{"id":13408150,"url":"https://github.com/sighupio/gatekeeper-policy-manager","last_synced_at":"2026-04-02T14:46:58.518Z","repository":{"id":37207681,"uuid":"260045679","full_name":"sighupio/gatekeeper-policy-manager","owner":"sighupio","description":"A simple to use web-based OPA Gatekeeper policy manager","archived":false,"fork":false,"pushed_at":"2026-03-30T07:48:06.000Z","size":18172,"stargazers_count":326,"open_issues_count":19,"forks_count":38,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-03-30T09:37:10.820Z","etag":null,"topics":["dashboard","fury","gatekeeper","k8s","kubernetes","kustomize","opa","policies","rego","ui","web","webapp"],"latest_commit_sha":null,"homepage":"https://sighup.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sighupio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-29T21:04:51.000Z","updated_at":"2026-03-30T07:48:09.000Z","dependencies_parsed_at":"2023-10-03T14:16:31.580Z","dependency_job_id":"417cba51-3f92-4012-8b72-c642c33e3918","html_url":"https://github.com/sighupio/gatekeeper-policy-manager","commit_stats":null,"previous_names":[],"tags_count":79,"template":false,"template_full_name":null,"purl":"pkg:github/sighupio/gatekeeper-policy-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sighupio%2Fgatekeeper-policy-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/sighupio%2Fgatekeeper-policy-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sighupio%2Fgatekeeper-policy-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sighupio%2Fgatekeeper-policy-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sighupio","download_url":"https://codeload.github.com/sighupio/gatekeeper-policy-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sighupio%2Fgatekeeper-policy-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31308410,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dashboard","fury","gatekeeper","k8s","kubernetes","kustomize","opa","policies","rego","ui","web","webapp"],"created_at":"2024-07-30T20:00:51.062Z","updated_at":"2026-04-02T14:46:58.511Z","avatar_url":"https://github.com/sighupio.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","Kubernetes","Tools"],"sub_categories":["Built with Wasm","Others"],"readme":"\u003c!-- markdownlint-disable MD033 --\u003e\n\u003ch1\u003e\n    \u003cimg 
src=\"docs/assets/logo.svg\" align=\"left\" width=\"90\" style=\"margin-right: 15px\"/\u003e\n    Gatekeeper Policy Manager (GPM)\n\u003c/h1\u003e\n\u003c!-- markdownlint-enable MD033 --\u003e\n\n[![Build Status](https://ci.sighup.io/api/badges/sighupio/gatekeeper-policy-manager/status.svg)](https://ci.sighup.io/sighupio/gatekeeper-policy-manager)\n![GPM Release](https://img.shields.io/badge/GPM-v1.1.1-blue)\n![Helm Chart Release](https://img.shields.io/badge/Helm%20Chart-v0.4.1-blue)\n![License](https://img.shields.io/github/license/sighupio/gatekeeper-policy-manager)\n\n**Gatekeeper Policy Manager** is a simple *read-only* web UI for viewing the status of OPA Gatekeeper policies in a Kubernetes cluster.\n\nThe target Kubernetes cluster can be the same one where GPM is running or some other [remote cluster(s) using a `kubeconfig` file](#multi-cluster-support). You can also run GPM [locally on a client machine](#running-locally) and connect to a remote cluster.\n\nGPM can display all the defined **Constraint Templates** with their Rego code, all the Gatekeeper Configuration CRDs, and all the **Constraints** with their current status, violations, enforcement action, match definitions, etc.\n\n[You can see some screenshots below](#screenshots).\n\n## Requirements\n\nYou'll need OPA Gatekeeper running in your cluster and at least some constraint templates and constraints defined to take advantage of this tool.\n\n\u003e [!NOTE]\n\u003e You can easily deploy Gatekeeper to your cluster using the (also open source) [SIGHUP Distribution Policy Module](https://github.com/sighupio/module-policy).\n\n## Deploying GPM\n\n### Deploy using Kustomize\n\nTo deploy Gatekeeper Policy Manager to your cluster, apply the provided [`kustomization`](kustomization.yaml) file by running the following command:\n\n```shell\nkubectl apply -k .\n```\n\nBy default, this will create a deployment and a service, both with the name `gatekeeper-policy-manager`, in the `gatekeeper-system` namespace. 
