Using OPA
There are several ways to manage policies and data of the OPA service.
One simple approach is to use OPA kube-mgmt and manage Rego policies in Kubernetes Configmap
resources. By default Mesh for Data installs OPA with kube-mgmt enabled.
This task shows how to use OPA with kube-mgmt.
Warning
Due to size limits you must ensure that each configmap is smaller than 1MB when base64 encoded.
Using a configmap YAML
- Create a configmap with a Rego policy and an openpolicyagent.org/policy=rego label in the m4d-system namespace:

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: <policy-name>
    namespace: m4d-system
    labels:
      openpolicyagent.org/policy: rego
  data:
    main: |
      <your rego policy here>
- Apply the configmap:
kubectl apply -f <policy-name>.yaml
- To remove the policy just remove the configmap:
kubectl delete -f <policy-name>.yaml
Using a Rego file
You can use kubectl to create a configmap from a Rego file. To create a configmap named <policy-name> from a Rego file in path <policy-name.rego>:
kubectl create configmap <policy-name> --from-file=main=<policy-name.rego> -n m4d-system
kubectl label configmap <policy-name> openpolicyagent.org/policy=rego -n m4d-system
Delete the policy with kubectl delete configmap <policy-name> -n m4d-system.
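The two procedures above both produce a labelled ConfigMap in m4d-system, and the warning above bounds its base64-encoded size. The script below is an added example, not part of the Mesh for Data docs: it renders that manifest from a Rego file with the kube-mgmt label already set and refuses to emit it when the encoded manifest would exceed the 1MB limit. The policy name, file path and sample Rego content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Mesh for Data project): render a kube-mgmt
# ConfigMap manifest from a Rego file and enforce the 1MB base64 limit before
# it is applied. Output goes to stdout so it can be piped to "kubectl apply -f -".
set -eu

LIMIT=1048576   # 1MB (1024*1024 bytes) budget for the base64-encoded ConfigMap

# Print a ConfigMap named $1 in m4d-system, labelled for kube-mgmt, with the
# Rego source from file $2 under the "main" key (same layout as the YAML above).
render_policy_configmap() {
  name=$1; rego_file=$2
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: m4d-system\n' "$name"
  printf '  labels:\n    openpolicyagent.org/policy: rego\ndata:\n  main: |\n'
  # indent every policy line so it nests under the "main: |" block scalar
  sed 's/^/    /' "$rego_file"
}

# Succeed (exit 0) only if the base64 encoding of the manifest on stdin is below LIMIT.
within_size_limit() {
  size=$(base64 | tr -d '\n' | wc -c | tr -d ' ')
  [ "$size" -lt "$LIMIT" ]
}

# Constructed sample policy (hypothetical file name) so the script runs stand-alone.
cat > /tmp/example-policy.rego <<'EOF'
package example

default allow = false

allow {
    input.user == "alice"
}
EOF

if render_policy_configmap example-policy /tmp/example-policy.rego | within_size_limit; then
  render_policy_configmap example-policy /tmp/example-policy.rego
else
  echo "policy exceeds the 1MB base64 limit; split it across several configmaps" >&2
  exit 1
fi
```

Pipe the output to kubectl apply -f - to load the policy, or to kubectl apply --dry-run=client -f - to validate the manifest first.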