Manifest Structure for Gatekeeper Constraint Templates & Templates for Treasuremap

[lb4368]

Problem description
With the delivery of the Gatekeeper manifest function (#167), we will begin to define policy constraint templates and associated constraint instances for policies to be enforced within treasuremap or for use within downstream sites. Would like to come up with a manifest structure for organizing these separate from the Gatekeeper install function itself and delivering these during site deployment.

Proposed change

1. Determine how we manage constraint templates in treasuremap manifests. There is a sample library here.
2. Determine how we manage constraint definitions (instances of constraint templates in treasuremap manifests.
3. Determine manifest phase(s) for delivery of Gatekeeper install, constraint templates, and constraints into a site type
4. Consider downstream definition of constraints. Presumably, downstream can just define their own and include in appropriate phase(s).

[lb4368]

Notes from 6/15/21 design meeting:

Definition of the Policy == Constraint Template

e.g. https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/users/template.yaml
e.g. https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/users

manifests/function/gatekeeper/policies/
manifests/function/gatekeeper/policies/<policy-name>
manifests/function/gatekeeper/policies/<policy-name>/
manifests/function/gatekeeper/policies/<policy-name>/kustomization.yaml
manifests/function/gatekeeper/policies/<policy-name>/template.yaml

Instance of a Policy == Constraint

e.g https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/constraint.yaml

manifests/function/gatekeeper/policies/instances/
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/kustomization.yaml
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/constraint.yaml
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/replacements/… || TBD if we use catalogue info for defining the constraints

How do we define a collection of policies as a group that menas something. e.g. PodSecurityPolicy

    manifests/composite/gatekeeper/<name of policy group>
    manifests/composite/gatekeeper/<name of policy group>/kustomization.yaml
    … Uses Instance of policy as resources.
    manifests/composite/gatekeeper/<name of policy group>/replacements/kustomization.yaml

When do we deliver the Policies

Will keep this as a TBD, expect we might need to deliver policies in multiple phases, yet to be determined.

[lb4368]

Some basic constraint templates that could be included from the Gatekeeper policy library (https://www.github.com/open-policy-agent/gatekeeper-library):

• https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/allowedrepos
• https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/containerlimits
• https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/imagedigests

[snehal1797]

Please assign this issue to me

[snehal1797]

As per discussion on 11/16/2021, Gatekeeper functionality is not required.