We invite you to take a look at the `kustomization.yaml` file for further configuration.\n\n\u003e The app can be run as a Pod in a Kubernetes cluster or locally with a `kubeconfig` file. It will try its best to autodetect the correct configuration.\n\nOnce you've deployed the application, if you haven't set up an ingress, you can access the web UI using port-forward:\n\n```bash\nkubectl -n gatekeeper-system port-forward svc/gatekeeper-policy-manager 8080:80\n```\n\nThen access it with your browser at: [http://127.0.0.1:8080](http://127.0.0.1:8080)\n\n### Deploy using Helm\n\nIt is also possible to deploy GPM using the [provided Helm Chart](./chart).\n\nFirst create a values file, for example `my-values.yaml`, with your custom values for the release. See the [chart's readme](./chart/README.md) and the [default values.yaml](./chart/values.yaml) for more information.\n\nThen, execute:\n\n```bash\nhelm repo add gpm https://sighupio.github.io/gatekeeper-policy-manager\nhelm upgrade --install --namespace gatekeeper-system --set image.tag=v1.1.1 --values my-values.yaml gatekeeper-policy-manager gpm/gatekeeper-policy-manager\n```\n\n\u003e [!IMPORTANT]\n\u003e Don't forget to replace `my-values.yaml` with the path to your values file.\n\n## Running locally\n\nGPM can also be run locally using Docker and a `kubeconfig`. Assuming that the `kubeconfig` file you want to use is located at `~/.kube/config`, the command to run GPM locally would be:\n\n```bash\ndocker run -v ~/.kube/config:/home/gpm/.kube/config -p 8080:8080 quay.io/sighup/gatekeeper-policy-manager:v1.1.1\n```\n\nThen access it with your browser at: [http://127.0.0.1:8080](http://127.0.0.1:8080)\n\n\u003e You can also run the Flask app directly; see the [development section](#development) for further information.\n\n## Configuration\n\nGPM is a stateless application, but it can be configured using environment variables. 
The possible configurations are:\n\n| Environment Variable Name         | Description                                                                                                                                                                                                                       | Default                |\n| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |\n| `GPM_SECRET_KEY`                  | The secret key used to generate tokens. **Change this value in production**.                                                                                                                                                      | `g8k1p3rp0l1c7m4n4g3r` |\n| `KUBECONFIG`                      | Path to a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file, if provided while running inside a cluster this configuration file will be used instead of the cluster's API. |\n| `GPM_LOG_LEVEL`                   | Log level (see [python logging docs](https://docs.python.org/2/library/logging.html#levels) for available levels)                                                                                                                 | `INFO`                 |\n| `GPM_AUTH_ENABLED`                | Enable Authentication current options: \"Anonymous\", \"OIDC\"                                                                                                                                                                        | Anonymous              |\n| `GPM_PREFERRED_URL_SCHEME`        | URL scheme to be used while generating links.                                                                                                                                                      
                               | `http`                 |\n| `GPM_OIDC_REDIRECT_DOMAIN`        | The domain where GPM is running. This is where the client will be redirected after authenticating                                                                                                                                 |                        |\n| `GPM_OIDC_CLIENT_ID`              | The Client ID used to authenticate against the OIDC Provider                                                                                                                                                                      |                        |\n| `GPM_OIDC_CLIENT_SECRET`          | The Client Secret used to authenticate against the OIDC Provider (optional)                                                                                                                                                       |                        |\n| `GPM_OIDC_ISSUER`                 | OIDC Issuer hostname (required if OIDC Auth is enabled)                                                                                                                                                                           |                        |\n| `GPM_OIDC_AUTHORIZATION_ENDPOINT` | OIDC Authorization Endpoint (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also if setting this one)                                                |                        |\n| `GPM_OIDC_JWKS_URI`               | OIDC JWKS URI (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also if setting this one)                                                              |                        |\n| `GPM_OIDC_TOKEN_ENDPOINT`         | OIDC TOKEN Endpoint (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also 
if setting this one)                                                        |                        |\n| `GPM_OIDC_INTROSPECTION_ENDPOINT` | OIDC Introspection Endpoint (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also if setting this one)                                                |                        |\n| `GPM_OIDC_USERINFO_ENDPOINT`      | OIDC Userinfo Endpoint (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also if setting this one)                                                     |                        |\n| `GPM_OIDC_END_SESSION_ENDPOINT`   | OIDC End Session Endpoint (optional, setting this parameter disables the discovery of the rest of the provider configuration, set all the other values also if setting this one)                                                  |                        |\n\n\u003e [!WARNING]\n\u003e Please note that OIDC Authentication is in beta state. It has been tested to work with Keycloak as a provider.\n\u003e\n\u003e These environment variables are already provided and ready to be set in the [`manifests/enable-oidc.yaml`](manifests/enable-oidc.yaml) file.\n\n### Multi-cluster support\n\nGPM has multi-cluster support when using a `kubeconfig` with more than one context. GPM will let you choose the context right from the UI.\n\nIf you want to run GPM in-cluster but with multi-cluster support, it's as easy as mounting a `kubeconfig` file in GPM's pod(s) with the cluster access configuration and setting the environment variable `KUBECONFIG` to the path of the mounted `kubeconfig` file. Or you can simply mount it at `/home/gpm/.kube/config` and GPM will detect it automatically.\n\n\u003e [!NOTE]\n\u003e Please remember that the user for the clusters should have the right permissions. 
