kubernetesminikubeopen-policy-agent
open policy agent - OPA - How to use --config-file from kubernetes configmap object
I am trying to setup my OPA as below.
- OPA installed as a sidecar in Kubernetes
- Policy will be managed as bundle
- OPA policy will be stored and served from a separate service [ Bundle ]
- OPA need to be configured using config-file to get the policy from external service
- config-file will be stored as a config map in kubernetes.
- That config map need to be used in --config-file
My config map in kubernetes
kubectl create configmap policyconfig --from-file=./config/config.yaml
My Sidecar OPA
- name: opa
image: openpolicyagent/opa:latest
args:
- "run"
- "--server"
- "--addr=0.0.0.0:443"
- "--addr=0.0.0.0:8181"
- "--config-file=policyconfig"
volumes:
- name: policyconfig
configMap:
name: policyconfig
Let me know if it is possible to implement in this way
Solution
You can use kube-mgmt as sidecar for managing OPA on top of Kubernetes.
kube-mgmt automatically discovers policies stored in ConfigMaps in Kubernetes and loads them into OPA. kube-mgmt assumes a ConfigMap contains policies if the ConfigMap is:
- Created in a namespace listed in the --policies option. If you specify --policies=* then kube-mgmt will look for policies in ALL namespaces.
- Labelled with openpolicyagent.org/policy=rego
https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
Update:
With your current setup and requirement you need to add a volumeMounts to make it work
- name: opa
image: openpolicyagent/opa:latest
args:
- "run"
- "--server"
- "--addr=0.0.0.0:443"
- "--addr=0.0.0.0:8181"
- "--config-file=policyconfig"
volumeMounts:
- name: policyconfig
mountPath: /config
volumes:
- name: policyconfig
configMap:
name: policyconfig
- How can I close over variables in kdb/Q?
- When is the EACH operator extension necessary in K besides mod/rotate?
- Handling single-character strings - in a function or in its caller? ssr()
- Kdb+ data fomat when writing to a file
- How to convert a symbol to a string in kdb+?
- Sum of each two elements using vector functions
- A dictionary with a single value and multiple keys
- Table transformation, table as list of dicts
- Accumulator gives different result then direct function applying
- Reshape [cols;table]
- FK field over IPC
- Protected execution, 2 cases
- Enums for tables
- Converge (fixed point) syntax difference in q and k
- .Q.trp and bt handling
- NULLs in q and in k.h
- Strange view declaration behaviour
- How to build a parse-tree of projections?
- Could not evaluate manually created equial ~ parse tree
- Select distinct for all columns from keyed table
- Parallel execution: blocking receive, deferred synchronous
- Multiple variable assignment in q
- Select a table from the inside of external select
- Select when one of filter-column may not exists
- What is the meaning of `s attribute on a table?
- On parallel execution - which side reports about an error?
- Validate if a keyed table have unique keys
- Applying dictionary to dictionary
- About xkey implementation
- Parse tree built on values from vars