forked from open-policy-agent/opa-envoy-plugin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
quick_start.yaml
439 lines (425 loc) · 18.2 KB
/
quick_start.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
############################################################
# Envoy External Authorization filter that will query OPA.
############################################################
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ext-authz
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.ext_authz
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
transport_api_version: V3
status_on_error:
code: ServiceUnavailable
with_request_body:
max_request_bytes: 8192
allow_partial_message: true
grpc_service:
# NOTE(tsandall): when this was tested with the envoy_grpc client the gRPC
# server was receiving check requests over HTTP 1.1. The gRPC server in
# OPA-Istio would immediately close the connection and log that a bogus
# preamble was sent by the client (it expected HTTP 2). Switching to the
# google_grpc client resolved this issue.
google_grpc:
target_uri: 127.0.0.1:9191
stat_prefix: "ext_authz"
---
############################################################
# Namespace for cluster-wide OPA-Istio components.
############################################################
apiVersion: v1
kind: Namespace
metadata:
name: opa-istio
---
############################################################
# TLS certificate for OPA admission controller.
############################################################
apiVersion: v1
kind: Secret
metadata:
name: server-cert
namespace: opa-istio
data:
tls.crt: |-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZZRENDQTBpZ0F3SUJBZ0lKQUlWYlFzL2o3
VmJDTUEwR0NTcUdTSWIzRFFFQkN3VUFNQnN4R1RBWEJnTlYKQkFNTUVFOVFRU0JGYm5admVTQndi
SFZuYVc0d0hoY05NakF4TVRJek1UQTBORE00V2hjTk1qVXhNVEl5TVRBMApORE00V2pBVU1SSXdF
QVlEVlFRRERBbHZjR0V0Wlc1MmIza3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDCkR3QXdn
Z0lLQW9JQ0FRRCtsK2FpNUlBelZxc3U0RlFtNkRJclZaNTVHV2ZRbkFiUGxLbzl5VEtTOHhRNVBN
NkoKMHI4S2RtNE5FckdlRUVSTEN6cW1HdW9ORGhxaWwwQTZNVFd3aG4rbXFNSVNTQjU1ZmVUMEtr
ZWNYOUtrLy84OQoxM3hRMFU5VmlNSi9sK3RvRXBBUHJwVGNYSTByVDdBYUZwTmRrSDY0MmJCR1JI
bXBkK1lpWFRjVGZ5cXo2ZHZlCndlbmROcERQckI5UHc5N1k5amxUbXZTaTVpVFZqMitZSmd3a21L
QnRGVHNqVkdIT2VmZ0FIcURob0M4TmhocDAKYUxqTTNzaGhpM2JUd1A2VjVOT212dnVLUm1tN3pm
