# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# kubectl create configmap inventory-policy -n apps --from-file policy.rego
# ClusterIP Service fronting the OPA pods on their in-cluster HTTP port.
# OPA's REST API (query endpoints and the policy/data management endpoints)
# is reachable through this Service; unless the server is started with
# --authentication/--authorization, any workload that can reach port 8181
# can use it, so scope callers with a NetworkPolicy on shared clusters.
apiVersion: v1
kind: Service
metadata:
  name: opa
  namespace: apps
  labels:
    app: opa
spec:
  type: ClusterIP
  selector:
    app: opa
  ports:
    - name: http
      protocol: TCP
      port: 8181
      targetPort: 8181
---
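# Single-replica OPA server serving the policy mounted from the
# api-authz-policy ConfigMap at /policies.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  namespace: apps
  labels:
    app: opa
spec:
  replicas: 1
  # apps/v1 Deployments require spec.selector, and it must match the pod
  # template labels; without it the API server rejects the object.
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
      name: opa
    spec:
      containers:
        - name: opa
          # Mutable tag. For a reproducible, attestable supply chain pin the
          # image by digest (image@sha256:<digest-from-registry>) and keep the
          # tag only as documentation.
          image: openpolicyagent/opa:0.16.0
          ports:
            - name: http
              containerPort: 8181
          resources:
            requests:
              cpu: 250m
          # NOTE(review): "--server" with no --authentication/--authorization
          # flags means the management API (policy and data writes included)
          # accepts any in-cluster caller. Either enable token auth with an
          # authorization policy, or restrict ingress with a NetworkPolicy.
          # No securityContext is set; consider readOnlyRootFilesystem and a
          # non-root user once confirmed the image supports them.
          args:
            - "run"
            - "--ignore=.*" # exclude hidden dirs created by Kubernetes
            - "--server"
            - "/policies"
          volumeMounts:
            - readOnly: true
              mountPath: /policies
              name: api-authz-policy
          livenessProbe:
            httpGet:
              scheme: HTTP # assumes OPA listens on localhost:8181
              port: 8181
            initialDelaySeconds: 5 # tune these periods for your environment
            periodSeconds: 5
          readinessProbe:
            httpGet:
              path: /health?bundle=true # Include bundle activation in readiness
              scheme: HTTP
              port: 8181
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: api-authz-policy
          configMap:
            name: api-authz-policy
      nodeSelector:
        cloud.google.com/gke-nodepool: "apps"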
---
# Rego policy consumed by the opa Deployment (mounted read-only at /policies).
#
# NOTE(review): the `token` rule below uses io.jwt.decode, which parses the
# JWT but does NOT verify its signature, so the `role` claim is trusted as
# presented. That is only acceptable if a component in front of OPA has
# already verified the token (confirm for this environment); otherwise the
# rule should use io.jwt.decode_verify with the issuer's key and constraints.
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-authz-policy
  namespace: apps
data:
  policy.rego: |
    package httpapi.authz
    # HTTP API request
    import input
    # Define admin permissions
    admin_roles = ["admin", ]
    admin_methods = ["GET", "POST", ]
    # Define user permissions
    user_roles = ["admin","user", ]
    user_methods = ["GET", ]
    # Define masking permissions
    unmasked_roles = ["admin"]
    default allow = false
    # Allow any app to get inventory
    allow {
      input.method == user_methods[_]
      input.path = ["/opa/items"]
      token.payload.role == user_roles[_]
    }
    # Allow only admin apps to create inventory
    allow {
      input.method == admin_methods[_]
      input.path = ["/opa/items"]
      token.payload.role == admin_roles[_]
    }
    # Allow unmasked customer data
    allow {
      input.path = ["/customers"]
      token.payload.role == unmasked_roles[_]
    }
    # Helper to get the token payload.
    token = {"payload": payload} {
      [header, payload, signature] := io.jwt.decode(input.token)
    }