You can use the [`manifests/rbac.yaml`](manifests/rbac.yaml) file as a reference.\n\u003e\n\u003e Also note that the cluster where GPM is running should be able to reach the other clusters.\n\nWhen you run GPM locally, you are already using a `kubeconfig` file to connect to the clusters, so you should see all your defined contexts. You can switch between them easily from the UI.\n\n#### AWS IAM Authentication\n\nIf you want to use a `kubeconfig` with IAM authentication, you'll need to customize GPM's container image because the IAM authentication uses external AWS binaries that are not included by default in the image.\n\nYou can customize the container image with a `Dockerfile` like the following:\n\n```Dockerfile\n# Stage 1: fetch the aws-iam-authenticator binary (GitHub release downloads redirect, so follow them with --location)\nFROM curlimages/curl:7.81.0 as downloader\nRUN curl --fail --location https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.5/aws-iam-authenticator_0.5.5_linux_amd64 --output /tmp/aws-iam-authenticator\nRUN chmod +x /tmp/aws-iam-authenticator\n# Stage 2: add the binary to the GPM image so the kubeconfig's exec credential plugin can find it in PATH\nFROM quay.io/sighup/gatekeeper-policy-manager:v1.1.1\nCOPY --from=downloader --chown=root:root /tmp/aws-iam-authenticator /usr/local/bin/\n```\n\nYou may also need to add the `aws` CLI; you can use the same approach as above.\n\nMake sure that your `kubeconfig` has the `apiVersion` set to `client.authentication.k8s.io/v1beta1`.\n\nYou can read more [in this issue](https://github.com/sighupio/gatekeeper-policy-manager/issues/330).\n\n## Screenshots\n\n![welcome](screenshots/01-home.png)\n\n![Constraint Templates view](screenshots/02-constrainttemplates.png)\n\n![Constraint Templates view rego code](screenshots/03-constrainttemplates.png)\n\n![Constraint view](screenshots/04-constraints.png)\n\n![Constraint view 2](screenshots/05-constraints.png)\n\n![Constraint Report 3](screenshots/06-constraints.png)\n\n![Configurations view 2](screenshots/07-configs.png)\n\n![Cluster Selector](screenshots/08-multicluster.png)\n\n## Development\n\nGPM is written in Python using the Flask framework for the backend and React 
with Elastic UI and the Fury theme for the frontend.\n\nTo develop GPM, you'll need to create a Python 3 virtual environment, install all the dependencies specified in the provided `requirements.txt`, build the React frontend, and you are good to start hacking.\n\nThe following commands should get you up and running:\n\n```bash\n# Build frontend and copy over to static folder\n$ pushd app/web-client\n$ yarn install \u0026\u0026 yarn build\n$ cp -r build/* ../static-content/\n$ popd\n# Create a virtualenv\n$ python3 -m venv env\n# Activate it\n$ source ./env/bin/activate\n# Install all the dependencies\n$ pip install -r app/requirements.txt\n# Run the development server\n$ FLASK_APP=app/app.py FLASK_ENV=development flask run\n```\n\nIf you want to test changes to the frontend live, make sure the backend is running (see above) and then run the frontend using `yarn`:\n\n```bash\ncd app/web-client\nyarn start\n```\n\nA browser window should open. If the React application can't reach the backend, check that the `.env` file points to the right backend endpoint (`REACT_APP_LOCAL_GPM_SERVER_URL`).\n\n\u003e [!TIP]\n\u003e Access to a Kubernetes cluster with OPA Gatekeeper deployed is recommended to debug the application.\n\u003e\n\u003e You'll need an OIDC provider to test the OIDC authentication. You can use the SIGHUP Distribution [Keycloak add-on module](https://github.com/sighupio/add-on-keycloak).\n\n## Roadmap\n\nThe following is a wishlist of features that we would like to add to GPM (in no particular order):\n\n- [x] List the constraints that are currently using a `ConstraintTemplate`\n- [ ] Polished OIDC authentication\n- [ ] LDAP authentication\n- [x] Better syntax highlighting for the Rego code snippets\n- [x] Root-less docker image\n- [x] Multi-cluster view\n- [ ] Minimal write capabilities?\n- [ ] Rewrite app in Golang? 
(WIP in the `feature/go-backend` branch)\n\nPlease let us know if you are using GPM and what features you would like to have by creating an issue here on GitHub 💪🏻\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsighupio%2Fgatekeeper-policy-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsighupio%2Fgatekeeper-policy-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsighupio%2Fgatekeeper-policy-manager/lists"}