Skip to content

floriandorau/opa-aks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

app

app

 
 

kubernetes/required-labels

kubernetes/required-labels

 
 

terraform

terraform

 
 

.gitignore

.gitignore

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

Repository files navigation

Open Policy Agent on AKS

The purpose of this repository is to use Open Policy Agent definitons in combination with Azure Kubernetes Cluster.

Policy

To test how OPA is working in AKS we try to apply a policy which require pods to have a specific labels attached. If these labels do not exist, pods should be rejected when applied to cluster.

Deploy policy

Terraform is used to deploy policy definitions to Azure managed cluster. It assumes that a cluster already exists.

Prepare env

In order to run terraform you first need to create a file env.tfvars within terraform folder. Here you need to define values for varibales (see varibales.tf) that are used for the deployment

Plan & apply policy

You can use make to run terraform commands

# Terraform init
make init

# Terraform plan
make plan

# Terraform apply
make apply

Test policy

Apply invalid pod

To test if the policy is working you can use the busybox pod under app. When trying to apply the pod to your cluster it should result in an error when the policy is working corretly

# First create namespace for test
kubectl create ns opa-test

# Second try to apply busybox to created ns
kubectl -n opa-test apply -f app/busybox.yaml

After running this, you should see an error similar to the following.

Error from server ([azurepolicy-require-opa-label-5cbc81520134ce86ea47] you must provide labels: {"opa-test"}):
error when creating "busybox.yaml": admission webhook "validation.gatekeeper.sh" denied the request:
[azurepolicy-require-opa-label-5cbc81520134ce86ea47] you must provide labels: {"opa-test"}

Fix pod definition

Adding the opa-test label to pod definition like the following should fix the error.

metadata:
  name: busybox-opa
  namespace: opa-test
  labels:
    app: busybox-opa
    opa-test: hooray

After again running kubectl -n opa-test apply -f app/busybox.yaml you should the following message

pod/busybox-opa created

Links

About

Use Open Policy Agent in combination with Azure Kubernetes cluster

Topics

terraform opa aks azure-kubernetes-service open-policy-agent

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v1.0 Latest
Sep 3, 2021

Packages

No packages published

Languages