open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Publish the mutating admission controller tutorial #2051

Open bjethwan opened 4 years ago

bjethwan commented 4 years ago

It's not clear as to how we get both mutating & validating webhooks working for OPA in kubernetes.

I tried reading through opa/issues/943 and opa/issues/1818.

I recommend making this simpler (for people new to OPA) with additional context and publishing that as a tutorial under https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/. That way I will be confident enough to roll this out in production.

ashutosh-narkar commented 4 years ago

As mentioned in #1818 , you can specify the path param in the client service config to point to the mutating/validating webhook.

If it helps, here is an example of a mutating admission controller that uses that path param.
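
Added example, not code from the issue or from the OPA project: one OPA service fronting both a validating and a mutating webhook, distinguished only by the `clientConfig.service.path` of each webhook registration. The path is an OPA Data API `/v0/data/<package path>` URL, so the API server's full AdmissionReview body becomes `input` and the package's `main` document is returned as the response. The service name and namespace (`opa`/`opa`), the webhook names, the package names `kubernetes.admission.validating` and `kubernetes.admission.mutating`, the `openpolicyagent.org/policy=rego` ConfigMap label, and the CA bundle placeholder are all assumptions for illustration; the validating policy is assumed to already exist in its own ConfigMap.

```yaml
# Added example (assumptions marked): two webhooks, one OPA service, two paths.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: opa-validating-webhook          # assumed name
webhooks:
  - name: validating.opa.example.com    # assumed name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                 # fail closed if OPA is unreachable
    clientConfig:
      service:
        namespace: opa                  # assumed service namespace
        name: opa                       # assumed service name
        path: /v0/data/kubernetes/admission/validating
      caBundle: <base64-encoded CA that signed the OPA serving certificate>
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: opa-mutating-webhook            # assumed name
webhooks:
  - name: mutating.opa.example.com      # assumed name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    clientConfig:
      service:
        namespace: opa
        name: opa
        path: /v0/data/kubernetes/admission/mutating   # same service, different package
      caBundle: <base64-encoded CA that signed the OPA serving certificate>
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
---
# Mutation policy in its own ConfigMap; kube-mgmt loads it into OPA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mutating-policy                 # assumed name
  namespace: opa
  labels:
    openpolicyagent.org/policy: rego    # selector label kube-mgmt uses (assumption; check your kube-mgmt version)
data:
  mutating.rego: |
    package kubernetes.admission.mutating

    # The webhook path resolves to this document, so it must be a full AdmissionReview.
    main = {
      "apiVersion": "admission.k8s.io/v1",
      "kind": "AdmissionReview",
      "response": response,
    }

    # Nothing to patch: allow the object untouched.
    response = {"uid": input.request.uid, "allowed": true} {
      count(patches) == 0
    }

    # Patches present: return a base64-encoded JSON Patch document.
    response = {
      "uid": input.request.uid,
      "allowed": true,
      "patchType": "JSONPatch",
      "patch": base64.encode(json.marshal(patches)),
    } {
      count(patches) > 0
    }

    # Illustrative mutation: label every Pod. JSON Patch "add" fails if the
    # parent map is missing, so create /metadata/labels when it is absent.
    patches[patch] {
      input.request.kind.kind == "Pod"
      not input.request.object.metadata.labels
      patch := {"op": "add", "path": "/metadata/labels",
                "value": {"example.com/mutated": "true"}}
    }

    patches[patch] {
      input.request.kind.kind == "Pod"
      input.request.object.metadata.labels
      not input.request.object.metadata.labels["example.com/mutated"]
      patch := {"op": "add", "path": "/metadata/labels/example.com~1mutated",
                "value": "true"}
    }
```

Two things worth checking before rolling this out. First, the API server runs mutating webhooks before validating ones, so the validating package sees the object after the patch above has been applied; write validation rules against the mutated shape. Second, the `/` root path used in the existing validation tutorial routes to `system.main`; once two packages share one OPA instance, give each webhook an explicit `/v0/data/...` path as above and confirm with `kubectl get validatingwebhookconfiguration,mutatingwebhookconfiguration -o yaml` that both point at the paths you expect.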

bjethwan commented 4 years ago

@ashutosh-narkar - It works. Thanks

https://gist.github.com/bjethwan/1926c1b64c500986018823ce611d5808

Question: Do you know if the name "opa-default-system-main" for OPA ConfigMap config has a role to play or can we separate OPA config across two ConfigMaps?

ashutosh-narkar commented 4 years ago

So you want to have one configmap for mutation and one for validation? That should be alright. The kube-mgmt sidecar loads config maps defined in the opa namespace by default. More info on that can be found here.

tsandall commented 4 years ago

Having a mutating admission control tutorial would be nice. I'd like the tutorial to be separate from the existing validation tutorial. If we create a new tutorial I'd expect it to live in the Kubernetes section on the website: https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/. What I envision is another tutorial that shows how you can do mutation and validation TOGETHER. The composition part is key here. There a few examples of this online, one of them can be found here: https://github.com/tsandall/validating-and-mutating-example

To complete this successfully you'll need to be familiar with Kubernetes admission control and writing policy in OPA. A few things that need to be called out in the tutorial specifically:

These are covered in the link above.

The other thing to cover is installation/deployment, e.g., how to configure mutating and validating webhooks.

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.