kubernetes - Why do we need OPA Gatekeeper?

Tags: kubernetes controls open-policy-agent

I am trying to understand what OPA (Open Policy Agent) is and what its use cases are; I am still at the basics. While reading an OPA article I came across OPA Gatekeeper, but I am not clear on why we need this OPA Gatekeeper. Can we use it to audit various policies in Kubernetes, such as Pod scheduling, cluster placement, authorization and so on? Or is it specific to the Kubernetes admission control stage only?

Best answer

According to the official documentation:

Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA).

Validating Admission Control

Once all the Gatekeeper components have been installed in your cluster, the API server will trigger the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted.

Audit

The audit functionality enables periodic evaluations of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Gatekeeper stores audit results as violations listed in the status field of the relevant Constraint. By default, the audit will request each resource from the Kubernetes API during each cycle of the audit.

To answer your question briefly: Gatekeeper is designed to handle the admission scenario and the audit of replicated resources.

Source:

Let me know if this helps.

A similar question to "kubernetes - Why do we need OPA Gatekeeper?" was found on Stack Overflow: https://stackoverflow.com/questions/61770352/
