[Yandex Cloud documentation](../../../index.md) > [Yandex Managed Service for Kubernetes](../../index.md) > [Step-by-step guides](../index.md) > Installing applications from Cloud Marketplace > Installing Gatekeeper

# Installing Gatekeeper

[Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) is a customizable [policy](../../concepts/network-policy.md) controller and auditor for Kubernetes. Gatekeeper accepts incoming requests to clusters and audits them in real time to make sure they comply with predefined policies.

## Getting started {#before-you-begin}

[Make sure](../connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../../vpc/operations/security-group-add-rule.md).

{% note warning %}

The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.

{% endnote %}

## Installation from Yandex Cloud Marketplace {#marketplace-install}

1. In the [management console](https://console.yandex.cloud), select a folder.

1. Navigate to **Managed Service for&nbsp;Kubernetes**.

1. Click the name of your cluster and select the ![image](../../../_assets/console-icons/shopping-cart.svg) **Marketplace** tab.

1. Under **Application available for installation**, select [Gatekeeper](https://yandex.cloud/ru/marketplace/products/yc/gatekeeper) and click **Go to install**.

1. Configure the application:
    * **Namespace**: Create a new [namespace](../../concepts/index.md#namespace), e.g., `gatekeeper-space`. If you leave the default namespace, Gatekeeper may work incorrectly.
    * **Application name**: Specify the application name.
    * **Audit interval**: Set the interval between audits in seconds. `0` disables audits.
    * **Constraint violations limit**: Set the maximum number of violations to log for each constraint.
    * **Only matching resource types**: Select this option if you need to audit only those Kubernetes resource types for each constraint that are explicitly specified in the constraint. If no resource types are specified or the option is disabled, all resources will be audited.
    * **Create events at audit**: Select this option to create a Kubernetes event for each constraint violation detected during the audit, with detailed information about the violation.
    * **Events in affected namespace**: Select this option if events with violation details should be created in the namespace where a constraint violation was logged. It only applies if the **Create events at audit** option is enabled.
    
      If the **Events in affected namespace** option is disabled, events will be created in the namespace where Gatekeeper is installed.

    * **Allow external data**: Select this option to enable experimental support for external data sources.

1. Click **Install**.

1. Wait for the application status to change to `Deployed`.

## Installation using a Helm chart {#helm-install}

1. [Install kubect](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../connect/index.md#kubectl-connect).

1. [Install Helm](https://helm.sh/docs/intro/install/) v3.8.0 or higher.

1. To install a [Helm chart](https://helm.sh/docs/topics/charts/) with Gatekeeper, run this command:
  
    ```bash
    helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/gatekeeper/gatekeeper \
      --version 3.20.1 \
      --untar && \
    helm install \
      --namespace <namespace> \
      --create-namespace \
      gatekeeper ./gatekeeper/
    ```

  If you set `namespace` to the default namespace, Gatekeeper may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., `gatekeeper-space`.

  You can redefine optional parameters in the install command using the following key: `--set <parameter_name>=<new_value>`.

  See the table below for a list of redefinable parameters and their default values:

  Parameter name | Description | Default value
  --- | --- | ---
  `auditInterval` | Interval between audits in seconds | `60`
  `constraintViolationsLimit` | Maximum number of violations to log for each constraint | `20`
  `auditMatchKindOnly` | Only matching resource types | `false`
  `emitAuditEvents` | Creating events during audit | `false`
  `auditEventsInvolvedNamespace` | Creating events in the affected namespace | `false`
  `enableExternalData` | Experimental support for external data sources | `true`

## See also {#see-also}

* [Gatekeeper documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/)

* [Library of Gatekeeper policies](https://open-policy-agent.github.io/gatekeeper-library/website/)