I am trying to understand what OPA (Open Policy Agent) is and its use cases, and I'm at the basic stage. When I was reading an OPA article I got to know about OPA Gatekeeper, but I don't have a clear understanding of why we need OPA Gatekeeper. Can we use this for auditing all kinds of policies in Kubernetes like Pod scheduling, cluster placement, authorization etc., or is it only specific to the Kubernetes admission control phase?
According to the official docs:
Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA).
Validating Admission Control
Once all the Gatekeeper components have been installed in your cluster, the API server will trigger the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted.
Audit
The audit functionality enables periodic evaluations of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Gatekeeper stores audit results as violations listed in the status field of the relevant Constraint. By default, the audit will request each resource from the Kubernetes API during each cycle of the audit.
And to answer your questions in short: Gatekeeper is designed to take care of both the admission scenario and the audit of the replicated resources.
Sources:
Please let me know if that helped.