Closed alban closed 5 years ago
Some rules are inspired by https://github.com/open-policy-agent/kube-mgmt/pull/25/files
This PR partially fixes https://github.com/kinvolk/karydia/issues/32
The problem for karydia in the control plane is more complex and will be addressed separately, see https://github.com/kinvolk/karydia/issues/38
Starting from scratch and following our install document currently leads to:
...
+ kubectl apply -f manifests/rbac.yml
serviceaccount/karydia created
clusterrole.rbac.authorization.k8s.io/karydia-view-ksp created
clusterrole.rbac.authorization.k8s.io/karydia-networkpolicies created
clusterrolebinding.rbac.authorization.k8s.io/karydia-view created
clusterrolebinding.rbac.authorization.k8s.io/karydia-networkpolicies created
clusterrolebinding.rbac.authorization.k8s.io/karydia-view-ksp created
Error from server (NotFound): error when creating "manifests/rbac.yml": namespaces "opa" not found
Error from server (NotFound): error when creating "manifests/rbac.yml": namespaces "opa" not found
So I think we need to create the opa namespace beforehand.
@schu thanks for testing. I updated the PR, it should work now.
I tested successfully all items from docs/demo.md.
For the OPA part, I had to install the OPA rule manually. Since this is not explained in docs/install.md, docs/demo.md should explain how to do it.
karydia potentially needs to view everything via kube-mgmt. It also needs to view karydiasecuritypolicies (different API group). It needs RW access to network policies. And finally, it needs RW access to configmaps in the opa namespace via kube-mgmt.
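As an added illustration (not the PR's own manifests/rbac.yml), the manifest below grants exactly the four permission sets listed above, split into cluster-wide and namespaced roles so that the read/write rights on configmaps stay confined to the opa namespace. It also puts the Namespace object first so that a single `kubectl apply -f` no longer fails with `namespaces "opa" not found`, the ordering problem seen earlier in this thread. Assumptions, not taken from the page: the `karydia` ServiceAccount lives in the opa namespace, the `karydia-view` binding targets the built-in aggregated `view` ClusterRole (which does not cover custom resources, hence the separate `karydia-view-ksp` role), the configmap Role/RoleBinding are named `karydia-configmaps`, and the API group of `karydiasecuritypolicies` is the placeholder `<karydia-api-group>` that must be replaced with the group declared by the CRD.

```yaml
# Added example, not karydia's manifests/rbac.yml. Placeholders and assumed
# names are marked; replace <karydia-api-group> with the CRD's real group.
apiVersion: v1
kind: Namespace
metadata:
  name: opa                       # created first so namespaced objects below succeed
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: karydia
  namespace: opa                  # assumed: SA placed in the opa namespace
---
# 1. Read-only view of (almost) everything, for kube-mgmt replication.
#    Binds the built-in aggregated "view" ClusterRole; it excludes secrets
#    and custom resources, which is why rule 2 exists separately.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: karydia-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: karydia
  namespace: opa
---
# 2. Read-only view of karydiasecuritypolicies (separate API group).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: karydia-view-ksp
rules:
- apiGroups: ["<karydia-api-group>"]   # placeholder, see lead-in
  resources: ["karydiasecuritypolicies"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: karydia-view-ksp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: karydia-view-ksp
subjects:
- kind: ServiceAccount
  name: karydia
  namespace: opa
---
# 3. Read/write on network policies, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: karydia-networkpolicies
rules:
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: karydia-networkpolicies
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: karydia-networkpolicies
subjects:
- kind: ServiceAccount
  name: karydia
  namespace: opa
---
# 4. Read/write on configmaps, but only inside the opa namespace: a Role and
#    RoleBinding, not a ClusterRole, so the write right cannot leak elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karydia-configmaps        # assumed name
  namespace: opa
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: karydia-configmaps        # assumed name
  namespace: opa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: karydia-configmaps
subjects:
- kind: ServiceAccount
  name: karydia
  namespace: opa
```

After applying, the effective rights of the ServiceAccount can be checked without running the component, e.g. `kubectl auth can-i create networkpolicies --as=system:serviceaccount:opa:karydia` should answer `yes`, while `kubectl auth can-i create configmaps -n default --as=system:serviceaccount:opa:karydia` and `kubectl auth can-i get secrets --as=system:serviceaccount:opa:karydia` should both answer `no`; a `yes` on either of the last two means a binding is broader than the list above intends.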