How to integrate Open Policy Agent (OPA) with Kubernetes

Matías Salinas
2 min read, Mar 13, 2023


As you already know from my previous article “What is Open Policy Agent (OPA)? and why you should know it”, OPA is a general-purpose policy engine. In Kubernetes it is normally deployed through OPA Gatekeeper, which runs OPA as a validating admission webhook: every object sent to the API server is evaluated against policies written in Rego before it is stored, and a request that violates a policy is rejected. That is how you make the cluster adhere to your organization’s security and compliance policies instead of relying on each team to remember them.

Integrating OPA with Kubernetes is relatively straightforward. Here’s a step-by-step guide on how to do it:

1.- Install OPA Gatekeeper in your Kubernetes cluster. You can do this with the YAML manifest published by the Gatekeeper project (for anything other than a throwaway test cluster, replace master in the URL with a release tag so that you install a pinned, reproducible version):

$ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

This creates a namespace called gatekeeper-system and installs the Gatekeeper CRDs (ConstraintTemplate, Config and friends), the gatekeeper-controller-manager and gatekeeper-audit deployments, and a ValidatingWebhookConfiguration that registers Gatekeeper with the API server as an admission webhook. Wait until the gatekeeper-controller-manager deployment reports ready before you move on; templates applied before the webhook is up are accepted but not enforced until it is.

2.- Write a Rego policy that rejects Pods containing a privileged container. Gatekeeper hands the policy the object under review as input.review.object and collects findings from a rule named violation, so the policy looks like this (the package name must be the lowercase form of the constraint kind you will declare in step 4):

package k8spspprivileged

violation[{"msg": msg}] {
  spec := input.review.object.spec
  # initContainers is optional, so fall back to an empty list when it is absent
  candidates := array.concat(spec.containers, object.get(spec, "initContainers", []))
  c := candidates[_]
  c.securityContext.privileged == true
  msg := sprintf("container %v: %v", [c.name, object.get(input.parameters, "message", "privileged containers are not allowed")])
}

Save this policy to a file called privileged.rego; in step 4 it is embedded in a ConstraintTemplate. Note the shape: a policy written for a plain OPA deployment (OPA plus the kube-mgmt sidecar) uses package kubernetes.admission, a deny[msg] rule and input.request.object, and such a policy does not work in Gatekeeper unchanged. The rule above also checks initContainers, because privileged: true is just as effective there as in the main containers.

3.- Do not load the policy into a ConfigMap. Gatekeeper does not read Rego from ConfigMaps; that mechanism belongs to the plain OPA deployment, where the kube-mgmt sidecar loads ConfigMaps labelled openpolicyagent.org/policy=rego into OPA. In Gatekeeper the policy travels inside a ConstraintTemplate (next step), and a ConfigMap created in the gatekeeper-system namespace would be ignored, leaving you with no enforcement while believing you have some.

4.- Package the policy for Gatekeeper by creating a ConstraintTemplate (which carries the Rego and declares a new constraint kind) and a Constraint (an instance of that kind that selects the resources it applies to):

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spspprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sPSPPrivileged
      validation:
        openAPIV3Schema:
          properties:
            message:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spspprivileged

        violation[{"msg": msg}] {
          spec := input.review.object.spec
          # initContainers is optional, so fall back to an empty list when it is absent
          candidates := array.concat(spec.containers, object.get(spec, "initContainers", []))
          c := candidates[_]
          c.securityContext.privileged == true
          msg := sprintf("container %v: %v", [c.name, object.get(input.parameters, "message", "privileged containers are not allowed")])
        }

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivileged
metadata:
  name: deny-privileged
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    message: "privileged containers are not allowed"

This creates a ConstraintTemplate called k8spspprivileged (Gatekeeper requires the template name to be the lowercase of the kind it defines, so k8s-psp-privileged would be rejected) and a Constraint called deny-privileged of the new kind K8sPSPPrivileged. The constraint applies the Rego from the template to Pod resources in every namespace except kube-system, where privileged system pods such as CNI and storage drivers are expected; the message parameter is passed to the policy as input.parameters.message, and the validation schema in the template is what gives that parameter a type. Until you are sure the constraint blocks nothing legitimate, set spec.enforcementAction to dryrun (or warn): violations are then recorded in the constraint's status, or returned to the client as warnings, instead of rejecting the request.

5.- Test the policy by creating a new Pod resource with a privileged container:

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: privileged-container
      image: nginx
      securityContext:
        privileged: true

When you apply this manifest the API server calls the Gatekeeper webhook, the policy produces a violation, and the request is rejected before the Pod is stored. kubectl prints the error the API server returns; it carries the name of the constraint followed by whatever msg your policy produced, in this form:

Error from server (Forbidden): error when creating "privileged-pod.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [deny-privileged] container privileged-container: privileged containers are not allowed

That message tells users which constraint stopped them and what to change. A few things to keep in mind before relying on this in production: Pods created indirectly (by a Deployment, Job or DaemonSet) are checked as well, but the rejection then surfaces as an event on the owning ReplicaSet or Job rather than in your terminal; Pods that already existed when the constraint was created are not removed, although Gatekeeper's audit controller lists them under the constraint's status.violations; and the default manifest registers the webhook with failurePolicy: Ignore, so while Gatekeeper is unavailable requests are admitted unchecked. Treat admission control as one layer, monitor the gatekeeper-system deployments, and review the audit results regularly.
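The five steps above, driven end to end by one script. This is an added example written for this page, not code from the original article or from the Gatekeeper project. It assumes a directory WORKDIR for the rendered manifests and the file names it writes there; the Gatekeeper names it relies on (the gatekeeper-system namespace, the gatekeeper-controller-manager deployment, and the <kind>.constraints.gatekeeper.sh CRD that Gatekeeper generates for each template) are Gatekeeper's own. Keeping the Rego in its own file and rendering it into the template avoids the indentation slips that are the usual reason a template is rejected, and the final probe uses a server-side dry run, which passes through admission webhooks without creating anything.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Drives the procedure
# above end to end; WORKDIR and the file names are this script's assumptions.
set -eu

WORKDIR="${WORKDIR:-./gatekeeper-demo}"
KIND="K8sPSPPrivileged"
TEMPLATE_NAME="k8spspprivileged"   # Gatekeeper requires the lowercase of KIND

# Policy in Gatekeeper's shape: the object under review is input.review.object
# and findings are returned through violation[{"msg": ...}].
write_policy() {
  cat > "$WORKDIR/privileged.rego" <<'EOF'
package k8spspprivileged

violation[{"msg": msg}] {
  spec := input.review.object.spec
  # initContainers is optional, so fall back to an empty list when absent
  candidates := array.concat(spec.containers, object.get(spec, "initContainers", []))
  c := candidates[_]
  c.securityContext.privileged == true
  msg := sprintf("container %v: %v", [c.name, object.get(input.parameters, "message", "privileged containers are not allowed")])
}
EOF
}

# Embed the .rego file under `rego: |`, indented by eight spaces so YAML keeps
# every line inside the block scalar.
render_template() {
  {
    cat <<EOF
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: $TEMPLATE_NAME
spec:
  crd:
    spec:
      names:
        kind: $KIND
      validation:
        openAPIV3Schema:
          properties:
            message:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
EOF
    sed 's/^/        /' "$WORKDIR/privileged.rego"
  } > "$WORKDIR/template.yaml"
}

render_constraint() {
  cat > "$WORKDIR/constraint.yaml" <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: $KIND
metadata:
  name: deny-privileged
spec:
  enforcementAction: deny   # use dryrun first to audit without blocking anything
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    message: "privileged containers are not allowed"
EOF
}

# Apply the manifests and probe the policy with a server-side dry run, which
# goes through admission webhooks without persisting the Pod.
apply_and_probe() {
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found: manifests rendered in $WORKDIR, nothing applied" >&2
    return 0
  fi
  kubectl -n gatekeeper-system rollout status deploy/gatekeeper-controller-manager --timeout=120s
  kubectl apply -f "$WORKDIR/template.yaml"
  # The constraint kind exists only once Gatekeeper has generated its CRD.
  kubectl wait --for=condition=established --timeout=60s "crd/$TEMPLATE_NAME.constraints.gatekeeper.sh"
  kubectl apply -f "$WORKDIR/constraint.yaml"
  if kubectl run privileged-pod --image=nginx --privileged --dry-run=server; then
    echo "FAIL: privileged Pod was admitted" >&2
    return 1
  fi
  echo "OK: privileged Pod rejected by Gatekeeper"
}

main() {
  mkdir -p "$WORKDIR"
  write_policy
  render_template
  render_constraint
  apply_and_probe
}

main "$@"
```

Without kubectl on the PATH the script only renders the three manifests, which is enough to review them; against a cluster it applies them and expects the privileged Pod to be refused. Once that passes, repeat the kubectl run probe without --privileged to confirm that ordinary Pods are still admitted.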

That’s it! You’ve now integrated
