[opa] Gatekeeper to 3.0 MVP - Githubissues

Azure / container-upstream

This project captures work in progress, and completed work for the Azure Core Container Upstream team

MIT License

54 stars 28 forks source link

[opa] Gatekeeper to 3.0 MVP #35

Closed craiglpeters closed 5 years ago

craiglpeters commented 5 years ago

https://docs.google.com/document/d/1EPb3zg-hknAK7WqYh96XIXCEXG9mQqr_Cqn8VuEGoLI/edit#heading=h.6c6ba7tmtfdm

Minimum Feature Set We believe the following minimum feature set will be best to have:

Kubernetes integration
- Validate admission control
- Audit
- CRD representation of library and instances
- Replicate k8s data into OPA
- Cache data provided to the system where the caller can provide hints on how to interpret the data (e.g. Kubernetes API Server, GCP)
  - only one data source per target necessary for MVP
Library API on OPA
- Ability to write ConstraintTemplates/Constraints
- Support of multiple targets, where a target:
  - Scopes the behavior of matching_constraints
  - Scopes the behavior of iterator helpers that enable audit
  - Allows for some variance in ConstraintTemplate/Constraint schema that can be defined by the caller (see our documentation on TargetHandler for what we think this might look like)
- A library of say 20 Kubernetes templates covering Workloads, Networks, Configuration, and Storage
  - The libraries Forseti would use to integrate would also be useful for writing the Admission Controller and writing them will make sure we don't code ourselves into a k8s-specific corner
Upgrade path for existing users

ritazh commented 5 years ago

[x] kubecon talk
[x] Rejeks talk
[ ] blog post
[ ] more tests