShift cluster

open policy agent 1

You can install Gatekeeper by applying the Gatekeeper YAML file:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml

Step 2: Create a ConstraintTemplate for image validation

A ConstraintTemplate defines the schema and the logic of the policy you want to enforce using Rego. Here's an example that validates images to ensure they are only pulled from a specific registry:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos

    violation[{"msg": msg}] {
                      image := input.review.object.spec.containers[_].image
                      not startswith(image, allowed[_])
                      msg := sprintf("Container image '%v' is not from an allowed registry", [image])
                    }
                
                    allowed[repo] {
                      repo := input.parameters.repos[_]
                    }

Step 3: Deploy the ConstraintTemplate to your cluster

Apply the ConstraintTemplate:

kubectl apply -f .yaml

Step 4: Create a Constraint to enforce the policy

A Constraint specifies the parameters and which resources the policy should apply to. Here’s an example of a Constraint that applies the above template to all deployments and restricts images to only my-registry.io:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: allowed-repos
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
repos:
- "my-registry.io"

Step 5: Deploy the Constraint to your cluster

Apply the Constraint:

kubectl apply -f .yaml

Summary

  • Install Gatekeeper: Install Gatekeeper to your Kubernetes cluster.

  • Create a ConstraintTemplate: Define the policy logic using Rego.

  • Deploy the ConstraintTemplate: Apply it to your cluster.

  • Create a Constraint: Define specific rules using the ConstraintTemplate.

  • Deploy the Constraint: Apply it to enforce the rules.

With these steps, Gatekeeper will enforce the policies defined by your OPA templates, ensuring only images from my-registry.io are used in your cluster. You can modify the Rego policy and constraints to suit your specific requirements.

🔗 Connect with me:

Imported from rifaterdemsahin.com · 2025

📚 Related Reading

Double Charge Your Second Brain With Obsidian 2025-12-31
Custom app refresh to save battery 2025-12-28
Check List for a Google Meets Call 2025-12-28