What Is OPA Gatekeeper? Security Definition
Also known as: OPA Gatekeeper, Kubernetes policy engine, CKS exam, admission controller, Rego policy language
On This Page
Quick Definition
OPA Gatekeeper is a tool that lets you set rules for what kinds of applications and settings are allowed in your Kubernetes cluster. Think of it as a security guard that checks every request to create or change something in the cluster, and only lets it through if it follows your rules. It helps prevent misconfigurations that could lead to security problems.
Must Know for Exams
OPA Gatekeeper is a significant topic in the Certified Kubernetes Security Specialist (CKS) exam. The CKS exam specifically tests your ability to configure and troubleshoot security controls in a Kubernetes cluster. One of the exam domains is 'Cluster Setup and Hardening,' which includes setting up admission controllers and policy engines. Gatekeeper is the most commonly tested policy engine for the CKS.
In the exam, you may be asked to install Gatekeeper in a cluster, define a policy using ConstraintTemplate and Constraint, and verify that the policy works. You might also need to modify an existing policy or troubleshoot why a policy is not being enforced. The exam scenarios are hands-on, requiring you to write Rego code and apply YAML manifests.
The CKS exam objectives related to Gatekeeper include: understanding how admission controllers work, knowing how to enable and configure OPA Gatekeeper, writing policies to enforce Pod Security Standards (like requiring that containers run as non-root), restricting hostPath volumes, requiring resource limits, and preventing the use of certain image registries.
While Gatekeeper is most directly associated with the CKS, it also appears in the Certified Kubernetes Administrator (CKA) exam in a lighter context, typically as a high-level concept. The Certified Kubernetes Application Developer (CKAD) exam does not usually cover Gatekeeper, but understanding it helps developers write policies that pass admission checks.
Beyond the CKS, the concept of policy-as-code using OPA appears in other certification exams such as the HashiCorp Certified Vault Associate and the CNCF Cloud Native Security Professional certification. If you understand Gatekeeper, you have a strong foundation for these adjacent topics.
Simple Meaning
Imagine you run a busy office building with many offices and meeting rooms. Every time someone wants to move into a new office or set up new equipment, they must fill out a request form. The building manager doesn't have time to check every request personally, so they hire a security guard named Gatekeeper who stands at the entrance.
The guard has a rulebook that lists all the policies: no furniture blocking fire exits, no unapproved electrical equipment, no room assignments that conflict with existing tenants. When a request arrives, the guard checks it against the rulebook. If the request follows all the rules, it is approved and the move can happen.
If it violates a rule, the guard rejects it and explains why. This is exactly what OPA Gatekeeper does for a Kubernetes cluster. Kubernetes is a system that runs and manages applications in containers.
People create or update resources like pods, services, or namespaces. Gatekeeper evaluates every request against a set of policies written in a language called Rego. If the request passes all policies, it is allowed into the cluster.
If it breaks a policy, Gatekeeper blocks it and sends back an error message. The policies can cover anything that matters to your organization: ensuring all containers come from trusted registries, requiring labels for cost tracking, preventing deployments from running as root, or enforcing network security rules. This keeps the cluster secure, compliant, and well-organized without needing a human to review every single change.
Full Technical Definition
OPA Gatekeeper is a Kubernetes-native admission webhook that integrates with the Open Policy Agent (OPA) to enforce policies on resources in a Kubernetes cluster. It is a graduated project in the Cloud Native Computing Foundation (CNCF) ecosystem and is widely used for security, compliance, and governance.
Gatekeeper works by intercepting Kubernetes API requests at the admission stage. When a user or system submits a request to create, update, or delete a resource, the API server sends that request to Gatekeeper’s admission webhook before persisting the resource. Gatekeeper evaluates the request against policies defined as ConstraintTemplates and Constraints. ConstraintTemplates define the logic of a policy using the Rego policy language, which is a declarative language designed for expressing rules over structured data. Constraints are instances of a template that specify the scope and parameters of the policy, such as which namespaces or kinds of resources it applies to.
Under the hood, Gatekeeper runs as a pod in the cluster and listens on HTTPS endpoints for admission review requests from the Kubernetes API server. It uses a cache of existing resources to make decisions that depend on cluster state, such as ensuring that there is only one ingress resource per host. Gatekeeper also supports audit functionality: it can periodically scan all existing resources in the cluster and report those that violate policies, even if they were created before the policy was installed.
