Open bjethwan opened 4 years ago
As mentioned in #1818, you can specify the path param in the client service config to point to the mutating/validating webhook.
If it helps, here is an example of a mutating admission controller that uses that path param.
@ashutosh-narkar - It works. Thanks
https://gist.github.com/bjethwan/1926c1b64c500986018823ce611d5808
Question: Do you know if the name "opa-default-system-main" for OPA ConfigMap config has a role to play or can we separate OPA config across two ConfigMaps?
So you want to have one configmap for mutation and one for validation? That should be alright. The kube-mgmt sidecar loads config maps defined in the opa namespace by default. More info on that can be found here.
Having a mutating admission control tutorial would be nice. I'd like the tutorial to be separate from the existing validation tutorial. If we create a new tutorial I'd expect it to live in the Kubernetes section on the website: https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/. What I envision is another tutorial that shows how you can do mutation and validation TOGETHER. The composition part is key here. There are a few examples of this online, one of them can be found here: https://github.com/tsandall/validating-and-mutating-example
To complete this successfully you'll need to be familiar with Kubernetes admission control and writing policy in OPA. A few things that need to be called out in the tutorial specifically:
These are covered in the link above.
The other thing to cover is installation/deployment, e.g., how to configure mutating and validating webhooks.
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.
It's not clear as to how we get both mutating & validating webhooks working for OPA in kubernetes.
I tried reading through opa/issues/943 and opa/issues/1818.
I recommend making this simpler (for people new to OPA) with additional context and publishing that as a tutorial under https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/. That way I will be confident enough to roll this out in production.
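Added example (not part of the issue thread and not the OPA project's own manifests): one way the `path` field discussed above can route a mutating and a validating webhook to different rules on the same OPA service. The webhook names, the `opa` service and namespace, the Rego package paths and the `caBundle` value are assumptions or placeholders, and the policies are assumed to return `admission.k8s.io/v1` AdmissionReview responses.

```yaml
# Added example; all names, paths and the caBundle value are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: opa-mutating-webhook               # hypothetical name
webhooks:
  - name: mutating.opa.example.com         # hypothetical name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore                  # fail open: request proceeds if OPA is unreachable
    clientConfig:
      caBundle: <BASE64_CA_BUNDLE>         # placeholder
      service:
        namespace: opa                     # assumed namespace
        name: opa                          # assumed service name
        # OPA v0 Data API path of the rule that builds the mutating response
        path: /v0/data/kubernetes/admission/mutating/main    # assumed package
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: opa-validating-webhook             # hypothetical name
webhooks:
  - name: validating.opa.example.com       # hypothetical name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                    # fail closed: request is rejected if OPA is unreachable
    namespaceSelector:                     # keep OPA's own namespace out of scope
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["opa"]
    clientConfig:
      caBundle: <BASE64_CA_BUNDLE>         # placeholder
      service:
        namespace: opa
        name: opa
        # Same service, different rule: the validating decision
        path: /v0/data/kubernetes/admission/validating/main  # assumed package
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
```

Kubernetes runs mutating webhooks before validating ones, so with this layout the validating rule evaluates the object after any patches from the mutating rule have been applied.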