open policy agent rego reading configmap

8/9/2021

I'm trying to get values from a configmap in rego.

For kube-mgmt, in the deployment, I have:

- args:
  - --enable-data=true
  - --policies=opa-mutate
  - --require-policy-label=true
  - --replicate-cluster=v1/configmaps
  - --replicate-cluster=v1/namespaces
  - --replicate=extensions/v1beta1/ingresses
  - --replicate=v1/configmaps
  - --replicate=networking.k8s.io/v1beta1/ingresses

In my configmap I have:

apiVersion: v1
data:
  annotations.rego: |
    package kubernetes.admission

    import data.kubernetes
    import data.kubernetes.namespaces
    import data.kubernetes.configmaps

    # Get configmap properties
    clvars := configmaps["kube-system"].data["helm-variables"]["values.yaml"]
    subnet := clvars.workerSubnets[0]

    # Only mutate Ingress objects on CREATE and UPDATE
    patch[p] {
        ops := { "CREATE", "UPDATE" }
        kinds := { "Ingress" }
        ops[input.request.operation]
        kinds[input.request.object.kind]

        albannotations := {
          "subnet": subnet,
          "alb.ingress.kubernetes.io/healthcheck-path": "/healthz",
          "alb.ingress.kubernetes.io/listen-ports": `[{"HTTPS": 443}]`,
          "alb.ingress.kubernetes.io/target-type": "ip"
        }

        alb_annotations := merge_objects(annotations, albannotations)

        # Keep any annotations already present on the object
        k := pick_first("annotations", input.request.object.metadata, {"annotations": {}})
        merged_annotations := merge_objects(alb_annotations, k)
        p = {"op": "add", "path": "/metadata/annotations", "value": merged_annotations}
    }

Now this all works great if I remove the "subnet": subnet line, meaning created ingresses get annotated as desired.

I tried following the info on: https://github.com/open-policy-agent/kube-mgmt

I don't know what else to try to get the information from the configmap, nor how to test it any other way besides re-editing the configmap.

This is how my configmap looks:

---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    openpolicyagent.org/data: opa
  name: helm-variables
  namespace: kube-system
data:
  values.yaml: |
    global:
      availabilityZones:
        - "us-west-2a"
        - "us-west-2b"
      workerSubnets:
        - "subnet_a"
        - "subnet_b"
-- Simply Seth
kubernetes
open-policy-agent
rego
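As an added example (not code from the question or from kube-mgmt): a policy that reads the replicated ConfigMap, parses the values.yaml string with yaml.unmarshal, builds the annotation patch with object.get/object.union, and carries two opa test cases against a constructed mock so the lookup can be checked locally instead of by re-editing the live ConfigMap. The data.kubernetes.configmaps[namespace][name] layout is assumed from the kube-mgmt README; mock_configmaps and the test request are constructed, and the syntax is the pre-v1 OPA dialect used in 2021.

```rego
package kubernetes.admission

import data.kubernetes.configmaps

# Assumed kube-mgmt layout: resources replicated with --replicate=v1/configmaps
# land at data.kubernetes.<plural>[namespace][name], and each entry is the whole
# Kubernetes object (metadata, data, ...). values.yaml is therefore a YAML string.
raw_values := configmaps["kube-system"]["helm-variables"].data["values.yaml"]

# Parse the string before indexing it. Indexing a string with .global does not
# error; the rule is simply undefined, and a patch rule that depends on it then
# silently produces no patch at all.
helm_values := yaml.unmarshal(raw_values)

worker_subnet := helm_values.global.workerSubnets[0]

# Mutating patch; only fires when the subnet lookup above succeeded.
patch[p] {
    input.request.operation == "CREATE"
    input.request.object.kind == "Ingress"
    # Preserve annotations already on the object, defaulting to an empty map
    existing := object.get(input.request.object.metadata, "annotations", {})
    merged := object.union(existing, {"subnet": worker_subnet})
    p := {"op": "add", "path": "/metadata/annotations", "value": merged}
}

# Constructed mock of the replicated ConfigMap for `opa test`.
mock_configmaps := {"kube-system": {"helm-variables": {
    "metadata": {"name": "helm-variables", "namespace": "kube-system"},
    "data": {"values.yaml": "global:\n  workerSubnets:\n    - \"subnet_a\"\n    - \"subnet_b\"\n"}
}}}

test_worker_subnet_parsed {
    worker_subnet == "subnet_a" with data.kubernetes.configmaps as mock_configmaps
}

test_patch_adds_subnet_annotation {
    # Constructed admission request with no pre-existing annotations
    req := {"request": {"operation": "CREATE", "object": {"kind": "Ingress", "metadata": {"name": "web"}}}}
    ps := patch with input as req with data.kubernetes.configmaps as mock_configmaps
    count(ps) == 1
    ps[_].value.subnet == "subnet_a"
}
```

Run it with `opa test .` in the directory holding this file; a failing test_worker_subnet_parsed points at the data path or the YAML parsing rather than at the webhook.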

0 Answers