OPA Gatekeeper should be set as the admission controller. We'll do this by using the pre-built image. kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.2/deploy/gatekeeper.yaml

We can now move on to the next steps.

We have to apply the ConstraintTemplate and the Constraint.

ConstraintTemplate

The ConstraintTemplate has to be applied first. First, we have to open the file and uncomment the rego policy lines that have been commented out after going through the policy.

We can do this by removing the "#" before the start of each line.

For example,

#input.review.object.kind == "Pod" becomes input.review.object.kind == "Pod"

What the policy does

• It checks if the kind is "Pod".
• It stores the image name in a variable.
• Finally checks if the name ends with "latest" and if so, denies the deployment.

We will now apply the ConstraintTemplate.

kubectl apply -f template.yaml

Constraint

Lets look at the constraint.yaml before applying.

kubectl apply -f constraint.yaml

NOTE: If "no matches for kind" error comes when applying the Constraint file, try the following fixes:

• Make sure all the rego policy lines have been uncommented.
• Apply the template.yaml and the constraint.yaml again.
• If the error still persists, try applying the constraint.yaml again after a couple of minutes.

We'll check if the policy is working as intended.

violation.yaml

Take a look at the deployment-violation.yaml file before applying.

kubectl apply -f deployment-violation.yaml

This will get denied as the image is tagged as "latest".

non-violation.yaml

Take a look at the deployment-non-violation.yaml before applying.

kubectl apply -f deployment-non-violation.yaml

This will not get denied as the image is not tagged as "latest".