From an implementation perspective, administrators create ConstraintTemplates and Constraints as Kubernetes Custom Resource Definitions (CRDs). Each ConstraintTemplate includes a Rego rule that defines the validation logic. Parameters passed to the constraint allow the same template to be reused with different settings. For example, a template that requires all container images to come from a specific registry can be instantiated for different registries in different namespaces.
Gatekeeper also supports dry-run mode, which allows administrators to test new policies without enforcing them. This is critical for safely rolling out policies in production environments. Policies can be enforced in deny mode, which blocks violating requests, or in warn mode, which allows the request but logs a warning.
In real IT environments, Gatekeeper is often combined with other security tools like OPA itself, Kyverno (a similar policy engine), and service mesh security policies. It is particularly valuable in regulated industries such as finance and healthcare, where compliance with standards like PCI DSS or HIPAA requires strict controls on configuration.
Real-Life Example
Imagine you live in a large apartment complex with a central entrance. The building manager wants to keep everyone safe and make sure the building is well-maintained. So they create a set of rules: every package delivered must go through the mailroom, no furniture can be left in the hallways, pets must be registered, and only tenants with a valid access card can enter after 10 PM.
The manager cannot check every person and every package at the door, so they hire a concierge named Alex who sits at the front desk. Alex is given a binder with all the rules. When a delivery person arrives with a package, Alex checks the package against the rules: package from a known carrier, addressed to a current tenant, not oversized or hazardous.
If it passes, Alex lets the delivery person in to use the mailroom. If not, Alex refuses entry and explains why. When a visitor wants to enter after hours, Alex checks their ID and calls the tenant to confirm.
In this analogy, the apartment complex is the Kubernetes cluster. The tenants and deliveries are the resources being created. The binder of rules is the set of policies written in Rego.
Alex the concierge is OPA Gatekeeper. Every request to create, update, or delete a resource hits Gatekeeper first. Gatekeeper evaluates the request against its policies. If the request is valid, it goes through to the API server and the resource is created.
If it violates a policy, Gatekeeper rejects the request and sends back a clear message about what rule was broken. This protects the cluster from misconfigured deployments, insecure container images, or resources that violate organizational standards. Just like Alex keeps the apartment complex safe and orderly, Gatekeeper keeps the Kubernetes cluster secure and compliant.
Why This Term Matters
OPA Gatekeeper matters because Kubernetes clusters are complex and frequently change. People create, update, and delete hundreds of resources every day. Without automated policy enforcement, misconfigurations can easily slip through and cause security vulnerabilities, outages, or compliance violations.
In real IT work, teams often struggle to enforce best practices across many developers and teams. A developer might accidentally deploy a container running as root, which gives an attacker elevated privileges if the container is compromised. Another might forget to add required labels, making it impossible to track costs by department. Someone else might expose a database to the public internet because of a misconfigured service. Gatekeeper catches these mistakes automatically before they cause damage.
From a security perspective, Gatekeeper is a crucial layer of defense. It enforces policies like requiring all container images to come from an approved registry, preventing the use of privileged containers, and ensuring that network policies are in place. This reduces the attack surface of the cluster.
From an operations perspective, Gatekeeper helps maintain consistency. Every team in the organization can rely on the same baseline policies. New clusters can be provisioned with Gatekeeper pre-installed, ensuring that compliance is built in from the start. Audit reports generated by Gatekeeper show which existing resources violate policies, allowing teams to remediate issues over time.
In regulated environments, Gatekeeper provides the evidence needed for compliance audits. You can demonstrate that your cluster enforces policies that align with standards like SOC 2, ISO 27001, or CIS Benchmarks. Without a tool like Gatekeeper, proving compliance would require manual reviews and scattered documentation, which is slow and error-prone.
How It Appears in Exam Questions
OPA Gatekeeper appears in CKS exam questions in several distinct patterns.
Scenario-based questions often describe a security requirement and ask you to implement a policy that meets it. For example: 'Your organization requires that all pods in the finance namespace must have a resource limit set on the memory and CPU. Create a ConstraintTemplate and Constraint to enforce this policy.' You would need to write a Rego rule that checks the pod spec for resource limits and a constraint that applies the template to the finance namespace.
Configuration questions ask you to modify existing policies or resources. For instance: 'The existing Gatekeeper policy is blocking all pods from using the latest image tag. Modify the policy to allow the latest tag only for the development namespace.' You would need to edit the ConstraintTemplate or add an exception parameter.
Troubleshooting questions present a scenario where a policy is not working as expected. Example: 'You applied a policy that should prevent containers from running as root, but a pod in the production namespace still runs as root. Debug why the policy is not effective.' The answer might involve checking that the constraint applies to the correct namespaces, verifying the Rego rule logic, or ensuring that the Gatekeeper webhook is running correctly.
