ajoy sinha

Reputation: 1236

open policy agent - OPA - How to use --config-file from kubernetes configmap object

I am trying to set up my OPA as below.

  1. OPA installed as a sidecar in Kubernetes
  2. Policy will be managed as a bundle
  3. OPA policy will be stored and served from a separate service [ Bundle ]
  4. OPA needs to be configured using a config-file to get the policy from the external service
  5. The config-file will be stored as a config map in Kubernetes.
  6. That config map needs to be used in --config-file

My config map in Kubernetes:

  kubectl create configmap policyconfig --from-file=./config/config.yaml

My Sidecar OPA:

      - name: opa
        image: openpolicyagent/opa:latest
        args:
          - "run"
          - "--server"
          - "--addr=0.0.0.0:443"
          - "--addr=0.0.0.0:8181"
          - "--config-file=policyconfig"
  volumes:
    - name: policyconfig
      configMap:
        name: policyconfig

Let me know if it is possible to implement it this way.

Upvotes: 2

Views: 1940

Answers (3)

user15202490

Reputation: 1

It seems like I am also trying to achieve the same goal: Envoy to OPA using the bundle API.

My bundle-API configuration:

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: policyconfig
  data:
    config.yaml: |
      services:
        - name: controller
          url: https://opa-bundle-bucket1.s3-us-west-1.amazonaws.com/bundles/authz.gz
      bundles:
        envoy/authz:
          service: controller
          resource: authz.gz
          polling:
            min_delay_seconds: 10
            max_delay_seconds: 20
      plugins:
        envoy_ext_authz_grpc:
          addr: :9191
          path: envoy/authz/allow
          dry-run: false
          enable-reflection: false

My config map in Kubernetes:

  kubectl create configmap policyconfig --from-file=./config/config.yaml

My Sidecar OPA:

      - name: opa
        # the latest released image of OPA-Envoy.
        image: openpolicyagent/opa:latest-envoy
        securityContext:
          runAsUser: 1111
        volumeMounts:
          - readOnly: true
            mountPath: /config
            name: policyconfig
        args:
          - "run"
          - "--server"
          - "--addr=localhost:8181"
          - "--diagnostic-addr=0.0.0.0:8282"
          - "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
          - "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
          - "--set=decision_logs.console=true"
          - "--ignore=.*"
          - "--config-file=/config/config.yaml"
  volumes:
    - name: policyconfig
      configMap:
        name: policyconfig

Expected Behavior: Envoy will call OPA and OPA will send the request to the bundle-server to get the latest policy and data.

Actual Behavior: Envoy is calling OPA but OPA is not able to download the policies.

Let me know what I am doing wrong here.

Upvotes: 0

Rico

Reputation: 61669

Alternatively, you can use Gatekeeper, which, in addition to what kube-mgmt (Gatekeeper 1.0) has, also provides (per this):

  • An extensible, parameterized policy library
  • Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
  • Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
  • Audit functionality

Another recent tool is MagTape.

Upvotes: 2

Arghya Sadhu

Reputation: 44677

You can use kube-mgmt as a sidecar for managing OPA on top of Kubernetes.

kube-mgmt automatically discovers policies stored in ConfigMaps in Kubernetes and loads them into OPA. kube-mgmt assumes a ConfigMap contains policies if the ConfigMap is:

  1. Created in a namespace listed in the --policies option. If you specify --policies=* then kube-mgmt will look for policies in ALL namespaces.
  2. Labelled with openpolicyagent.org/policy=rego


https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203

Update:

With your current setup and requirement you need to add a volumeMounts entry to make it work. The ConfigMap key config.yaml is mounted as a file under the mount path, so --config-file has to point at that absolute path:

      - name: opa
        image: openpolicyagent/opa:latest
        args:
          - "run"
          - "--server"
          - "--addr=0.0.0.0:443"
          - "--addr=0.0.0.0:8181"
          # the ConfigMap key config.yaml appears as /config/config.yaml inside the container
          - "--config-file=/config/config.yaml"
        volumeMounts:
          - name: policyconfig
            mountPath: /config
  volumes:
    - name: policyconfig
      configMap:
        name: policyconfig

Upvotes: 3
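A complete manifest that wires the question's six steps together (OPA config file kept in a ConfigMap, OPA sidecar pulling its policy bundle from a separate service, and the volume mounted so that --config-file points at a path that actually exists, which is the fix Arghya Sadhu's update describes). This is an added example, not code from the question or from any of the answers. The bundle service name and cluster URL (bundle-server), the bundle resource path, the Deployment name and the application image are assumptions; the readiness probe against /health?bundles=true keeps the pod out of the Ready state until OPA has activated a bundle, so a misconfigured path or an unreachable bundle server shows up as a pod that never becomes Ready instead of one that silently runs without a policy.

```yaml
# ConfigMap holding the OPA configuration file. The key name (config.yaml)
# becomes the file name inside the directory the volume is mounted at.
apiVersion: v1
kind: ConfigMap
metadata:
  name: policyconfig
data:
  config.yaml: |
    services:
      - name: bundle-server                       # assumed name of the separate bundle service
        url: http://bundle-server.default.svc.cluster.local:8888   # assumed in-cluster URL
    bundles:
      authz:
        service: bundle-server
        resource: bundles/authz.tar.gz            # assumed path on the bundle server
        polling:
          min_delay_seconds: 10
          max_delay_seconds: 20
    decision_logs:
      console: true                               # log every decision to stdout
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                               # assumed Deployment name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: example-app:1.0                  # placeholder image for the protected service
          ports:
            - containerPort: 8080
        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - "run"
            - "--server"
            - "--addr=0.0.0.0:8181"
            # absolute path: <mountPath>/<ConfigMap key>
            - "--config-file=/config/config.yaml"
          volumeMounts:
            - name: policyconfig
              mountPath: /config
              readOnly: true                      # OPA only needs to read the config
          readinessProbe:
            httpGet:
              path: /health?bundles=true          # Ready only once a bundle is activated
              port: 8181
            initialDelaySeconds: 5
            periodSeconds: 10
      # the volume lives at pod spec level, not inside the container
      volumes:
        - name: policyconfig
          configMap:
            name: policyconfig
```

Apply it with kubectl apply -f and confirm the file is really where the flag says it is with kubectl exec &lt;pod&gt; -c opa -- ls /config; the OPA container log then reports the bundle download and activation, and the pod only turns Ready after that has happened.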
