{"id":13492106,"url":"https://github.com/open-policy-agent/gatekeeper-library","last_synced_at":"2025-05-14T20:03:12.792Z","repository":{"id":37601391,"uuid":"191437603","full_name":"open-policy-agent/gatekeeper-library","owner":"open-policy-agent","description":"📚 The OPA Gatekeeper policy library","archived":false,"fork":false,"pushed_at":"2025-04-05T04:32:40.000Z","size":9666,"stargazers_count":671,"open_issues_count":21,"forks_count":336,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-04-06T11:05:19.618Z","etag":null,"topics":["cncf","gatekeeper","hacktoberfest","kubernetes","opa","policy","policy-library"],"latest_commit_sha":null,"homepage":"https://open-policy-agent.github.io/gatekeeper-library","language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/open-policy-agent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-11T19:34:50.000Z","updated_at":"2025-04-02T17:04:55.000Z","dependencies_parsed_at":"2023-12-18T22:37:49.231Z","dependency_job_id":"1475b25b-65f9-4108-8d71-bafe462a79c7","html_url":"https://github.com/open-policy-agent/gatekeeper-library","commit_stats":{"total_commits":367,"total_committers":70,"mean_commits":5.242857142857143,"dds":0.6512261580381471,"last_synced_commit":"52cb14a2ef7a9d06908e1543524f283290b8b4f4"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fgatekeeper-library","tags_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fgatekeeper-library/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fgatekeeper-library/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fgatekeeper-library/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/open-policy-agent","download_url":"https://codeload.github.com/open-policy-agent/gatekeeper-library/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248724585,"owners_count":21151560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cncf","gatekeeper","hacktoberfest","kubernetes","opa","policy","policy-library"],"created_at":"2024-07-31T19:01:03.158Z","updated_at":"2025-04-13T14:03:32.286Z","avatar_url":"https://github.com/open-policy-agent.png","language":"Open Policy Agent","funding_links":[],"categories":["Open Policy Agent","kubernetes","Real-world Examples"],"sub_categories":[],"readme":"# OPA Gatekeeper Library\n[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/gatekeeper-policies)](https://artifacthub.io/packages/search?repo=gatekeeper-policies)\n\nA community-owned library of policies for the [OPA Gatekeeper project](https://open-policy-agent.github.io/gatekeeper/website/docs/).\n\n## Validation and Mutation\nThe library consists of two main components: `Validation` and `Mutation`.\n- Validation: Gatekeeper can validate resources in the cluster against 
Gatekeeper validation policies, such as those defined in the library. The policies are defined as `ConstraintTemplates` and `Constraints`. `ConstraintTemplates` can be applied directly to a cluster, and `Constraints` are then applied to customize the policy to fit your specific needs.\n- Mutation: Gatekeeper can mutate resources in the cluster according to Gatekeeper mutation policies, such as those defined in the library. The mutation policies are only examples; they should be customized to meet your needs before being applied.\n\n## Usage\n\n### kustomize\n\nYou can use [kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/) to install some or all of the templates alongside your own constraints.\n\nFirst, create a `kustomization.yaml` file:\n\n```yaml\napiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\nresources:\n- github.com/open-policy-agent/gatekeeper-library/library\n# You can optionally install a subset by specifying a subfolder, or specify a commit SHA\n# - github.com/open-policy-agent/gatekeeper-library/library/pod-security-policy?ref=0c82f402fb3594097a90d15215ae223267f5b955\n- constraints.yaml\n```\n\nThen define your constraints in a file called `constraints.yaml` in the same directory. Example constraints can be found in the \"samples\" folders.\n\nYou can install everything with `kustomize build . 
| kubectl apply -f -`.\n\nMore information can be found in the [kustomization documentation](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/).\n\n### kubectl\n\nInstead of using kustomize, you can directly apply the `template.yaml` and `constraint.yaml` provided in each directory under `library/`.\n\nFor example:\n\n```bash\ncd library/general/httpsonly/\nkubectl apply -f template.yaml\nkubectl apply -f samples/ingress-https-only/constraint.yaml\nkubectl apply -f sync.yaml # optional: only needed when Gatekeeper runs with the OPA data cache (sync) enabled\n```\n\n## Testing\n\nThe `suite.yaml` files define test cases for each ConstraintTemplate in the library.\nChanges to gatekeeper-library ConstraintTemplates may be tested with the gator CLI:\n\n```bash\ngatekeeper-library$ gator verify ./...\n```\n\nThe gator CLI may be downloaded from the Gatekeeper\n[releases page](https://github.com/open-policy-agent/gatekeeper/releases).\n\n## How to contribute to the library\n\n### New policy\n\nIf you have a policy you would like to contribute, please submit a pull request.\nEach new policy should contain:\n\n* A constraint template named `src/\u003cpolicy-name\u003e/constraint.tmpl` with a `description` annotation and the parameter structure, if any, defined in `spec.crd.spec.validation.openAPIV3Schema`. The template is rendered using [gomplate](https://docs.gomplate.ca/).\n* One or more sample constraints, each with an example of an allowed (`example_allowed.yaml`) and disallowed (`example_disallowed.yaml`) resource under `library/\u003cpolicy-name\u003e/samples/\u003cpolicy-name\u003e`\n* `kustomization.yaml` and `suite.yaml` under `library/\u003cpolicy-name\u003e`\n* The Rego source, as `src.rego`, and unit tests, as `src_test.rego`, in the corresponding subdirectory under `src/\u003cpolicy-name\u003e`\n* [Versioning](https://docs.google.com/document/d/1IYiypA-mRcdfSVfmoeyuaeG8XtA1u4GkcqH3kEkv2uw/edit) has been introduced for Gatekeeper Library policies. 
Please make sure to add or bump the version of the policy as per the guidelines in the `src/\u003cpolicy-name\u003e/constraint.tmpl` annotation.\n  * Major version bump required: Whenever there is a breaking change in the policy, e.g. updating the template Kind, updating an existing parameter schema, adding the `requires-sync-data` annotation to sync new data, or any other breaking change\n  * Minor version bump required: Whenever there is a backward-compatible change in the policy, e.g. adding a parameter or updating Rego logic\n  * Patch version bump required: Whenever there is a simple backward-compatible change in the policy, e.g. a simple Rego fix or updating policy metadata\n  * Note: Sample constraints, mutations, and expansion templates are provided as examples, and changes to them do not require a version bump.\n\n### Development\n\n* policy code and tests are maintained in `src/\u003cpolicy-name\u003e/src.rego` and `src/\u003cpolicy-name\u003e/src_test.rego`\n* `make generate` will generate `library/\u003cpolicy-name\u003e/template.yaml` from `src/\u003cpolicy-name\u003e/src.rego` using [gomplate](https://docs.gomplate.ca/).\n* `make generate-website-docs` will generate the markdown files required for the website.\n* `make generate-artifacthub-artifacts` will generate or update the artifact hub packages and the associated `artifacthub-pkg.yml` file under the `/artifacthub` directory.\n* `make generate-all` will generate all artifacts above.\n* `make validate` will run validation checks on the library repo. 
Currently it validates the directory structure of the `website/docs` directory.\n* `make unit-test` will run all unit tests in the scripts directory.\n* run all tests with `./test.sh`\n* run the tests of a single policy with `opa test src/\u003cfolder\u003e/src.rego src/\u003cfolder\u003e/src_test.rego --verbose`\n* print intermediate values while debugging with `trace(sprintf(\"%v\", [thing]))`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-policy-agent%2Fgatekeeper-library","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopen-policy-agent%2Fgatekeeper-library","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-policy-agent%2Fgatekeeper-library/lists"}
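The README above describes the `src/<policy-name>/src.rego` plus `src_test.rego` layout and the `opa test ... --verbose` loop without showing what such a policy looks like. The following is an added, constructed example written for this page; it is not a policy from gatekeeper-library, and the package name `k8srunasnonroot`, the `exemptImages` parameter and all Pod contents are assumptions. It shows the two things a library policy has to get right: the `violation[...]` rule reads the admission object from `input.review.object` and its constraint parameters from `input.parameters`, and the unit tests drive it by overriding `input` with `with`. The policy checks `securityContext.runAsNonRoot`, honouring the Kubernetes precedence rule that a container-level value overrides the Pod-level one (so an explicit `false` on a container is not rescued by `true` on the Pod) and tolerating a missing `securityContext` via `object.get`. Policy and tests share one package, so the block runs as a single file with `opa test --verbose`; in the library layout the tests below the marker go into `src_test.rego`. It uses the Rego v0 syntax the library's templates use, so on OPA 1.0 and later the assumption is that `--v0-compatible` is passed.

```rego
# Constructed example for this page; not a gatekeeper-library policy.
# Layout mirrors src/<policy-name>/src.rego with src_test.rego appended.
package k8srunasnonroot

# A container is in violation unless it, or by inheritance its Pod, sets
# securityContext.runAsNonRoot: true, and its image is not on the exempt list.
violation[{"msg": msg, "details": {"container": c.name}}] {
    c := input_containers[_]
    not is_exempt(c)
    not runs_as_non_root(c)
    msg := sprintf("container <%v> must set securityContext.runAsNonRoot: true", [c.name])
}

# Init containers run code too, so both lists are checked.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

# Kubernetes precedence: a container-level runAsNonRoot overrides the Pod
# level. object.get keeps the rule defined when securityContext is absent.
runs_as_non_root(c) {
    pod_sc := object.get(input.review.object.spec, "securityContext", {})
    pod_default := object.get(pod_sc, "runAsNonRoot", false)
    container_sc := object.get(c, "securityContext", {})
    object.get(container_sc, "runAsNonRoot", pod_default) == true
}

# Hypothetical constraint parameter: exemptImages is a list of image-name
# prefixes. When the constraint sets no parameters, nothing is exempt.
is_exempt(c) {
    prefix := input.parameters.exemptImages[_]
    startswith(c.image, prefix)
}

# ---- unit tests (src_test.rego in the library layout; same package) ----

# Builds the review shape Gatekeeper hands to the policy; constructed data.
review(containers, pod_sc) = r {
    r := {"object": {
        "kind": "Pod",
        "metadata": {"name": "test-pod", "namespace": "default"},
        "spec": {"containers": containers, "securityContext": pod_sc}
    }}
}

app(sc) = c {
    c := {"name": "app", "image": "example.com/app:1.0", "securityContext": sc}
}

test_container_level_true_allowed {
    results := violation with input as {"review": review([app({"runAsNonRoot": true})], {})}
    count(results) == 0
}

test_pod_level_true_inherited {
    inp := {"review": review([{"name": "app", "image": "example.com/app:1.0"}], {"runAsNonRoot": true})}
    results := violation with input as inp
    count(results) == 0
}

test_container_false_overrides_pod_true {
    inp := {"review": review([app({"runAsNonRoot": false})], {"runAsNonRoot": true})}
    results := violation with input as inp
    count(results) == 1
}

test_unset_everywhere_denied {
    inp := {"review": review([{"name": "app", "image": "example.com/app:1.0"}], {})}
    results := violation with input as inp
    count(results) == 1
    results[_].details.container == "app"
}

test_init_container_checked {
    inp := {"review": {"object": {"kind": "Pod", "spec": {
        "containers": [app({"runAsNonRoot": true})],
        "initContainers": [{"name": "init", "image": "example.com/init:1"}]
    }}}}
    results := violation with input as inp
    count(results) == 1
    results[_].details.container == "init"
}

test_exempt_prefix_skips_container {
    inp := {
        "review": review([{"name": "agent", "image": "registry.internal/exempt/agent:2"}], {}),
        "parameters": {"exemptImages": ["registry.internal/exempt/"]}
    }
    results := violation with input as inp
    count(results) == 0
}
```

To fit the contribution layout, the policy part would live in `src/runasnonroot/src.rego`, the tests in `src/runasnonroot/src_test.rego`, and the `exemptImages` parameter would be declared in `spec.crd.spec.validation.openAPIV3Schema` of the accompanying `constraint.tmpl` so that `make generate` renders the `template.yaml`. The container-overrides-Pod test is the one worth keeping when adapting this: a naive `c.securityContext.runAsNonRoot` check that falls back to the Pod on any undefined value silently passes a container that explicitly opts back into root.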