OPA
OPA Required and Recommended Versions
- Minimum version 0.44 is required; however, numerous bugs, security and performance issues have been addressed since then.
- There have been reports that version 0.48 has issues and should be avoided.
- Recommended versions:

| Milestone | Open Policy Agent Recommended Version |
|---|---|
| M18 | v0.54 or later |
| M21 | v0.56 or later |
| M22 | v0.68.0 or later* |
| M23 | v0.68.0 or later |
| M24 | v0.68.0 or later |
| M25 | v0.70.0 |
| M26 | v1.3.0 |

\* For M22, OPA v0.67.1 has been reported to work well, but the general recommendation is to update to v0.68.0.
OPA v1.0.x
M25 and earlier releases of Policy Service are not compatible with OPA version 1.x syntax. Do not use a v1.x.x release, the openpolicyagent/opa:latest container tag, or the `--v1-compatible` flag on v0.x releases.
The `--v0-compatible` flag or the `rego_version` attribute in the bundle manifest might work; however, these have not yet been fully tested with OSDU. To support OPA v1, all default policies (Rego) will have to be replaced or updated. To learn more about these planned changes to policies, please see upgrading OPA.
Role
Since M20, Policy Service has the ability to update OPA for the purpose of adding additional data partitions. To do this, Policy Service requires the ability to read and update the configmap of OPA.
Policy Service should be granted a Role similar to the following:
Example Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: policy-opa-role
  namespace: <namespace>
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
```
OPA Namespace
Policy Service uses the mounted service account secret to determine its namespace (`/var/run/secrets/kubernetes.io/serviceaccount/namespace`), but this can be overridden with the NAMESPACE or AWS_SERVICE_NAMESPACE-core environment variables. It is assumed that OPA is running in the same namespace. If it is not, provide the correct namespace via NAMESPACE.
Service Token
Policy Service uses the service account token to authenticate to Kubernetes for the purpose of reading and updating the OPA configmap. Set `automountServiceAccountToken` to true in the Helm chart for Policy Service.
OPA Config Map
The OPA configmap is expected to be named `opa-config`. If the name is different in your environment, provide the configmap name to Policy Service via the `OPA_CONFIG_MAP` environment variable.
Info
Details on how your Policy Service is configured, including namespace and configmap details, can be retrieved via the `/config` API.
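The following is an added example, not Policy Service's own code, that pulls together the three settings described above: it resolves the OPA namespace with the same precedence the page describes (environment override first, then the service account namespace file), resolves the configmap name from `OPA_CONFIG_MAP` with `opa-config` as the default, and checks a Role such as the one shown under "Example Role" for the verbs a read-and-update workflow needs. The function names, the dict form of the Role, and the choice of which verbs count as "read" (get, list, watch) and "update" (update, patch) are this example's own assumptions; the page only states that the service must read and update the configmap. The check also reports verbs beyond that set (the page's example Role grants create and delete as well) so you can decide whether they are needed in your environment.

```python
"""Added example (not Policy Service code): resolve where Policy Service will look
for the OPA configmap and check that a Role grants what that needs.

Assumptions (not from the page): function names, the dict form of the Role, and
which verbs are treated as "read" and "update" are this example's own choices.
"""
import os
from typing import Mapping, Optional

# Path the page names as the source of the pod's own namespace.
SA_NAMESPACE_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
DEFAULT_CONFIGMAP = "opa-config"

# Assumption: list/watch are counted as "read" so a controller-style read works,
# and patch is counted as "update" so partial updates work.
READ_VERBS = {"get", "list", "watch"}
UPDATE_VERBS = {"update", "patch"}
# Verbs a "*" wildcard expands to for the purpose of this check.
ALL_VERBS = READ_VERBS | UPDATE_VERBS | {"create", "delete", "deletecollection"}
# Override variable names as the page lists them (the second copied as written).
OVERRIDE_KEYS = ("NAMESPACE", "AWS_SERVICE_NAMESPACE-core")


def resolve_namespace(env: Mapping[str, str] = os.environ,
                      sa_file: str = SA_NAMESPACE_FILE) -> Optional[str]:
    """Environment override wins; otherwise read the service account namespace file."""
    for key in OVERRIDE_KEYS:
        value = env.get(key, "").strip()
        if value:
            return value
    try:
        with open(sa_file, encoding="utf-8") as fh:
            return fh.read().strip() or None
    except OSError:
        # Not running in a pod and no override: the caller must treat this as fatal.
        return None


def resolve_configmap_name(env: Mapping[str, str] = os.environ) -> str:
    """OPA_CONFIG_MAP overrides the default name opa-config."""
    return env.get("OPA_CONFIG_MAP", "").strip() or DEFAULT_CONFIGMAP


def granted_configmap_verbs(role: dict) -> set:
    """Collect the verbs a Role grants on core-group configmaps, expanding wildcards."""
    verbs = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if "" not in groups and "*" not in groups:
            continue  # configmaps live in the core ("") API group
        if "configmaps" not in resources and "*" not in resources:
            continue
        for verb in rule.get("verbs", []):
            verbs |= ALL_VERBS if verb == "*" else {verb}
    return verbs


def check_role(role: dict) -> dict:
    """Report verbs missing for read+update (service would fail) and verbs beyond it."""
    have = granted_configmap_verbs(role)
    needed = READ_VERBS | UPDATE_VERBS
    return {
        "ok": needed <= have,
        "missing": sorted(needed - have),
        "extra": sorted(have - needed),
    }


# Constructed: the page's example Role as a dict (the shape yaml.safe_load would give).
EXAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "policy-opa-role", "namespace": "osdu"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["configmaps"],
        "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"],
    }],
}

if __name__ == "__main__":
    env = {"NAMESPACE": "osdu"}  # constructed override, as the page describes
    print("namespace:", resolve_namespace(env, sa_file="/nonexistent"))
    print("configmap:", resolve_configmap_name(env))
    print("role check:", check_role(EXAMPLE_ROLE))
```

Running it with the page's Role reports `ok: True`, no missing verbs, and `create` and `delete` as extra; a Role that only grants `get` is reported as not sufficient, with the missing verbs listed, which is the situation to look for when Policy Service fails to update the OPA configmap after a new data partition is added.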
OPA Upgrade to v1.x from v0.x
The upgrade process is described in the OPA upgrade guide.