Architecture questions ask you to explain or configure the components of Gatekeeper. For example: 'Describe the difference between a ConstraintTemplate and a Constraint. Where would you define the Rego logic?' You would explain that the ConstraintTemplate holds the reusable policy logic, while the Constraint is an instantiation of that template with specific parameters and scope.
Some questions involve the audit feature. For instance: 'After installing Gatekeeper, you run an audit and find that several existing pods violate the policy against privileged containers. How would you handle this without disrupting running workloads?' The correct answer would involve using dry-run mode or creating a remediation plan rather than immediately deleting the pods.
Finally, multiple-choice or fill-in-the-blank questions may test knowledge of Gatekeeper syntax, such as how to write a Rego rule that denies a resource or how to specify the admission review API version.
Study cncf-cks
Test your understanding with exam-style practice questions.
Example Scenario
A company called FinSecure runs a Kubernetes cluster for their financial application. The security team has a rule: no container in the team's namespace may run with the security context 'privileged: true' because that gives the container full access to the host system, which is a major security risk. They decide to use OPA Gatekeeper to enforce this rule.
The security team writes a ConstraintTemplate called 'deny-privileged-containers'. The template contains a Rego rule that looks at each pod's spec or container specs. If any container has 'securityContext.privileged' set to true, the Rego rule returns a violation. Next, they create a Constraint called 'no-privileged-pods' that uses the template and applies it to the namespace called 'finsecure-apps'.
A developer named Alice is working on a new microservice. She creates a deployment YAML and sets securityContext.privileged to true because she thinks it might help with debugging. When she runs 'kubectl apply -f deployment.yaml', the API server sends the request to Gatekeeper for review. Gatekeeper evaluates the deployment against the 'no-privileged-pods' constraint. It finds that the deployment violates the rule because it has a privileged container. Gatekeeper sends back an admission response that denies the request. Alice gets an error message: 'The deployment was denied because it contains a privileged container, which is not allowed in this namespace.' Alice removes the privileged setting from her YAML and reapplies. This time, Gatekeeper allows the request and the deployment is created successfully. The FinSecure cluster remains secure because Gatekeeper automatically blocked a risky configuration before it could cause harm.
Common Mistakes
Thinking that Gatekeeper policies are written in YAML only.
While ConstraintTemplates and Constraints are defined as YAML resources, the actual policy logic inside a ConstraintTemplate is written in Rego, a declarative policy language. YAML alone cannot express the conditional logic and data queries needed for complex policies.
Learn the basics of Rego, including how to write rules that match on resource fields, use variables, and return denial messages. Practice writing simple Rego policies for common scenarios like checking image registries or required labels.
Confusing ConstraintTemplate with Constraint and using them incorrectly.
A ConstraintTemplate defines the reusable policy logic, but it does not apply to any resources by itself. You must create one or more Constraints that instantiate the template and specify which namespaces or kinds it applies to. Applying only a template has no effect.
Always create both a ConstraintTemplate and at least one Constraint. In the Constraint, set the 'spec.match' field to target specific namespaces, kinds, or label selectors. Verify that the policy is active by checking the Gatekeeper audit logs or testing with a sample resource.
Believing Gatekeeper policies apply to existing resources immediately upon creation.
Gatekeeper intercepts admission requests, so it only checks resources at the moment they are created or updated. Existing resources that were created before the policy was installed remain unchanged unless you run an audit or manually revalidate them.
Use the Gatekeeper audit feature to scan existing resources and generate violations. You can then decide to update or delete offending resources. For critical security policies, consider running a one-time audit after installing a new policy to catch any non-compliant resources already in the cluster.
Assuming Gatekeeper can enforce policies on all Kubernetes resources automatically.
Gatekeeper only evaluates resources that are intercepted by the admission webhook. Some types of resources, like custom resource definitions (CRDs) or specific aggregated API resources, might not be sent to the webhook if not configured properly. Also, resources inside the cluster that are not created via the API server (like some internal components) are not checked.
Ensure that the Gatekeeper webhook configuration covers all resource types you need to police. Check the ValidatingWebhookConfiguration manifest to see which resources and operations are included. Test with a non-critical resource first to confirm the policy works as intended.
