Clone or download https://github.com/papivot/argocd-gitops-tanzu/tree/main/gatekeeper
❯ kubectl vsphere login --server=SERVER_IP --tanzu-kubernetes-cluster-namespace=NAMESPACE --tanzu-kubernetes-cluster-name=CLUSTER_NAME [email protected] --insecure-skip-tls-verify
❯ kubectl apply -f gatekeeper.yaml
❯ kubectl get po -n gatekeeper-system
NAME READY STATUS RESTARTS AGE
gatekeeper-audit-6d588687dd-rbz2d 1/1 Running 1 (48s ago) 52s
gatekeeper-controller-manager-5d7465bfb7-btj7h 1/1 Running 0 52s
gatekeeper-controller-manager-5d7465bfb7-m927k 1/1 Running 0 52s
gatekeeper-controller-manager-5d7465bfb7-nnszk 1/1 Running 0 52s
If the pods are all running, you are good. If you hit Docker Hub rate-limit issues, relocate the openpolicyagent/gatekeeper image to your local Harbor registry and run the following so the deployment references your copy instead of Docker Hub's:
# ensure you edit kustomization.yaml to point to your own image https://github.com/papivot/argocd-gitops-tanzu/blob/main/gatekeeper/kustomization.yaml#L10
# a kustomization.yaml is applied with -k against its directory, not with -f (the Kustomization kind is not a server-side resource)
❯ kubectl apply -k .
❯ kubectl apply -f mutation-psa-policy.yaml
# the mutation only fires when a namespace is created or updated, so label the namespaces that already exist
❯ kubectl label --overwrite ns --all pod-security.kubernetes.io/enforce=privileged
## create a new namespace
$ kubectl create ns demo
$ kubectl get ns demo -oyaml
# you should see `pod-security.kubernetes.io/enforce: privileged` among the namespace labels
$ kubectl run nginx --image=nginx:1.25.1 -n demo
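A Gatekeeper Assign mutation of the shape the steps above rely on, written here as an added example: it is not the repository's mutation-psa-policy.yaml, whose exact contents this page does not show, and the resource name and the value are assumptions. It sets the Pod Security Admission label on every Namespace object that is created or updated after the policy exists, which is why the earlier step labels pre-existing namespaces by hand. Note that `privileged` is the least restrictive PSA level (nothing is blocked); `baseline` or `restricted` is the usual default on a hardened cluster.

```yaml
# Added example: an Assign mutation that stamps the PSA enforce label on Namespaces.
# Not the repository's own file; names and the chosen level are assumptions.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: namespace-psa-enforce   # assumed name
spec:
  # The object kinds this mutation may modify (core group, v1 Namespace).
  applyTo:
    - groups: [""]
      kinds: ["Namespace"]
      versions: ["v1"]
  # Which admission requests trigger it: cluster-scoped Namespace objects.
  match:
    scope: Cluster
    kinds:
      - apiGroups: ["*"]
        kinds: ["Namespace"]
  # Label keys containing '.' or '/' must be double-quoted in the location path.
  location: 'metadata.labels."pod-security.kubernetes.io/enforce"'
  parameters:
    assign:
      # privileged = PSA enforces nothing; prefer baseline or restricted where workloads allow.
      value: privileged
```

After applying it, `kubectl create ns demo` followed by `kubectl get ns demo --show-labels` should show the label without any manual `kubectl label` step.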