open policy agent - OPA - How to use --config-file from kubernetes configmap object

4/30/2020

I am trying to set up my OPA as below.

  1. OPA installed as a sidecar in Kubernetes
  2. Policy will be managed as a bundle
  3. OPA policy will be stored and served from a separate service [ Bundle ]
  4. OPA needs to be configured using a config file to get the policy from the external service
  5. The config file will be stored as a ConfigMap in Kubernetes.
  6. That ConfigMap needs to be used in --config-file

My ConfigMap in Kubernetes:

kubectl create configmap policyconfig --from-file=./config/config.yaml

My sidecar OPA:

        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - "run"
            - "--server"
            - "--addr=0.0.0.0:443"
            - "--addr=0.0.0.0:8181"
            - "--config-file=policyconfig"
      volumes:
        - name: policyconfig
          configMap:
            name: policyconfig

Let me know if it is possible to implement it this way.

-- ajoy sinha
kubernetes
minikube
open-policy-agent

2 Answers

4/30/2020

Alternatively, you can use Gatekeeper, which, in addition to what kube-mgmt (Gatekeeper 1.0) has, also provides (per this):

  • An extensible, parameterized policy library
  • Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
  • Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
  • Audit functionality

Another recent tool is MagTape.

-- Rico
Source: StackOverflow

4/30/2020

You can use kube-mgmt as a sidecar for managing OPA on top of Kubernetes.

kube-mgmt automatically discovers policies stored in ConfigMaps in Kubernetes and loads them into OPA. kube-mgmt assumes a ConfigMap contains policies if the ConfigMap is:

  1. Created in a namespace listed in the --policies option. If you specify --policies=* then kube-mgmt will look for policies in ALL namespaces.
  2. Labelled with openpolicyagent.org/policy=rego


https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203

Update:

With your current setup and requirement you need to add a volumeMounts entry to make it work:

        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - "run"
            - "--server"
            - "--addr=0.0.0.0:443"
            - "--addr=0.0.0.0:8181"
            # the ConfigMap key (config.yaml) appears as a file under the mount path
            - "--config-file=/config/config.yaml"
          volumeMounts:
            - name: policyconfig
              mountPath: /config
      volumes:
        - name: policyconfig
          configMap:
            name: policyconfig

-- Arghya Sadhu
Source: StackOverflow
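A complete version of the setup the question describes (OPA config held in a ConfigMap, policy pulled as a bundle from a separate service, the ConfigMap mounted and passed to --config-file), added here as an illustration; it is not taken from the question or either answer. The bundle service URL, bundle path, Secret name and pod name are assumptions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: policyconfig
data:
  # the key becomes the file name under the mount path: /config/config.yaml
  config.yaml: |
    services:
      - name: bundle-service
        url: https://bundles.example.internal   # assumed bundle service address
        credentials:
          bearer:
            # token is read from a Secret mounted into the container, not stored here
            token_path: /secrets/bundle-token
    bundles:
      authz:
        service: bundle-service
        resource: bundles/authz.tar.gz          # assumed bundle path on the service
    decision_logs:
      console: true                            # every decision ends up in kubectl logs
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-opa
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:latest
      args:
        - "run"
        - "--server"
        # loopback only: the app container in the same pod can reach it, nothing outside can
        - "--addr=localhost:8181"
        - "--config-file=/config/config.yaml"
      volumeMounts:
        - name: policyconfig
          mountPath: /config
          readOnly: true
        - name: bundle-token
          mountPath: /secrets
          readOnly: true
  volumes:
    - name: policyconfig
      configMap:
        name: policyconfig
    - name: bundle-token
      secret:
        secretName: bundle-token   # assumed Secret whose key is bundle-token
```

After `kubectl apply`, `kubectl logs app-with-opa -c opa` should show the bundle being downloaded and activated; a failed bundle fetch is logged there as well, so an OPA that is running but serving no policy is visible rather than silent.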