Ellin.com

Open Policy Agent (OPA) and Kubernetes Part 2

This post continues the discussion of OPA. It illustrates how to integrate the OPA Gatekeeper with Kubernetes. For details on what OPA is, see my previous post.

We will be implementing a rule which will validate that the domain used within a given namespace is allowed.

In other words:

The QA namespace URLs should always match one of the following host patterns:

*.qa.acmecorp.com, *.internal.acmecorp.com

The prod namespace URLs should always match the following host pattern:

*.acmecorp.com

Installation

All of the YAML required to install OPA is available on GitHub.

  • Create the OPA namespace

  • Create an SSL Certificate For OPA

  • Install the OPA

  • Create the admission controller

  • Create the ValidatingWebhookConfiguration

  • Create a Policy

Detailed steps are provided in the OPA Docs as well as the attached video. For your convenience, I have added everything you need to a Git repository.

# clone the git repo
git clone https://github.com/jeffellin/opa
cd opa

Create a namespace for OPA

kubectl create namespace opa
kubectl config set-context opa-tutorial --user minikube --namespace opa
kubectl config use-context opa-tutorial

Create a CA for OPA and issue the server certificate (the CN must be the webhook service name, opa.opa.svc, or the API server will reject the TLS connection).

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=opa.opa.svc" -config server.conf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf

Put the new certificate into a secret.

kubectl create secret tls opa-server --cert=server.crt --key=server.key

Create the admission controller.

kubectl apply -f admission-controller.yaml

Label the opa and kube-system namespaces so the webhook skips them (no policy is enforced there; the namespaceSelector below excludes any namespace carrying this label).

kubectl label ns kube-system openpolicyagent.org/webhook=ignore
kubectl label ns opa openpolicyagent.org/webhook=ignore

Register OPA as an admission controller. The caBundle is the CA certificate created above, so the API server can verify the webhook's TLS certificate. (The v1beta1 API used here was removed in Kubernetes 1.22; newer clusters need admissionregistration.k8s.io/v1, which also requires the sideEffects and admissionReviewVersions fields.)

cat > webhook-configuration.yaml <<EOF
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
  name: opa-validating-webhook
webhooks:
  - name: validating-webhook.openpolicyagent.org
    namespaceSelector:
      matchExpressions:
      - key: openpolicyagent.org/webhook
        operator: NotIn
        values:
        - ignore
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["*"]
    clientConfig:
      caBundle: $(cat ca.crt | base64 | tr -d '\n')
      service:
        namespace: opa
        name: opa
EOF

kubectl apply -f webhook-configuration.yaml

# apply the policy
kubectl create configmap ingress-whitelist --from-file=ingress-whitelist.rego
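As an added example (not the ingress-whitelist.rego from the post's repository), here is a Rego policy of the kind loaded into that configmap, written in the pre-1.0 Rego syntax the OPA docs used at the time. It assumes the namespace carries an `ingress-whitelist` annotation holding the comma-separated patterns (a Kubernetes label value cannot contain `*` or `,`, so the patterns have to live in an annotation), that kube-mgmt replicates Namespace objects into `data.kubernetes.namespaces` as the OPA tutorial's admission-controller.yaml does, and that the `system.main` rule which turns `deny` into an AdmissionReview response is loaded separately. The trailing `test_` rules use constructed fixtures and run with `opa test`.

```rego
package kubernetes.admission

# Admission operations this policy inspects.
operations = {"CREATE", "UPDATE"}

# Deny an Ingress whose host is not covered by the namespace's whitelist.
# If the namespace has no annotation, valid_ingress_hosts is empty and every
# host is denied, so the policy fails closed rather than open.
deny[msg] {
    input.request.kind.kind == "Ingress"
    operations[input.request.operation]
    host := input.request.object.spec.rules[_].host
    not fqdn_matches_any(host, valid_ingress_hosts)
    msg := sprintf("invalid ingress host %q for namespace %q", [host, input.request.namespace])
}

# Allowed host patterns for the requesting namespace, split out of its
# "ingress-whitelist" annotation (assumption: kube-mgmt replicates Namespace
# objects into data.kubernetes.namespaces).
valid_ingress_hosts = {host |
    ns := data.kubernetes.namespaces[input.request.namespace]
    whitelist := ns.metadata.annotations["ingress-whitelist"]
    hosts := split(whitelist, ",")
    host := hosts[_]
}

fqdn_matches_any(str, patterns) {
    fqdn_matches(str, patterns[_])
}

# A wildcard pattern matches on its dotted suffix: "*.acmecorp.com" covers
# "www.acmecorp.com" but not "acmecorp.com" or "evilacmecorp.com", because
# the leading "." is kept when the "*" is trimmed off.
fqdn_matches(str, pattern) {
    startswith(pattern, "*.")
    endswith(str, trim_left(pattern, "*"))
}

# A pattern without a wildcard must match the host exactly.
fqdn_matches(str, pattern) {
    not startswith(pattern, "*.")
    str == pattern
}

# ---- Unit tests: opa test ingress-whitelist.rego ----
# Constructed fixtures standing in for the replicated Namespace objects.
namespaces_fixture = {
    "qa": {"metadata": {"annotations": {"ingress-whitelist": "*.qa.acmecorp.com,*.internal.acmecorp.com"}}},
    "production": {"metadata": {"annotations": {"ingress-whitelist": "*.acmecorp.com"}}}
}

# Build a minimal AdmissionReview request for an Ingress with one host.
review(ns, host) = r {
    r := {"request": {
        "kind": {"kind": "Ingress"},
        "operation": "CREATE",
        "namespace": ns,
        "object": {"spec": {"rules": [{"host": host}]}}
    }}
}

test_prod_host_allowed {
    count(deny) == 0 with input as review("production", "www.acmecorp.com") with data.kubernetes.namespaces as namespaces_fixture
}

test_prod_host_rejected_in_qa {
    count(deny) == 1 with input as review("qa", "www.acmecorp.com") with data.kubernetes.namespaces as namespaces_fixture
}

test_qa_internal_host_allowed {
    count(deny) == 0 with input as review("qa", "db.internal.acmecorp.com") with data.kubernetes.namespaces as namespaces_fixture
}

test_suffix_trick_rejected {
    count(deny) == 1 with input as review("production", "evilacmecorp.com") with data.kubernetes.namespaces as namespaces_fixture
}

test_unannotated_namespace_fails_closed {
    count(deny) == 1 with input as review("staging", "www.acmecorp.com") with data.kubernetes.namespaces as namespaces_fixture
}
```

Two points worth checking when adapting this: the suffix match deliberately keeps the leading dot, so a host like evilacmecorp.com cannot ride on the `*.acmecorp.com` pattern, and an unannotated namespace rejects every Ingress, which is the safe default but means the annotation must be applied before workloads are deployed there. On OPA 1.0 and later the rule heads need `import rego.v1` together with the `if` and `contains` keywords.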

Test out your policy

Create a prod and qa namespace with a label to indicate valid domains.

kubectl create -f qa-namespace.yaml
kubectl create -f production-namespace.yaml

Create a valid ingress for the production namespace.

kubectl create -f ingress-ok.yaml -n production

Create a bad ingress for the qa namespace; the webhook should reject it.

kubectl create -f ingress-bad.yaml -n qa

References

The two videos below from TGIK provide more detail on how to use OPA with Kubernetes.


Last modified on 2020-06-07