Summary
Add Gatekeeper as an optional deployable AICR recipe component.
This is sub-issue 1 from #860. It covers only the deployable Gatekeeper admission controller path and intentionally leaves policy bundles, gator, validator integration, and conformance evidence to separate follow-up work.
Related PR: #821
Parent epic: #860
Scope
- Register Gatekeeper in `recipes/registry.yaml` as an optional Helm component.
- Add deterministic Helm values under `recipes/components/gatekeeper/values.yaml`.
- Add a `policy-gatekeeper` recipe mixin so recipes can opt in without changing base overlays.
- Add a Chainsaw health check that verifies the Gatekeeper controller-manager and audit deployments exist and have available replicas.
- Wire system-tier node selector and toleration paths for Gatekeeper workloads.
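As an added illustration of the scope items above (this is not the values file from the linked PR), here is what a deterministic, system-tier-pinned `values.yaml` for the component could look like. The top-level keys (`replicas`, `controllerManager`, `audit`, `validatingWebhookFailurePolicy`) are the upstream Gatekeeper chart's own; the `node-role.aicr.example/system` label, taint and namespace list are placeholders and not defined anywhere on this page.

```yaml
# Added example: recipes/components/gatekeeper/values.yaml (hypothetical content).
# Every value is pinned explicitly so that generated bundles are byte-for-byte
# reproducible between runs of the recipe tooling.

replicas: 1            # single controller-manager replica; bump deliberately per recipe
auditInterval: 60      # seconds between audit passes

# Conservative admission default: if the webhook is unreachable, let requests
# through rather than blocking the cluster (the upstream chart default).
validatingWebhookFailurePolicy: Ignore

# Placeholder system-tier scheduling. The label/taint key is an assumption;
# substitute the recipe's real system-node key.
controllerManager:
  nodeSelector:
    node-role.aicr.example/system: "true"
  tolerations:
    - key: node-role.aicr.example/system
      operator: Equal
      value: "true"
      effect: NoSchedule

audit:
  nodeSelector:
    node-role.aicr.example/system: "true"
  tolerations:
    - key: node-role.aicr.example/system
      operator: Equal
      value: "true"
      effect: NoSchedule
```

Because the controller-manager and audit deployments are configured by separate chart sections, the node selector and toleration must be repeated under both `controllerManager` and `audit`; setting only one leaves the other workload unpinned.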
Out of Scope
- Shipping AI/GPU `ConstraintTemplate` or `Constraint` bundles.
- Running `gator policy` from `aicr validate`.
- Capturing Gatekeeper or `gator` results as AICR conformance evidence.
- Enabling Gatekeeper by default in base overlays.
- Defining enforcement-mode defaults for future workload policies.
Acceptance Criteria
- A recipe can opt in to Gatekeeper through an explicit mixin or component reference.
- Base overlays remain unchanged and do not install Gatekeeper by default.
- Generated bundles include the Gatekeeper Helm chart with pinned chart metadata and deterministic values.
- System-node scheduling overrides apply to Gatekeeper controller-manager and audit workloads.
- Health validation catches missing or unavailable Gatekeeper deployments.
- `make qualify` passes.
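The health-validation criterion above, as an added example of the Chainsaw check the scope describes (this is not the test from the linked PR). It assumes the chart's default deployment names `gatekeeper-controller-manager` and `gatekeeper-audit` in the `gatekeeper-system` namespace, and uses Chainsaw's JMESPath assertion syntax so that a deployment with zero available replicas (where Kubernetes omits `status.availableReplicas` entirely) fails the check rather than passing vacuously.

```yaml
# Added example: Chainsaw test asserting Gatekeeper deployments exist and are available.
# Deployment names and namespace are the upstream chart defaults (assumption).
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  name: gatekeeper-health
spec:
  steps:
    - name: gatekeeper-deployments-available
      try:
        # The assert retries until it passes or the timeout elapses, so it
        # tolerates the rollout window but fails if a deployment is missing
        # or never reaches an available replica.
        - assert:
            timeout: 180s
            resource:
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: gatekeeper-controller-manager
                namespace: gatekeeper-system
              status:
                (availableReplicas >= `1`): true
        - assert:
            timeout: 180s
            resource:
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: gatekeeper-audit
                namespace: gatekeeper-system
              status:
                (availableReplicas >= `1`): true
```

A plain `availableReplicas: 1` literal would also work for a single-replica recipe, but the `>= 1` expression keeps the check valid when a recipe raises `replicas`, and it still fails when the field is absent.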
Notes
Gatekeeper runs on the admission path, so the component should remain conservative by default. This issue should not resolve the broader architectural questions from #860 around offline gator validation or policy evidence; those need separate design discussion before implementation.