Gatekeeper 3.1: Policy-as-Code in Production
K8s Guru

Introduction
On May 21, 2020, the Open Policy Agent community released Gatekeeper 3.1.0, elevating policy-as-code with mutation support, curated templates, and faster audits tailored for production clusters.
Mutation Webhook (Alpha)
- Mutation policies can inject defaults, add sidecars, or set labels during admission: the request has already reached the API server and passed authentication and authorization, and the mutation is applied before the object is persisted. Mutation does not run "before the API server"; it runs inside the API server's admission chain.
- Roll policies out in stages rather than enforcing on day one: set enforcementAction: dryrun on a Constraint (violations are recorded by the audit controller but requests are admitted), review the audit results, then switch to deny.
- Mutation complements Constraint validation: a mutator can supply a safe default (for example a seccomp profile) so that a validating constraint requiring that field stops blocking otherwise compliant workloads. The feature is alpha and must be enabled explicitly; check the release notes of the version you actually deploy for the mutation CRDs before depending on it.
Constraint Templates Library
- Community Catalog: Prebuilt templates now cover image provenance, network policies, Pod security, and cost labeling.
- Versioned Artifacts: Templates ship with semantic versioning and documentation links, easing reviews.
- kubectl plugin: kubectl gatekeeper modify streamlines applying or updating templates from Git.
Audit & Performance Enhancements
- Audit controller parallelizes evaluations across namespaces, cutting runtimes on large clusters by up to 5x.
- Status conditions on Constraint resources surface violation counts, last run, and remediation hints.
- Metrics export violation density and evaluation latency for Prometheus/Grafana dashboards.
Getting Started
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.1.0/deploy/gatekeeper.yaml
kubectl apply -f templates/k8srequiredlabels.yaml
kubectl apply -f constraints/namespace-must-have-owner.yaml
Enable mutation:
kubectl apply -f mutation/required-default-seccomp.yaml
Summary
| Aspect | Details |
|---|---|
| Release Date | May 21, 2020 |
| Headline Features | Mutation webhook, template catalog, audit performance |
| Why it Matters | Brings opinionated, scalable guardrails to Kubernetes without slowing delivery |
Gatekeeper 3.1 equips platform security teams to codify policies, apply safe defaults, and audit continuously across sprawling clusters.