azdMVUJZTkxYNmZYSXpDcFIxUEpBeGdra01UWlA2Y1hFNAordm4xako3bS9lZHFZVHUyK242dEdQ
WFVST2FZKzNNTkVNbm4xY1ZzMVRLQ25jbmFnU3RvcUZ3bmhWak4yNlV1CjE3c1puZitsNXFPd0di
TmNseDdIckY2SHNpU2hBKzEzOE5pbUt4bmZtQ3l2YnZJOHBYMUkxMXV5SzB6Wmg2Mk4KRHBPdU1E
VWFGQldkR05veGNwNXFEcHNWancxUzJCWWpkZlduTzVjZWc5WnNzSmNNVXFhOHRIdVF3ejBERjhv
cQpyeGI4MFZOMDUzcWlpQnVCUGg4MVpRQnZFeitTMERFakdPcUNnMGxPV0hMWTdLanBSbUh5TVo5
K0Z0NHRNQU91Cm9CaUFzYmdoSnVMREZ5bklHcUNQNS91OHN3QTdSUHlKODFuWnV1TWZKVTlHUnF1
OUgydlEzczRXYzlFRXZaZGkKNnZhTCticXlSNFJyNlg0YXpnb1ZGRlA1dzR4WTBCR1Z4WWN6cWlS
Tnc4cHRlNm5SWlhsZk5iT1NOUUlEQVFBQgpvNEd0TUlHcU1BNEdBMVVkRHdFQi93UUVBd0lEdURB
VEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQWRCZ05WCkhRNEVGZ1FVS1hTN2tUR2FlOHRLWVp2
UkxSUzV4U0h3cTRFd05RWURWUjBqQkM0d0xLRWZwQjB3R3pFWk1CY0cKQTFVRUF3d1FUMUJCSUVW
dWRtOTVJSEJzZFdkcGJvSUpBTmFPYlFCRlAwMWlNQzBHQTFVZEVRUW1NQ1NDSW1GawpiV2x6YzJs
dmJpMWpiMjUwY205c2JHVnlMbTl3WVMxcGMzUnBieTV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFE
CmdnSUJBS3RxZWY0dE12R3hCZU0xKy9GZTRxOVYrOUpuMHFKb1A0aWVTQXB3aGtxekFKYllJUno2
VkNrK2V2WkUKWHZ2MjVCQmVOSUQwd2pXb1hEdHdTMVgrQ0hkN0J5TEdLNjZEMitwZXpFN0hDenhD
RUxKNCtpWXRjS3JVQTR2ZQpXbkVnSW5qa1Vpb3kwZkRkWmVUWG5ISUlpeTlJVVZEVDlxN2xHalE0
YXhiSUd6NkczY2VHUStYOVFCMDAzMzNICm82emY5a1Frc1hQam00dWpsOVV2Z1JkNDVZQW04Y3FK
cTRqb3hHQjdGMVpUMVJYbkdKeXYvd3FOSk04VGQ5UGoKYXNiN0lCa09Lelh4VmREWE5UZmNLWU44
TzNFQkwwVGo0VExtM1VKUmNxeGhFNk1ZVXJvRTYvZHIybHh0ZzRZLwo1SmpYWjBiQ2ZyTnh5UFIz
NTEyNDRPWnVQMzM0ajhDOXg1cU1YaDZUMzhpS01GWmxwNmpjMEdZTUdzK3pBNGNlCk5GWk9RMjF6
ZE9vR2NQS2d3NDJjd09iU1ZaRUl0NFJIN0hVcDdDV1pCK0VpTXQxZUVKa1VkeE5jUFl3VlBmdSsK
Z2JJV3Y2ZUl6VkJJOElBdHdUQTBFcmU1RGxQQmYyTnJOclB1cmZzYjJiZ21CUTFJREN6V29yUnE2
WG1UMWUregovM1JSYVJpVUx4TmFub2szTGdSa09oWDZqR3FiM1gxRjhwdHNiK1BHUnlXcDVkdS9D
UEFucGZ3VnVtbzQ4bXBxCkRJSWRMMVBLZk1DZFlrMGFLZ0xUVnU0bDI2N1B4cklpaGs4SHFRWFdQ
YVp5NDJ0UlVaOXZFNWZoblNwMXpGQUsKcTNaMVcxVDdpMkNQdmFuNTlGckhlUG9ia0Z2Z1M4M3Zu
VXFIM2h6aGZ1QlpDMmNmCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: |-
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBL3BmbW91U0FN
MWFyTHVCVUp1Z3lLMVdlZVJsbjBKd0d6NVNxUGNreWt2TVVPVHpPCmlkSy9Dblp1RFJLeG5oQkVT
d3M2cGhycURRNGFvcGRBT2pFMXNJWi9wcWpDRWtnZWVYM2s5Q3BIbkYvU3BQLy8KUGRkOFVORlBW
WWpDZjVmcmFCS1FENjZVM0Z5TkswK3dHaGFUWFpCK3VObXdSa1I1cVhmbUlsMDNFMzhxcytuYgoz
