This is a quick example of how to use OPA as a Mutating Admission Controller in Kubernetes 1.9.
- Register OPA as a MutatingAdmissionWebhook (the API server calls admission webhooks over HTTPS only, so the webhook registration must carry the CA bundle that signs OPA's serving certificate, and its failure policy decides whether requests are admitted when OPA is unreachable)
- Load a policy to test mutation
- Exercise the policy
| default allow = false | |
| allow { | |
| input.method = “PUT” | |
| input.resource = “air-conditioner” | |
| } | |
| allow { | |
| input.method = “GET” | |
| input.resource = “security-camera” |
| package example | |
| cert = `-----BEGIN CERTIFICATE----- | |
| MIIFiDCCA3ACCQCGV6XsfG/oRTANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMC | |
| VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFJlZHdvb2QgQ2l0eTEO | |
| MAwGA1UECgwFU3R5cmExDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJbG9jYWxob3N0 | |
| MRgwFgYJKoZIhvcNAQkBFglhc2hAc3R5cmEwHhcNMTgwMzA2MDAxNTU5WhcNMTkw | |
| MzA2MDAxNTU5WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx | |
| FTATBgNVBAcMDFJlZHdvb2QgQ2l0eTEOMAwGA1UECgwFU3R5cmExDDAKBgNVBAsM | |
| A0RldjESMBAGA1UEAwwJbG9jYWxob3N0MRgwFgYJKoZIhvcNAQkBFglhc2hAc3R5 |
| diff --git a/server/server.go b/server/server.go | |
| index aa905554..13839f2a 100644 | |
| --- a/server/server.go | |
| +++ b/server/server.go | |
| @@ -80,6 +80,7 @@ var unsafeBuiltinsMap = map[string]bool{ast.HTTPSend.Name: true} | |
| type Server struct { | |
| Handler http.Handler | |
| + router *mux.Router | |
| addrs []string |
package example

# Deny by default; only the allow rule below can grant access.
default allow = false

# Grant a GET on /index.html to any subject holding at least one of the
# permitted roles (guest, user or admin). Any other action, path or role
# set falls through to the default above.
allow {
    input.action == "GET"
    input.path == "/index.html"
    permitted := {"guest", "user", "admin"}
    some i
    permitted[input.subject.roles[i]]
}
| { | |
| "kubernetes": { | |
| "pods": { | |
| "default": { | |
| "nginx": { | |
| "metadata": { | |
| "name": "nginx", | |
| "namespace": "default" | |
| }, | |
| "spec": { |
Pros: Uses simple policy constructs. OPA will index the allow rules and yield constant-time eval. See https://blog.openpolicyagent.org/optimizing-opa-rule-indexing-59f03f17caf3
Cons: Maintaining the policy by hand becomes painful as the number of groups, subscriptions and actions grows. This can be mitigated by rendering/generating the policy from a single source of truth rather than editing it directly.
# Allow group "techlead" to do anything on subscription "X".
allow {
input.subject.group = "techlead"
$ for file in *.json; do printf '%s\n' "$file"; opa eval --input "$file" --data main.rego 'data.main.deny'; done
| multiple ecr mixed missing true false.json | |
| { | |
| "result": [ | |
| { | |
| "expressions": [ | |
| { | |
| "value": [ | |
| "(policy/ecr.rego) Image Scanning 'Scan on push' is required to be true for all ecr repositories." | |
| ], |
| diff --git a/topdown/http.go b/topdown/http.go | |
| index 856e790c..ae0c69af 100644 | |
| --- a/topdown/http.go | |
| +++ b/topdown/http.go | |
| @@ -79,70 +79,55 @@ func builtinHTTPSend(bctx BuiltinContext, args []*ast.Term, iter func(*ast.Term) | |
| return handleBuiltinErr(ast.HTTPSend.Name, bctx.Location, err) | |
| } | |
| - return builtinHTTPSendHelper(bctx, req, raiseError, iter) | |
| -} |
| package main | |
| import ( | |
| "context" | |
| "fmt" | |
| "github.com/open-policy-agent/opa/ast" | |
| "github.com/open-policy-agent/opa/rego" | |
| ) |