This post continues the discussion of OPA and illustrates how to integrate OPA Gatekeeper with Kubernetes. For details on what OPA is, see my previous post.
We will implement a rule that validates that the domain used within a given namespace is one of the allowed ones.
In other words:
The QA namespace URLs should always match the following regular expression:
"*.qa.acmecorp.com,*.internal.acmecorp.com"
The prod namespace URLs should always match the following regular expression:
"*.acmecorp.com"
The Video
Installation
All of the YAML required to install OPA is available on GitHub.
Create the OPA namespace
Create an SSL Certificate For OPA
Install the OPA
Create the admission controller
Create the ValidatingWebhookConfiguration
Create a Policy
Detailed steps are provided in the OPA Docs as well as the attached video. For your convenience, I have added everything you need to a Git repository.
# clone the git repo
git clone https://github.com/jeffellin/opa
cd opa
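The following Rego policy is an added example of the namespace-scoped domain rule described at the top of this post and of the "Create a Policy" step above; it is not taken from the post's repository or from the OPA project, although it follows the shape of the ingress host allow-list pattern in the OPA documentation. It assumes that kube-mgmt replicates Namespace objects into OPA under data.kubernetes.namespaces, that each namespace carries its allowed patterns in a hypothetical ingress-whitelist annotation (for example "*.qa.acmecorp.com,*.internal.acmecorp.com" on the qa namespace and "*.acmecorp.com" on prod), and that the admission request object is an Ingress. The sample namespaces and requests in the test rules at the bottom are constructed for this example.

```rego
package kubernetes.admission

import data.kubernetes.namespaces

# Operations on which the host check applies.
operations = {"CREATE", "UPDATE"}

# Deny any Ingress whose host does not match one of the patterns allowed
# for the request's namespace. A namespace without an annotation yields an
# empty allow-list, so every host is rejected (fail closed).
deny[msg] {
    input.request.kind.kind == "Ingress"
    operations[input.request.operation]
    host := input.request.object.spec.rules[_].host
    not fqdn_matches_any(host, valid_ingress_hosts)
    msg := sprintf("invalid ingress host %q for namespace %q", [host, input.request.namespace])
}

# Allowed patterns come from the (assumed) "ingress-whitelist" annotation on
# the namespace, as a comma-separated list such as "*.acmecorp.com".
valid_ingress_hosts = {host |
    whitelist := namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
    hosts := split(whitelist, ",")
    host := hosts[_]
}

fqdn_matches_any(str, patterns) {
    fqdn_matches(str, patterns[_])
}

# Wildcard pattern: "*.acmecorp.com" allows any host under the suffix
# ".acmecorp.com". Keeping the leading dot in the suffix ensures a label
# boundary, so "notacmecorp.com" does not satisfy "*.acmecorp.com".
fqdn_matches(str, pattern) {
    startswith(pattern, "*.")
    suffix := substring(pattern, 1, -1)
    endswith(str, suffix)
}

# Literal pattern: exact match only.
fqdn_matches(str, pattern) {
    not contains(pattern, "*")
    str == pattern
}

# --- Constructed sample data and unit tests (run with `opa test .`) ---

sample_namespaces = {
    "qa": {"metadata": {"annotations": {"ingress-whitelist": "*.qa.acmecorp.com,*.internal.acmecorp.com"}}},
    "prod": {"metadata": {"annotations": {"ingress-whitelist": "*.acmecorp.com"}}},
}

# Builds a minimal AdmissionReview-style input for an Ingress with one host.
ingress_request(ns, host) = {
    "request": {
        "kind": {"kind": "Ingress"},
        "operation": "CREATE",
        "namespace": ns,
        "object": {"spec": {"rules": [{"host": host}]}},
    },
}

test_qa_host_allowed_in_qa {
    count(deny) == 0 with input as ingress_request("qa", "app.qa.acmecorp.com") with data.kubernetes.namespaces as sample_namespaces
}

test_prod_host_rejected_in_qa {
    count(deny) == 1 with input as ingress_request("qa", "app.acmecorp.com") with data.kubernetes.namespaces as sample_namespaces
}

test_any_subdomain_allowed_in_prod {
    count(deny) == 0 with input as ingress_request("prod", "shop.acmecorp.com") with data.kubernetes.namespaces as sample_namespaces
}

test_suffix_lookalike_rejected_in_prod {
    count(deny) == 1 with input as ingress_request("prod", "notacmecorp.com") with data.kubernetes.namespaces as sample_namespaces
}
```

Loading this file into OPA as a ConfigMap (the "Create a Policy" step) makes every Ingress admission request in the qa and prod namespaces pass through the deny rule; the test rules can be run locally with the opa CLI before the policy is deployed, which is the cheapest place to catch a pattern that is either too permissive or locks a namespace out entirely.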