c0hwM1RhUXo2d2ZUOFBlMlBZNVU1cjBvdVlrMVk5dm1DWU1KSmlnYlJVN0kxUmh6bm40QUI2ZzRh
QXZEWVlhCmRHaTR6TjdJWVl0MjA4RCtsZVRUcHI3N2lrWnB1ODM1T3kxQVdEUzErbjF5TXdxVWRU
eVFNWUpKREUyVCtuRngKT1ByNTlZeWU1djNuYW1FN3R2cCtyUmoxMUVUbW1QdHpEUkRKNTlYRmJO
VXlncDNKMm9FcmFLaGNKNFZZemR1bApMdGU3R1ozL3BlYWpzQm16WEpjZXg2eGVoN0lrb1FQdGQv
RFlwaXNaMzVnc3IyN3lQS1Y5U05kYnNpdE0yWWV0CmpRNlRyakExR2hRVm5SamFNWEtlYWc2YkZZ
OE5VdGdXSTNYMXB6dVhIb1BXYkxDWERGS212TFI3a01NOUF4ZksKS3E4Vy9ORlRkT2Q2b29nYmdU
NGZOV1VBYnhNL2t0QXhJeGpxZ29OSlRsaHkyT3lvNlVaaDhqR2ZmaGJlTFRBRApycUFZZ0xHNElT
Yml3eGNweUJxZ2orZjd2TE1BTzBUOGlmTloyYnJqSHlWUFJrYXJ2UjlyME43T0ZuUFJCTDJYCll1
cjJpL202c2tlRWErbCtHczRLRlJSVCtjT01XTkFSbGNXSE02b2tUY1BLYlh1cDBXVjVYeld6a2pV
Q0F3RUEKQVFLQ0FnQUJGWFoyNVJBaXA5RE12MG04YktxaUFwaE5IYTJTZHNlVXBLWmc0dlZqS01Q
Q1JwNytlVFkwL2pJVAp2aXVoWjZKU3kzWnhkSlhnZmxuZ3JWSXByVUgwUVc1VHNFNDdNN0ZsaFFL
dmcycVFvTnZOdGdWSkp4eXhYMksrCkUzbjRmeFlTZUZuQ3AxU2M1NHYyVGoyS3J1UHJ0d3pERHJJ
d2FtUTJNM3Q0VS90REN2eU1qWWRSR0hROWE5a0wKK1VpYzExR2dqTlBMcGxJNlMwNkcxamg4WmxV
UTV0RndCWEllQVdMMU5SRzRObWtxN0xxbWpSYVp2a1JqSXVPcApmcVYvMjBkNkxlSTB5SVZibmxj
ZTVJNldFT2hBTitFNmNzUkVzVnZXYis2Uk4yUEdPS0pUbzUzK3h4cS9UOXp4ClVNMW1aNG1RaXRw
MU5ERC91VmRkK1Z3UkJ5eEUzVGlsem1jdGZBejdyQnhaTFhKRlJDQzRMUXZ2NExveVhtTTIKSGV5
WTJkRUhPNUxGbVZrWGJSTHM2MHhhVGcxQ1JVL3ZxTjhDd3NteDhnVWp4N1dxYjVGTjdkZ3J3MXhL
OFlvWApNQXNwRml4bTU3QlREZVhlUnlNa1VoanlEVjhCQ3l6TzVaL2RDTERwb1BveXZFeU1La3hv
UWxiUWNKcGtHL2RXCmw0U2d0UkRjRExlVGhyaTRlVFlDbS9uZjN5cmlicFpVZjBSRzMwejBBV1dS
SWEvcGZNOUM0OUZ0M1NtREdQbjIKMkRSUEhyampVT21mRTB4R1VLbmkrQ3VvZ2RJdEhnZXR1U0tY
TUl0emNxTkhFRE5kdlJNdlpaZk5UNEpvWUVIbwp5OWRVa0dlME1vbEdhWm80Q0tIcFZ2UjlYNE5n
a080dFBKK1h3TE1wUGYveWI0TFRJUUtDQVFFQS82TWpSOVVnCjRhQy9RZ1c5L0dxSHMyUnRRZEtU
ZFhNeExsQnl1OWFtbEJyQS9kQUpZem5XckpZNytmVzh2ZzBCOHI4a1A2cmUKQmZvY3F4RmRrcS9J
RTl0L3JHTGJWa2lDTVRKMU80ak9jZHhKVlZGRTIwd001cmRwZE9scWp6SUE3TURiSXFiZwpEYm9n
aHVqZC8rd3dDclI2eG1jeGlkSHZXMzZOM0YzY05QTnk5MVFlS1lrWjVBc2ZVRUxBdFA1QnRUb0dC
ZkFHCkF1bExmdWVnZ2IxczU1NTBJb3Vwc2lydGhRMTdobC9mc05vSWd4eE14aHUrUUpRWjFEZlll
L096YzNJMy9sOFUKcDBzWmRROTlONmF3L3hTUGZ1Wi8ya2FucjNUazJ3NXdyeW1VUkxXMEkzSHRu
MENmRVVHeGphbWNLaU5Qd25wTwpWVHYydy90eWdnOEhiUUtDQVFFQS92UmlSNlVPQnZpNjBRVkpt
UzV5Zm5nNlJ5TnIrb2NodE9NSndLQklkRVg3ClpCV3lQMVdIbEYrYStFalhSWXdJb01SRy9maUZi
K1F1NjZtVVBPd0NwdElvSy9JTS9ROUFWaVhEQUpwemdkZE0KQzZnNFErVmFVTWd2MGZTZEZZSWZR
d3RxY0JZcnlJZzJPQ3c5clBXNEI5WURnUWhXV3FTK09OeW1CejJacFRlTQpYdjVBUDlQVDN1N2hu
