The purpose of this repository is to use Open Policy Agent (OPA) policy definitions in combination with an Azure Kubernetes Service (AKS) cluster. Azure Policy for Kubernetes enforces these definitions through the OPA Gatekeeper admission webhook that runs in the cluster.

To test how OPA works in AKS we apply a policy that requires pods to carry specific labels. If those labels are missing, the pod is rejected at admission time when it is applied to the cluster.

Terraform is used to deploy the policy definitions to the Azure-managed cluster. It assumes that a cluster already exists.
In order to run Terraform you first need to create a file `env.tfvars` within the `terraform` folder. Here you define values for the variables (see `variables.tf`) that are used for the deployment.

You can use `make` to run the `terraform` commands:
```shell
# Terraform init
make init
# Terraform plan
make plan
# Terraform apply
make apply
```
To test whether the policy is working you can use the `busybox` pod under `app`. Applying the pod to your cluster should result in an error when the policy is working correctly. Note that the Azure Policy add-on only syncs assignments to the cluster periodically (about every 15 minutes according to the Azure Policy for Kubernetes docs), so a freshly deployed definition may not be enforced immediately.
```shell
# First create a namespace for the test
kubectl create ns opa-test
# Second, try to apply busybox to the created namespace
kubectl -n opa-test apply -f app/busybox.yaml
```
After running this, you should see an error similar to the following:

```text
Error from server ([azurepolicy-require-opa-label-5cbc81520134ce86ea47] you must provide labels: {"opa-test"}):
error when creating "busybox.yaml": admission webhook "validation.gatekeeper.sh" denied the request:
[azurepolicy-require-opa-label-5cbc81520134ce86ea47] you must provide labels: {"opa-test"}
```
Adding the `opa-test` label to the pod's metadata, as shown below, should fix the error:
```yaml
metadata:
  name: busybox-opa
  namespace: opa-test
  labels:
    app: busybox-opa
    opa-test: hooray
```
After running `kubectl -n opa-test apply -f app/busybox.yaml` again, you should see the following message:

```text
pod/busybox-opa created
```
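The round trip above (apply, get denied, add the label, apply again) needs a live cluster. The following is an added example, not code from this repository, that reproduces the same decision locally so a manifest can be checked in CI before `kubectl apply`. It mirrors the logic of the gatekeeper-library `K8sRequiredLabels` template (every required key must be present; a key with an `allowedRegex` must match it) and formats the denial the way the webhook reports it on this page. The pod is a constructed copy of `app/busybox.yaml` in the JSON form `kubectl` would emit; its container spec is an assumption, since the file's contents are not shown here.

```python
"""Local pre-flight check mirroring the require-labels Gatekeeper constraint.

Added example, not part of the repository. The required-label rule follows the
gatekeeper-library K8sRequiredLabels template; the manifest below is constructed.
"""
import copy
import re

# Constructed sample: app/busybox.yaml as kubectl would serialise it to JSON.
# The container spec is an assumption (the file is not reproduced on the page).
BUSYBOX_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "busybox-opa",
        "namespace": "opa-test",
        "labels": {"app": "busybox-opa"},
    },
    "spec": {
        "containers": [
            {"name": "busybox", "image": "busybox:1.36", "command": ["sleep", "3600"]}
        ]
    },
}

# Constraint parameters in the shape K8sRequiredLabels expects:
# a list of {key, allowedRegex}; allowedRegex is optional.
REQUIRE_OPA_LABEL = {"labels": [{"key": "opa-test"}]}

# Constraint name Azure Policy generated for the assignment on this page.
CONSTRAINT_NAME = "azurepolicy-require-opa-label-5cbc81520134ce86ea47"


def violations(manifest, parameters):
    """Return the violation messages Gatekeeper would raise for `manifest`.

    Two rules, as in the template: every required key must be present, and a
    present key that carries an allowedRegex must match it (unanchored search,
    like Rego's regex.match).
    """
    labels = manifest.get("metadata", {}).get("labels") or {}
    required = {entry["key"] for entry in parameters["labels"]}
    msgs = []

    missing = sorted(required - set(labels))
    if missing:
        # Rego's %v renders a set as {"a", "b"}; reproduce that spelling.
        rendered = ", ".join(f'"{key}"' for key in missing)
        msgs.append(f"you must provide labels: {{{rendered}}}")

    for entry in parameters["labels"]:
        key, pattern = entry["key"], entry.get("allowedRegex", "")
        if pattern and key in labels and not re.search(pattern, labels[key]):
            msgs.append(
                f"Label <{key}: {labels[key]}> does not satisfy allowed regex: {pattern}"
            )
    return msgs


def admission_error(manifest, parameters, constraint=CONSTRAINT_NAME):
    """Return None if the pod would be admitted, else the webhook's denial text."""
    msgs = violations(manifest, parameters)
    if not msgs:
        return None
    body = " ".join(f"[{constraint}] {msg}" for msg in msgs)
    return f'admission webhook "validation.gatekeeper.sh" denied the request: {body}'


def with_label(manifest, key, value):
    """Return a deep copy of `manifest` with one extra label; the input is untouched."""
    fixed = copy.deepcopy(manifest)
    fixed.setdefault("metadata", {}).setdefault("labels", {})[key] = value
    return fixed


if __name__ == "__main__":
    # Same sequence as the README: denied first, admitted once opa-test is added.
    print(admission_error(BUSYBOX_POD, REQUIRE_OPA_LABEL))
    print(admission_error(with_label(BUSYBOX_POD, "opa-test", "hooray"), REQUIRE_OPA_LABEL))
```

This check is a convenience for catching the mistake early; the Gatekeeper webhook in the cluster remains the enforcement point, and a manifest that passes locally can still be denied if the constraint's parameters in the assignment differ from those you tested against.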
- https://github.com/open-policy-agent/frameworks/tree/master/constraint
- https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general
- https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition