On Nov 4, 2021, I had the chance to speak at the Kubernetes Community Days, DC Edition event! It was a great opportunity to share some behind-the-scenes on how we use Gatekeeper and OPA to provide additional policy control over who can do what within our clustered environments.
While Kubernetes has a rich feature-set with RBAC and namespaces, it still falls short in making a multi-tenant solution possible out-of-the-box. How do you protect teams from each other without simply taking all of the control from them? For example, how do you prevent a team from defining an Ingress object that takes the traffic from another? Or how do you prevent teams from creating additional LoadBalancer services? Fortunately, Gatekeeper has come to the rescue!
In this talk, we'll talk about admissions controllers and how Gatekeeper can solve these problems. We'll go over the Rego language (which takes some time to wrap your head around) and provide several examples of how Virginia Tech is using Gatekeeper to support multi-tenancy. While policy enforcement sounds scary, it certainly doesn't have to be!
- Google Slides - link to the slidedeck used during the presentation
- Gatekeeper/Landlord demo - link to the repo that contains a Gatekeeper sample using a "landlord" Helm chart very similar (but simplified) to the one we use in our platform