cTgyVHdybWMzQjNmTzBpTmhEL295cnNoYUtZVWxqRjAxNmVpWkdVajdUbmlXNW5mLzczCnZ3ZDhH
R0RPeWxMR2pLTUtCNzgxc0RyK1F4aEV4R2puZTlFaHFtNGF1b3A2Q1VvMVhDK0p3allua3VIaHgy
T1MKUHBMUjZlRjJ0eWYzV0RPYXozNFhyVE5PQkRqV1pPY0doclYvRjJzUTZRS0NBUUVBeEJBREJ4
elhVelZPZXZ5YwpjZlBpa0J2K0QvWEpVdE0rYlI4V1lDcUpLQjQ4MW0yd1JZSWV1OCtkd0dCUW1o
S3Y0OVhsbjA4VmFkQWlITEg4CjZud1hIK1BCVUIyaHk5Tmd4d3JFRHgwbCtQM1M0TFNyOHVXcEgy
cWNYeWFHcTd6V0tMN2hVdnBaN1MxTHRTejAKMTB2MnJMOHZTdXZxZXFHZ3lyT05hZTR5N2dtcHF6
ZkF5bXAwaVFwZXdkZndwT0E4MVJuamRMcGFZZkU4RGVEbwpvWmorNWNZSm5GVXhtWXlERHdFQU5G
ZGo0T2ZZajNZdEMrUkxUb3hJSXhPUjNiOVRhciszWWtqYU5sVEsrWlVmCm5JY2tTUDhqNzFncHh1
ZFp4S0FLeGxlVTVVTW1qR3d2OU45ME9DZi8xK1Jpb1J2c3dnVERMNDFPZHVDK3FpRTMKK2JnOUlR
S0NBUUJDdExnK0hJNVYvcUFLYmtLNlpHK3FiVlI2Sm1kckRnNGdvTUo5ZHJKZVVhMGJtNTJlZW9k
VgpwOG9KS2kzQTBZbTBYb1pnanJTQytRWFp2TzIvSHRUMnhzZWg3OXU4SGxCcitjZFNraGFrb3lz
UFpiMEs3cWc1CnVKYmliUWpvaHJvZE5aQnNzVEJWY0dZWFBtUUlxK1d4anlvdGlYdm1qWElEdUo5
c0I0NzZybFQ0eWJjUHZDR1UKRTVaT2lYTkJMUTNzcUVGckd6UTNSeTFMaU1DSG1tb1dLWW5nNnNH
NkpxL2pCYWNLeXlzalR4ZU5FSzFFUjVmegpVY01IS3VWRjc1NWhkSjN2K2hxTDlSS1R6N3pxTlpL
aXVmYUNGYnR1V2pYRjdadGZEK0NkNVl4dStNVVpWMWRUClJvNnRzaHJRTFNLT3UzeXZHQnZvSEpZ
Vmlza3MzR041QW9JQkFFYURHb1JmTHhRSmxHMEUyd21YRjY5ZGpuRzgKMXdPWkxaTHI4RGRuME1E
VGY0OXBtZ0VISW5vOUxVOTEyWkVqelMxQmFaN1hqUkluTFV0TlU0WDU2V3ViWHpzVwpNc3gvSDBr
dGcxN21QcFE0d0FZNGtpZHU1cHpEdUJnek9XWHNVMFE5ZWhoU1dLWmxvcW1GaHNVbUtqaVhCQnk3
CjI3WjZET2xmMTlZeWJkR2I4WmNGb0plRUZ1YVFEN25KWll5cFFTNXAxdmR1MUNtVDRLeklNZjBt
Sm9FT0JmcFQKWDQ4ZmFDNXAvN2tQaThaeG9CMlNrTWd1UzR0bDdsdjdBUE1UTjRzajVuRGtGWUN0
L2l5UXZsUWR0bjYvRXFrawo3Q2MwOUpzN2k4SUNFekwrY01UZHg0SmFkTVVISDRuSFhSeDFlSkQ4
WUFVTTBLTXp0bEdYSys0VjkyWT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
---
############################################################
# OPA admission control policy for injecting OPA-Istio.
############################################################
apiVersion: v1
kind: ConfigMap
metadata:
namespace: opa-istio
name: inject-policy
data:
inject.rego: |
package istio
inject = {
"apiVersion": "admission.k8s.io/v1beta1",
"kind": "AdmissionReview",
"response": {
"allowed": true,
"patchType": "JSONPatch",
"patch": base64.encode(json.marshal(patch)),
},
}
patch = [{
"op": "add",
"path": "/spec/containers/-",
"value": opa_container,
}, {
"op": "add",
"path": "/spec/volumes/-",