Exam Trap — Don't Get Fooled
In an exam scenario, you might be asked to create a ConstraintTemplate and Constraint, but you mistakenly place the Rego logic inside the Constraint YAML instead of the ConstraintTemplate. Remember the template pattern: the ConstraintTemplate is like a function that contains the code, and the Constraint is like a function call with arguments. Always create the ConstraintTemplate first, then the Constraint.
The Constraint's 'spec.parameters' section passes data to the template, and the template's Rego code accesses those parameters. The Rego logic never goes directly into the Constraint YAML.
Commonly Confused With
Kyverno is another Kubernetes-native policy engine that uses YAML for policy definitions instead of the Rego language. While both serve similar purposes, Kyverno is often considered easier to learn because policies can be written without learning a new language, whereas Gatekeeper requires Rego knowledge.
A policy that requires all pods to have a specific label: in Kyverno you write a YAML rule with a pattern, while in Gatekeeper you write a Rego rule that checks the metadata.labels field.
OPA is a general-purpose policy engine that can be used in many contexts beyond Kubernetes, such as microservice authorization, API gateway policies, or Terraform validation. OPA Gatekeeper is a specific integration of OPA for Kubernetes admission control. Gatekeeper is built on top of OPA but adds Kubernetes-specific features like ConstraintTemplates and audit.
OPA can be used to authorize HTTP requests in a web application. Gatekeeper uses OPA under the hood but is designed to intercept Kubernetes API requests and enforce cluster-level policies.
Pod Security Admission is a built-in Kubernetes admission controller that enforces Pod Security Standards (privileged, baseline, restricted). It is simpler and requires no external tools, but it is far less flexible than Gatekeeper. PSA only covers pod-level security contexts, while Gatekeeper can enforce any policy on any resource type.
To prevent containers from running as root, PSA can enforce the 'restricted' profile, while Gatekeeper can write a custom policy that allows root containers only in a specific namespace for legacy applications.
Step-by-Step Breakdown
Step 1: Install OPA Gatekeeper in the cluster
Download the Gatekeeper deployment manifests from the official repository or use a Helm chart. Apply them to your cluster to create the necessary resources: namespace, service account, cluster roles, the admission webhook, and the Gatekeeper controller manager pods. Verify installation by checking that the gatekeeper-controller-manager pods are running.
Step 2: Write a ConstraintTemplate
Create a YAML file that defines a ConstraintTemplate resource. Inside the template, include a Rego rule that specifies the validation logic. For example, a rule that checks if all containers have a resource limit set. The rule must return a violation message if the condition is not met. Apply the template to the cluster.
Step 3: Create a Constraint
Define a YAML file for a Constraint resource that references the ConstraintTemplate. In the Constraint, set the 'spec.match' section to target specific namespaces, kinds (e.g., Pod, Deployment), or label selectors. Optionally, pass parameters like allowed image registries. Apply the Constraint to the cluster.
Step 4: Test the policy
Attempt to create a resource that violates the policy, such as a pod without resource limits. Use kubectl apply. You should receive an error message from Gatekeeper explaining the violation. Then create a compliant resource and verify it succeeds. This confirms the policy is working.
Step 5: Run an audit on existing resources
Gatekeeper can audit existing resources in the cluster. Check the audit logs or use kubectl to list constraint violations. This step identifies resources that were created before the policy was installed and are now non-compliant. Plan remediation: update, delete, or whitelist those resources as appropriate.
Step 6: Monitor and refine policies
Review Gatekeeper logs and metrics regularly. Adjust policies to reduce false positives or cover new requirements. For example, if a legitimate use case is blocked, add an exception parameter to the Constraint. Proper monitoring ensures policies stay effective and do not hinder development.
Practical Mini-Lesson
OPA Gatekeeper is a big step up from basic Kubernetes security because it allows you to enforce custom rules without modifying the Kubernetes source code or relying on manual reviews. To use it effectively, you need to understand three main components: the admission webhook, Rego policy language, and the ConstraintTemplate/Constraint pairing.
First, the admission webhook is how Gatekeeper sits in the request path. When you install Gatekeeper, it registers a ValidatingWebhookConfiguration with the Kubernetes API server. This tells the API server to send every matching request to Gatekeeper's HTTPS endpoint before persisting the resource. Gatekeeper checks the request against all active constraints and sends back a response that either allows or denies the request. The response includes a message if denied.
Second, Rego is the language you use to write policies. Rego is declarative, meaning you describe what you want to allow or deny, not how to check it step-by-step. A basic Rego rule looks at the input resource (the request's object) and returns true or false. For example, to deny pods that use the 'latest' image tag, you write a rule that checks if the container image string ends with ':latest'. If any container matches, the rule returns a violation. Rego also supports iteration, data lookups, and functions, allowing complex policies.
