Gatekeeper 3.5: Policy Enforcement Evolution

K8s Guru
2 min read

Introduction

Gatekeeper 3.5 — Policy Enforcement Evolution — was released on June 15, 2021.

Policy usually becomes urgent the first time you need to stop a risky manifest from shipping — or when you’re trying to make standards repeatable across teams.

Gatekeeper 3.5 concentrates on three areas: more reliable mutation of resources at admission time, a larger library of constraint templates, and lower latency for policy decisions on busy clusters.


Mutation Enhancements

  • Mutation stability improvements make resource modification at admission time more reliable.
  • Mutation ordering makes the application of several mutation policies to the same object predictable.
  • Dry-run support lets you preview what a mutation would change without modifying the stored resource.
  • Error handling improvements give clearer feedback when a mutation fails to apply.
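As an added example (not from the original post and not the Gatekeeper project's own manifest), here is a mutation that defaults allowPrivilegeEscalation to false on every container of a Pod unless the manifest already sets it. The pathTests clause is what keeps the mutation from overriding an explicit value; the policy name, the excluded namespace and the match scope are assumptions for illustration.

```yaml
# Added example: default allowPrivilegeEscalation=false on Pod containers.
# Uses the Assign kind from the mutations.gatekeeper.sh/v1alpha1 API as it
# shipped in Gatekeeper 3.x; the name, match scope and excluded namespace
# below are illustrative assumptions.
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: default-no-privilege-escalation
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # assumption: leave system workloads alone
  # [name:*] iterates over every container; missing intermediate objects
  # (securityContext) are created on the way to the leaf field.
  location: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    pathTests:
      # Only fill in the field when it is absent. A manifest that explicitly
      # sets true is left untouched, so this is a default, not an enforcement
      # control.
      - subPath: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
        condition: MustNotExist
    assign:
      value: false
```

Two practical points. First, the Kubernetes API server runs mutating webhooks before validating webhooks, so a constraint that forbids allowPrivilegeEscalation: true evaluates the mutated object; keep that constraint in place, because a manifest that sets the field explicitly is not changed by this Assign. Second, the location only covers spec.containers; init containers live under spec.initContainers and need a second Assign with the corresponding location.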

Template Library Expansion

  1. Community templates growth provides more pre-built policies for common use cases.
  2. Template validation improvements prevent misconfigurations with better error messages.
  3. Template versioning enables teams to manage policy template updates more effectively.
  4. Documentation expansion includes comprehensive guides for all template types.

Performance Improvements

  • Evaluation performance optimizations reduce latency for policy decisions.
  • Caching enhancements improve throughput for high-volume admission requests.
  • Resource usage optimizations reduce CPU and memory footprint.
  • Scalability improvements enable policy enforcement at larger cluster scales.

Operational Enhancements

  • Audit improvements provide better visibility into policy violations and enforcement actions.
  • Metrics expansion exposes detailed policy evaluation metrics for Prometheus.
  • Debugging tools improvements simplify troubleshooting policy issues.
  • Migration guides help teams upgrade from earlier Gatekeeper versions.

Getting Started

Install the pinned release manifest:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.5.0/deploy/gatekeeper.yaml

One caveat before relying on this as a control: the bundled manifest registers Gatekeeper's validating webhook with failurePolicy: Ignore, so if the gatekeeper-controller-manager pods are unavailable the API server admits requests without evaluating any constraint. Review that setting, and the namespaces the webhook exempts, as part of the rollout.

Policies come in two parts. A ConstraintTemplate declares a new constraint kind and carries the Rego that implements it; a Constraint of that kind then supplies parameters and the set of resources it applies to. Create the template first:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the parameters a Constraint of this kind may carry
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          # Build sets with comprehensions. If the object has no metadata.labels
          # at all, `provided` is the empty set and every required label is
          # reported missing. Assigning the labels map directly instead would be
          # undefined for such an object, the rule body would fail, and an
          # unlabelled object would be admitted.
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }
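The template alone enforces nothing; it only defines the K8sRequiredLabels kind. As an added example (not part of the original post), the Constraint below instantiates it. The label names, the kinds it matches, the excluded namespace and the choice to start in dryrun are illustrative assumptions.

```yaml
# Added example: a Constraint that instantiates the K8sRequiredLabels template.
# The label names, matched kinds, excluded namespace and enforcement action are
# illustrative assumptions.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: workloads-must-declare-owner
spec:
  # Start in dryrun: violations are recorded in the constraint's status by the
  # audit loop, but nothing is rejected. Switch to "deny" once the audit is clean.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
    excludedNamespaces: ["kube-system"]   # assumption: system workloads are exempt
  parameters:
    # Passed to the Rego as input.parameters.labels
    labels: ["owner", "team"]
```

While the constraint is in dryrun, `kubectl get k8srequiredlabels workloads-must-declare-owner -o yaml` shows the audit results under status.totalViolations and status.violations, which is the list to work through before flipping enforcementAction to deny. Note that the match covers workload controllers rather than Pods: labels on a Deployment are not automatically copied to the Pods it creates, so choose the level at which your teams actually set them.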

Summary

Aspect             Details
Release Date       June 15, 2021
Headline Features  Mutation enhancements, template library expansion, performance improvements
Why it Matters     Provides powerful policy-as-code capabilities with improved performance and usability

Gatekeeper 3.5 continues to evolve as a leading policy enforcement solution, providing teams with flexible, performant policy management for Kubernetes.