"value": opa_config_volume,
}, {
"op": "add",
"path": "/spec/volumes/-",
"value": opa_policy_volume,
}]
opa_container = {
"image": "openpolicyagent/opa:latest-istio",
"name": "opa-istio",
"args": [
"run",
"--server",
"--config-file=/config/config.yaml",
"--addr=localhost:8181",
"--diagnostic-addr=0.0.0.0:8282",
"/policy/policy.rego",
],
"volumeMounts": [{
"mountPath": "/config",
"name": "opa-istio-config",
}, {
"mountPath": "/policy",
"name": "opa-policy",
}],
"readinessProbe": {
"httpGet": {
"path": "/health?plugins",
"port": 8282,
},
},
"livenessProbe": {
"httpGet": {
"path": "/health?plugins",
"port": 8282,
},
}
}
opa_config_volume = {
"name": "opa-istio-config",
"configMap": {"name": "opa-istio-config"},
}
opa_policy_volume = {
"name": "opa-policy",
"configMap": {"name": "opa-policy"},
}
---
############################################################
# Service to expose OPA admission controller (required by Kubernetes.)
############################################################
apiVersion: v1
kind: Service
metadata:
name: admission-controller
namespace: opa-istio
labels:
app: admission-controller
spec:
ports:
- port: 443
name: https
selector:
app: admission-controller
---
############################################################
# OPA admission controller deployment for injecting OPA-Istio.
############################################################
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: admission-controller
namespace: opa-istio
name: admission-controller
spec:
replicas: 1
selector:
matchLabels:
app: admission-controller
template:
metadata:
labels:
app: admission-controller
name: admission-controller
spec:
containers:
- image: openpolicyagent/opa:latest
name: opa
ports:
- containerPort: 443
args:
- "run"
- "--server"
- "--tls-cert-file=/certs/tls.crt"
- "--tls-private-key-file=/certs/tls.key"
- "--addr=0.0.0.0:443"
- "/policies/inject.rego"
livenessProbe:
httpGet:
path: /health?plugins
scheme: HTTPS
port: 443
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?plugins
scheme: HTTPS
port: 443
initialDelaySeconds: 5
periodSeconds: 5
volumeMounts:
- readOnly: true
mountPath: /certs
name: server-cert
- readOnly: true
mountPath: /policies
name: inject-policy
volumes:
- name: inject-policy
configMap:
name: inject-policy
- name: server-cert
secret:
