Using Both Constraints & OPA ConfigMap Rules #470
I'm looking into implementing Gatekeeper in order to leverage the PodSecurityPolicy policies, but already have a hundred or so OPA rules defined in ConfigMaps. I'll likely migrate some of these over to Gatekeeper to facilitate better parameterization, but that will take some time. Is it possible to run with some rules in Constraints / ConstraintTemplates via Gatekeeper, while maintaining my existing OPA rules in ConfigMaps? Are there any issues that could pop up with that kind of setup?
Hi @ChuckQuinnIV!
You can configure as many validating admission controllers as you want, using OPA, Gatekeeper and/or something else entirely. Only downside I can think of is the added complexity of having to manage multiple solutions (with different ways to fetch policy, log decisions, and so on), and of course the extra latency added by each webhook.
If you already have "plain" OPA configured for validating admission control, could the Gatekeeper PSP policies not be ported for evaluation in that context without too much effort, assuming they're both Rego? If that's not the case, running both doesn't seem too controversial to me.
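
The porting suggested in the reply above, sketched as an added example; it is not part of the original discussion and is not code from OPA or Gatekeeper. It assumes a plain-OPA setup whose main policy collects `deny` messages from a `kubernetes.admission` package, uses a simplified privileged-container rule, and introduces a hypothetical `exempt_namespaces` set; it is written in pre-1.0 Rego syntax (no `if`/`contains` keywords).

```rego
# Plain-OPA port of a Gatekeeper-style "no privileged containers" rule.
#
# Gatekeeper form (Rego inside a ConstraintTemplate), for comparison:
#
#   violation[{"msg": msg}] {
#       c := input.review.object.spec.containers[_]
#       c.securityContext.privileged
#       msg := sprintf("Privileged container is not allowed: %v", [c.name])
#   }
#
# What changes when the rule is evaluated by plain OPA:
#   - input.review.*  -> input.request.*  (OPA receives the AdmissionReview)
#   - violation[{"msg": msg}] -> deny[msg] (assumed convention of the main policy)
#   - input.parameters has no equivalent: values a Constraint supplied must
#     live in the policy itself or in a data document
#   - the Constraint's match block (kinds, namespaces) becomes explicit
#     conditions in the rule body
package kubernetes.admission

# Hypothetical: namespaces a Constraint would have excluded through match.
exempt_namespaces := {"kube-system"}

deny[msg] {
    input.request.kind.kind == "Pod"
    not exempt_namespaces[input.request.namespace]
    c := pod_containers[_]
    c.securityContext.privileged
    msg := sprintf("Privileged container is not allowed: %v", [c.name])
}

# Check init containers as well as regular containers, so a privileged
# init container cannot slip past the rule.
pod_containers[c] {
    c := input.request.object.spec.containers[_]
}

pod_containers[c] {
    c := input.request.object.spec.initContainers[_]
}
```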