Kubernetes OPA

OPA in Kubernetes
OPA in Kubernetes runs as a ValidatingAdmissionWebhook, one of the admission controllers: the API server forwards each incoming request to OPA, which evaluates it against the loaded Rego policy and reports whether the request is allowed.

Create a ConfigMap for OPA

untrusted-registry.rego

package kubernetes.admission

# Deny a Pod when any of its containers pulls an image from a registry
# other than hooli.com/. Each offending image produces one deny message.
deny[msg] {
  input.request.kind.kind == "Pod"
  image := input.request.object.spec.containers[_].image
  not startswith(image, "hooli.com/")
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}

Command

kubectl create cm untrusted-registry --from-file=untrusted-registry.rego
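To see what the policy above decides for a concrete request, here is an added example (not from the page or the OPA project) that mirrors the deny rule in Python and builds the AdmissionReview response a validating webhook returns. The sample request, the helper names and the `check_init_containers` switch (which goes beyond the page's rule, since that rule only inspects `containers`) are this example's own assumptions.

```python
import json

TRUSTED_PREFIX = "hooli.com/"  # registry prefix the page's Rego rule accepts


def deny_messages(admission_input: dict, check_init_containers: bool = False) -> list[str]:
    """Mirror of the page's deny[msg] rule: one message per container image not
    starting with TRUSTED_PREFIX; non-Pod requests yield none (first condition).
    check_init_containers=True is this example's extension (assumed, not in
    the original rule): the page's policy ignores initContainers."""
    request = admission_input.get("request", {})
    if request.get("kind", {}).get("kind") != "Pod":
        return []
    spec = request.get("object", {}).get("spec", {})
    containers = list(spec.get("containers", []))
    if check_init_containers:
        containers += spec.get("initContainers", [])
    msgs = []
    for c in containers:
        image = c.get("image", "")
        if not image.startswith(TRUSTED_PREFIX):
            msgs.append(f"image '{image}' comes from untrusted registry")
    return msgs


def admission_response(admission_input: dict) -> dict:
    """Build the admission.k8s.io/v1 AdmissionReview response the webhook sends
    back: allowed only when the deny set is empty, otherwise the messages are
    joined into status.reason, which kubectl shows to the user."""
    msgs = deny_messages(admission_input)
    response = {"uid": admission_input.get("request", {}).get("uid", ""),
                "allowed": not msgs}
    if msgs:
        response["status"] = {"reason": ", ".join(msgs)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample AdmissionReview: a Pod with one trusted and one untrusted image.
SAMPLE_REVIEW = {
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {"spec": {"containers": [
            {"name": "app", "image": "hooli.com/app:1.0"},
            {"name": "sidecar", "image": "docker.io/library/nginx:1.25"},
        ], "initContainers": [{"name": "init", "image": "quay.io/init:1"}]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(admission_response(SAMPLE_REVIEW), indent=2))
```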