secretName: server-cert
---
############################################################
# OPA admission controller configuration.
############################################################
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: opa-istio-admission-controller
webhooks:
- name: istio.openpolicyagent.org
clientConfig:
service:
name: admission-controller
namespace: opa-istio
path: "/v0/data/istio/inject"
caBundle: |-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZZRENDQTBpZ0F3SUJBZ0lKQUlWYlFzL2o3
VmJDTUEwR0NTcUdTSWIzRFFFQkN3VUFNQnN4R1RBWEJnTlYKQkFNTUVFOVFRU0JGYm5admVTQndi
SFZuYVc0d0hoY05NakF4TVRJek1UQTBORE00V2hjTk1qVXhNVEl5TVRBMApORE00V2pBVU1SSXdF
QVlEVlFRRERBbHZjR0V0Wlc1MmIza3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDCkR3QXdn
Z0lLQW9JQ0FRRCtsK2FpNUlBelZxc3U0RlFtNkRJclZaNTVHV2ZRbkFiUGxLbzl5VEtTOHhRNVBN
NkoKMHI4S2RtNE5FckdlRUVSTEN6cW1HdW9ORGhxaWwwQTZNVFd3aG4rbXFNSVNTQjU1ZmVUMEtr
ZWNYOUtrLy84OQoxM3hRMFU5VmlNSi9sK3RvRXBBUHJwVGNYSTByVDdBYUZwTmRrSDY0MmJCR1JI
bXBkK1lpWFRjVGZ5cXo2ZHZlCndlbmROcERQckI5UHc5N1k5amxUbXZTaTVpVFZqMitZSmd3a21L
QnRGVHNqVkdIT2VmZ0FIcURob0M4TmhocDAKYUxqTTNzaGhpM2JUd1A2VjVOT212dnVLUm1tN3pm
azdMVUJZTkxYNmZYSXpDcFIxUEpBeGdra01UWlA2Y1hFNAordm4xako3bS9lZHFZVHUyK242dEdQ
WFVST2FZKzNNTkVNbm4xY1ZzMVRLQ25jbmFnU3RvcUZ3bmhWak4yNlV1CjE3c1puZitsNXFPd0di
TmNseDdIckY2SHNpU2hBKzEzOE5pbUt4bmZtQ3l2YnZJOHBYMUkxMXV5SzB6Wmg2Mk4KRHBPdU1E
VWFGQldkR05veGNwNXFEcHNWancxUzJCWWpkZlduTzVjZWc5WnNzSmNNVXFhOHRIdVF3ejBERjhv
cQpyeGI4MFZOMDUzcWlpQnVCUGg4MVpRQnZFeitTMERFakdPcUNnMGxPV0hMWTdLanBSbUh5TVo5
K0Z0NHRNQU91Cm9CaUFzYmdoSnVMREZ5bklHcUNQNS91OHN3QTdSUHlKODFuWnV1TWZKVTlHUnF1
OUgydlEzczRXYzlFRXZaZGkKNnZhTCticXlSNFJyNlg0YXpnb1ZGRlA1dzR4WTBCR1Z4WWN6cWlS
Tnc4cHRlNm5SWlhsZk5iT1NOUUlEQVFBQgpvNEd0TUlHcU1BNEdBMVVkRHdFQi93UUVBd0lEdURB
VEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQWRCZ05WCkhRNEVGZ1FVS1hTN2tUR2FlOHRLWVp2
UkxSUzV4U0h3cTRFd05RWURWUjBqQkM0d0xLRWZwQjB3R3pFWk1CY0cKQTFVRUF3d1FUMUJCSUVW
dWRtOTVJSEJzZFdkcGJvSUpBTmFPYlFCRlAwMWlNQzBHQTFVZEVRUW1NQ1NDSW1GawpiV2x6YzJs
dmJpMWpiMjUwY205c2JHVnlMbTl3WVMxcGMzUnBieTV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFE
CmdnSUJBS3RxZWY0dE12R3hCZU0xKy9GZTRxOVYrOUpuMHFKb1A0aWVTQXB3aGtxekFKYllJUno2
VkNrK2V2WkUKWHZ2MjVCQmVOSUQwd2pXb1hEdHdTMVgrQ0hkN0J5TEdLNjZEMitwZXpFN0hDenhD
