How to policy-control Kubernetes GET object requests via Open Policy Agent?

12/15/2019

OPA (Open Policy Agent) can consult its policy before Kubernetes resources are created, deleted or updated, but not when they are read (describe or get). How do I enforce this for GET requests? Is this on the roadmap for OPA, or within the scope of admission controllers?

We want to block viewing of service account tokens.

-- letthefireflieslive
kubernetes
open-policy-agent

1 Answer

12/17/2019

Admission control in Kubernetes does NOT let you control a get. It only lets you control create, update, delete, and connect. The API docs for the validating webhook and its descendant RuleWithOperations (no handy link) don't make this clear, but the docs introducing API access state it explicitly.

To control get, you need to use authorization. To use OPA for authorization, you would need the authorization webhook mode.

-- Tim Hinrichs
Source: StackOverflow
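As an added example, not part of the question or answer above and not OPA's own code: a minimal authorization webhook, in plain Python rather than Rego so the SubjectAccessReview exchange is visible end to end, that denies reads of service-account token Secrets. The API server POSTs an authorization.k8s.io/v1 SubjectAccessReview and expects the same object back with status set; allowed: true grants, allowed: false plus denied: true denies, and both false means "no opinion" so the next authorizer (typically RBAC) decides. Assumptions made here: the EXEMPT_GROUPS allow-list, the loopback port, and the name heuristic <serviceaccount>-token-<suffix>, which is needed because authorization sees only resource and name, never the Secret's type.

```python
# Added example (not from the question or answer above, not OPA's own code):
# a minimal Kubernetes authorization webhook that denies read access to
# service-account token Secrets. Standard library only.
#
# Response contract for a SubjectAccessReview:
#   allowed: true                  -> grant (stops the authorizer chain)
#   allowed: false, denied: true   -> deny  (stops the authorizer chain)
#   allowed: false, denied: false  -> no opinion (fall through to RBAC etc.)
# The first authorizer to allow or deny wins, so this webhook must be listed
# before RBAC (e.g. --authorization-mode=Webhook,RBAC) for its denials to
# take effect on requests RBAC would otherwise grant.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

READ_VERBS = {"get", "list", "watch"}

# Hypothetical allow-list (assumption): subjects that may still read token
# Secrets, e.g. cluster admins and kube-system controllers.
EXEMPT_GROUPS = {"system:masters", "system:serviceaccounts:kube-system"}


def _reply(review, allowed=False, denied=False, reason=""):
    """Build the SubjectAccessReview the API server expects in response."""
    return {
        "apiVersion": review.get("apiVersion", "authorization.k8s.io/v1"),
        "kind": "SubjectAccessReview",
        "status": {"allowed": allowed, "denied": denied, "reason": reason},
    }


def decide(review):
    """Return the response for one SubjectAccessReview.

    Anything that is not a read of a Secret by a non-exempt subject gets
    'no opinion' so that RBAC still governs it.
    """
    spec = review.get("spec", {})
    attrs = spec.get("resourceAttributes")
    if attrs is None:
        # Non-resource URLs such as /healthz carry no object to protect.
        return _reply(review)
    if EXEMPT_GROUPS & set(spec.get("groups") or []):
        return _reply(review)
    if attrs.get("group", "") != "" or attrs.get("resource") != "secrets":
        return _reply(review)
    if attrs.get("verb") not in READ_VERBS:
        return _reply(review)

    name = attrs.get("name", "")
    # Authorization sees only resource/name, never the Secret's type or
    # payload, so token Secrets are recognised by the auto-generated name
    # pattern <serviceaccount>-token-<suffix> (heuristic, assumed here).
    # A list/watch without a name would return every Secret in scope,
    # token Secrets included, and authorization cannot filter the result,
    # so the whole collection read is denied.
    if name == "" or "-token-" in name:
        return _reply(
            review,
            denied=True,
            reason="reading service-account token Secrets is blocked by policy",
        )
    return _reply(review)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        review = json.loads(self.rfile.read(length) or b"{}")
        body = json.dumps(decide(review)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


# Constructed SubjectAccessReview, shaped like what kube-apiserver sends.
SAMPLE_REVIEW = {
    "apiVersion": "authorization.k8s.io/v1",
    "kind": "SubjectAccessReview",
    "spec": {
        "user": "alice",
        "groups": ["developers", "system:authenticated"],
        "resourceAttributes": {
            "namespace": "dev",
            "verb": "get",
            "group": "",
            "resource": "secrets",
            "name": "default-token-k9x2q",
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(decide(SAMPLE_REVIEW)["status"]))
    # Plain HTTP on loopback for the demo only; a real deployment terminates
    # TLS and is referenced from the kubeconfig passed to
    # --authorization-webhook-config-file.
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```

Two operational caveats: kube-apiserver caches webhook decisions (--authorization-webhook-cache-authorized-ttl and --authorization-webhook-cache-unauthorized-ttl), so a policy change is not visible until the cached entries expire, and a denial here does not restrict a subject that can still read the Secret through another path, such as exec into a pod that mounts the token.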