OPA Gatekeeper Policies

By Cloudsecops Inc

Learn about OPA Gatekeeper Policies. Each scenario is based on a specific OPA Gatekeeper policy use case, explaining the policy being implemented and why an organization needs it.

OPA Gatekeeper

Enforce policies using OPA Gatekeeper

Prohibit hostNetwork

A policy to prevent the usage of hostNetwork

Require Trusted Image Repos

A policy to restrict image use to trusted repos only

Block "latest" Image Tag

A policy to prevent using images with the latest tag

Prohibit Unauthorized ConfigMap Volumes

A policy to prevent the use of unauthorized ConfigMap volumes

Deny Privileged Containers

A policy to deny the use of privileged containers

Encrypted Storage Class

A policy to ensure that the StorageClass is encrypted

Allow privilege escalation

A policy to make sure privilege escalation is allowed

Deny Retain Reclaim Policy

A policy to deny a reclaim policy of type Retain

Prohibit Service Account Namespaces

A policy to limit the creation of service accounts to specific namespaces.

Restrict Users who can Manage Roles and Cluster Roles

A policy to allow only specific users to manage Roles and ClusterRoles.

Block Wildcard in RBACs

A policy to prevent the use of wildcards in RBAC rules

Restrict Ingress/Egress IP CIDR Ranges in NetworkPolicies

A policy to deny any ingress/egress access to any IP or IP CIDR range except the ones that are explicitly allowed

Restrict Egress Label Selectors in NetworkPolicies

A policy to deny any egress access for the web-server other than to the pods that match the label 'app: mysql'

Restrict Namespace and Pod Selectors in NetworkPolicies

A policy to prevent applying a NetworkPolicy to a pod in a certain namespace

Restrict Ingress/Egress Ports in NetworkPolicies

A policy that denies ingress/egress access to the web server pod on any port other than the allowed ports

Enforce Namespace Restrictions

A policy to enforce namespace restrictions for NetworkPolicy

OPA Policy Playground

Have fun playing with your own OPA policies