Third, the ConstraintTemplate and Constraint pattern provides reusability and separation of concerns. The ConstraintTemplate defines the policy logic once. The Constraint then specifies the scope (which namespaces, which kinds) and any parameters (like allowed registries). This means you can write one template that checks for required labels, and then create separate Constraints for different namespaces with different label requirements.
What can go wrong with Gatekeeper? Common issues include writing Rego rules that are too broad and block legitimate resources, forgetting to apply the Constraint after creating the template, or misconfiguring the webhook to miss certain resource types. Also, Gatekeeper can add latency to every admission request, especially if policies are complex or if the cluster has many resources. Performance testing is recommended in large clusters.
In practice, professionals integrate Gatekeeper with CI/CD pipelines. Developers can test their manifests against Gatekeeper locally before pushing them to the cluster. This catches violations earlier and speeds up feedback. Teams also use Gatekeeper's dry-run mode to test new policies in production without blocking anything, then switch to enforce mode after validation.
Gatekeeper connects to broader concepts like policy-as-code, GitOps, and compliance automation. By treating policies as code stored in Git, you can version them, review changes via pull requests, and automatically apply them to clusters. This aligns with DevOps practices and helps maintain audit trails.
Memory Tip
Think G.A.T.E.: Gatekeeper validates, Applies Rego, Targets constraints, Enforces policies. The template holds the rule, the constraint holds the target.
Covered in These Exams
Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
What is the difference between OPA Gatekeeper and OPA itself?
OPA (Open Policy Agent) is a general-purpose policy engine that can be used in many contexts, like API authorization or Terraform validation. OPA Gatekeeper is a specific integration of OPA for Kubernetes admission control. Gatekeeper uses OPA under the hood but adds Kubernetes-specific features like ConstraintTemplates, audit, and native CRD support.
Do I need to know Rego to use OPA Gatekeeper?
Yes, because the policy logic inside ConstraintTemplates is written in Rego. While you can copy existing templates, writing or debugging your own policies requires understanding Rego syntax. Fortunately, Rego is simple for basic rules and there are many examples available.
Can OPA Gatekeeper block resource updates or only creates?
Gatekeeper can block both creates and updates, depending on how its webhook is configured. By default, it intercepts CREATE and UPDATE operations. You can also configure it to intercept DELETE operations if needed, though that is less common.
Does OPA Gatekeeper affect cluster performance?
Every create or update request goes through Gatekeeper, which adds a small amount of latency. In most clusters the impact is negligible. However, with many complex policies or a very high request rate, you may need to tune the webhook timeout or scale the Gatekeeper controller replicas.
Can I use OPA Gatekeeper with other admission controllers?
Yes, multiple admission controllers can run in the same cluster. They are evaluated in order according to the webhook configuration. Gatekeeper plays nicely with other webhooks, but you should ensure policies do not conflict. For example, Gatekeeper and Pod Security Admission can complement each other.
How do I test a Gatekeeper policy without blocking resources?
Use Gatekeeper's dry-run mode by setting the 'enforcementAction' field in the Constraint to 'dryrun'. The policy will be evaluated and violations will be logged, but no resources will be blocked. You can also use the '--dry-run' flag with kubectl apply to simulate the request.
Is OPA Gatekeeper the only policy engine for Kubernetes?
No. Other popular policy engines include Kyverno, which uses YAML for policies, and the built-in Pod Security Admission (PSA). Each has its strengths: Kyverno is easier for YAML users, Gatekeeper is more flexible with Rego, and PSA is simple and requires no additional installation.
Summary
OPA Gatekeeper is a powerful and flexible policy engine for Kubernetes that helps you enforce security, compliance, and operational best practices. It works as an admission webhook that checks every request to create or update resources against custom policies written in the Rego language. You define the policy logic in a ConstraintTemplate and apply it to specific namespaces or resource types using a Constraint.
Gatekeeper can also audit existing resources to find violations. For certification exams like the CKS, you need to know how to install Gatekeeper, write Rego policies, create Constraints, and troubleshoot common issues. Avoid mistakes like confusing templates with constraints, forgetting to apply both, or assuming policies affect existing resources immediately.
Remember that Gatekeeper is just one tool in the Kubernetes security ecosystem, but it is essential for organizations that need fine-grained control and auditability. By mastering OPA Gatekeeper, you gain a key skill for securing Kubernetes clusters in production and passing security-focused certifications.