Why do we need OPA Gatekeeper?
I am trying to understand what OPA (Open Policy Agent) is and what its use cases are; I am at a basic stage. While reading an article on OPA I came across OPA Gatekeeper, but I am not clear on why we need this OPA Gatekeeper. Can we use it to audit various policies in Kubernetes, such as pod scheduling, cluster placement, authorization, etc., or is it specific only to the Kubernetes admission control stage?
According to the official documentation:
Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster's state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA).
Validating Admission Control
Once all the Gatekeeper components have been installed in your cluster, the API server will trigger the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted.
Audit
The audit functionality enables periodic evaluations of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Gatekeeper stores audit results as violations listed in the status field of the relevant Constraint. By default, the audit will request each resource from the Kubernetes API during each cycle of the audit.
And to answer your question briefly: Gatekeeper is designed to handle the admission scenario and the auditing of replicated resources.
Source:
Let me know if that helps.