Working with Gatekeeper Operator

Otomi uses Gatekeeper for policy enforcement. Gatekeeper can be turned on or off, and when it is on, individual policies can be enabled or disabled. The OPA Gatekeeper policy library is the source of the policy baseline used here: we selected the policies that are useful for Otomi and adapted them so that Conftest can also run them for static analysis of the manifests Otomi generates.

These policies are provided as a best-practice security baseline. The full set of policies can be found here.

Policies can be customized through the Otomi schema (or through Otomi Console in EE mode). Admins with specific requirements can add their own custom policies.

IMPORTANT NOTES:

It is possible to deviate from the baseline, provided there is a substantiated reason for doing so. To deviate, annotations are configured on the pod spec. Gatekeeper keeps a log of its decisions, so the use of such an annotation remains traceable. Annotation-based exemptions are an Otomi-specific feature, not part of upstream Gatekeeper.
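To show how a pod annotation can exempt a workload from one policy while the policy keeps enforcing everywhere else, here is an added example (not Otomi's own policy code and not taken from the Gatekeeper policy library): a ConstraintTemplate whose Rego denies privileged containers unless the pod carries an opt-out annotation, the Constraint that enables it, and a pod that uses the exemption. The annotation key `example.otomi.io/ignore`, the template name and the pod are placeholders chosen for this example; the key Otomi actually honours is not shown on this page.

```yaml
# Added example: a Gatekeeper policy with an annotation-based exemption.
# Template, constraint and pod names are hypothetical.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sprivilegedannotationexempt
spec:
  crd:
    spec:
      names:
        kind: K8sPrivilegedAnnotationExempt
      validation:
        openAPIV3Schema:
          type: object
          properties:
            annotation:
              type: string
              description: Annotation key whose presence on a pod exempts it from this policy
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sprivilegedannotationexempt

        # Collect regular and init containers so both are checked.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # The exemption: a pod annotated with the configured key opts out.
        # If the pod has no annotations at all, this rule is undefined,
        # which `not exempt` below treats as "not exempt".
        exempt {
          annotations := input.review.object.metadata.annotations
          annotations[input.parameters.annotation]
        }

        violation[{"msg": msg}] {
          not exempt
          c := containers[_]
          c.securityContext.privileged
          msg := sprintf("container %q runs privileged and the pod carries no %q annotation",
                         [c.name, input.parameters.annotation])
        }
---
# The constraint that activates the template for pods and sets the annotation key.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPrivilegedAnnotationExempt
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    annotation: example.otomi.io/ignore   # placeholder key, not Otomi's real one
---
# A pod that documents its deviation from the baseline via the annotation.
# Without the annotation this pod is rejected with the message above.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tools
  annotations:
    example.otomi.io/ignore: "approved exception: node debugging, see change record"
spec:
  containers:
    - name: tools
      image: example.com/debug:1.0
      securityContext:
        privileged: true
```

Two points worth keeping in mind when adapting something like this. First, the Rego reads the object from `input.review.object` because Gatekeeper wraps it in an AdmissionReview, whereas Conftest passes the raw manifest as `input`; a policy that must run in both places needs to account for that difference, which is the kind of adaptation described above. Second, an exempted pod produces no violation, so traceability rests on the annotation itself: it stays on the stored object and can be searched for later, so keep the annotation value meaningful (a reference to the approval) rather than just `"true"`.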

Enable Gatekeeper

To enable the Gatekeeper Operator, edit the values/env/charts/gatekeeper-operator.yaml file and set enabled to true:

```yaml
charts:
  gatekeeper-operator:
    enabled: true
```

Using annotations

BYO policies