Docs Menu
Docs Home
MongoDB Enterprise Kubernetes Operator

Apply OPA Gatekeeper Policies

On this page

  • Control Your Deployments with Gatekeeper Policies

To control, audit, and debug your production deployments, you can use policies for the Gatekeeper Open Policy Agent (OPA). Gatekeeper contains CustomResourceDefinitions for creating and extending deployment constraints through the constraint templates.

The Kubernetes Operator offers a list of Gatekeeper policies that you can customize and apply to your deployments.

Each Gatekeeper policy consists of:

  • <policy_name>.yaml file

  • constraints.yaml file that is based on the constraint template

You can use binary and configurable Gatekeeper policies:

  • Binary policies allow or prevent specific configurations, such as preventing deployments that don't use TLS, or deploying only specific MongoDB or Ops Manager versions.

  • Configurable policies allow you to specify configurations, such as the total number of replica sets that will be deployed for a specific MongoDB or Ops Manager custom resource.

To use and apply Gatekeeper sample policies with the Kubernetes Operator:

  1. Install the OPA Gatekeeper on your Kubernetes cluster.

  2. Review the list of available constraint templates and constraints:

    kubectl get constrainttemplates
    kubectl get constraints
  3. Navigate to the policy directory, select a policy from the list and apply it and its constraints file:

    cd <policy_directory>
    kubectl apply -f <policy_name>.yaml
    kubectl apply -f constraints.yaml
  4. Review the Gatekeeper policies that are currently applied:

    kubectl get constrainttemplates
    kubectl get contstraints

The Kubernetes Operator offers the following sample policies in this OPA examples GitHub directory:

Policy Description
Blocks all MongoDB and Ops Manager resources. This allows you to use the log output to craft your own policies. To learn more, see Gatekeeper Debugging.
Allows deploying only replica sets for MongoDB resources and prevents deploying sharded clusters.
Allows deploying only specific MongoDB versions.
Allows deploying only specific Ops Manager versions.
Allows using strict TLS mode for MongoDB deployments.
Allows deploying a specified number of Ops Manager replica set and Application Database members.
Allows installing Ops Manager in a non-interactive mode.
← Verify MongoDB Signatures