RUxKNCtpWXRjS3JVQTR2ZQpXbkVnSW5qa1Vpb3kwZkRkWmVUWG5ISUlpeTlJVVZEVDlxN2xHalE0
YXhiSUd6NkczY2VHUStYOVFCMDAzMzNICm82emY5a1Frc1hQam00dWpsOVV2Z1JkNDVZQW04Y3FK
cTRqb3hHQjdGMVpUMVJYbkdKeXYvd3FOSk04VGQ5UGoKYXNiN0lCa09Lelh4VmREWE5UZmNLWU44
TzNFQkwwVGo0VExtM1VKUmNxeGhFNk1ZVXJvRTYvZHIybHh0ZzRZLwo1SmpYWjBiQ2ZyTnh5UFIz
NTEyNDRPWnVQMzM0ajhDOXg1cU1YaDZUMzhpS01GWmxwNmpjMEdZTUdzK3pBNGNlCk5GWk9RMjF6
ZE9vR2NQS2d3NDJjd09iU1ZaRUl0NFJIN0hVcDdDV1pCK0VpTXQxZUVKa1VkeE5jUFl3VlBmdSsK
Z2JJV3Y2ZUl6VkJJOElBdHdUQTBFcmU1RGxQQmYyTnJOclB1cmZzYjJiZ21CUTFJREN6V29yUnE2
WG1UMWUregovM1JSYVJpVUx4TmFub2szTGdSa09oWDZqR3FiM1gxRjhwdHNiK1BHUnlXcDVkdS9D
UEFucGZ3VnVtbzQ4bXBxCkRJSWRMMVBLZk1DZFlrMGFLZ0xUVnU0bDI2N1B4cklpaGs4SHFRWFdQ
YVp5NDJ0UlVaOXZFNWZoblNwMXpGQUsKcTNaMVcxVDdpMkNQdmFuNTlGckhlUG9ia0Z2Z1M4M3Zu
VXFIM2h6aGZ1QlpDMmNmCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
namespaceSelector:
matchLabels:
opa-istio-injection: enabled
failurePolicy: Fail
---
############################################################
# Example configuration to bootstrap OPA-Istio sidecars.
############################################################
apiVersion: v1
kind: ConfigMap
metadata:
name: opa-istio-config
data:
config.yaml: |
plugins:
envoy_ext_authz_grpc:
addr: :9191
path: istio/authz/allow
decision_logs:
console: true
---
############################################################
# Example policy to enforce into OPA-Istio sidecars.
############################################################
apiVersion: v1
kind: ConfigMap
metadata:
name: opa-policy
data:
policy.rego: |
package istio.authz
import input.attributes.request.http as http_request
import input.parsed_path
default allow = false
allow {
parsed_path[0] == "health"
http_request.method == "GET"
}
allow {
roles_for_user[r]
required_roles[r]
}
roles_for_user[r] {
r := user_roles[user_name][_]
}
required_roles[r] {
perm := role_perms[r][_]
perm.method = http_request.method
perm.path = http_request.path
}
user_name = parsed {
[_, encoded] := split(http_request.headers.authorization, " ")
[parsed, _] := split(base64url.decode(encoded), ":")
}
user_roles = {
"alice": ["guest"],
"bob": ["admin"]
}
role_perms = {
"guest": [
{"method": "GET", "path": "/productpage"},
],
"admin": [
{"method": "GET", "path": "/productpage"},
{"method": "GET", "path": "/api/v1/products"},
],
}