
OPA

  • Minimum version 0.44 is required; however, numerous bug, security and performance fixes have landed since then, so use one of the recommended versions below.
  • There have been reports that version 0.48 has issues, and it should be avoided.

  • Recommended versions

| Milestone | Open Policy Agent Recommended Version |
|-----------|---------------------------------------|
| M18       | v0.54 or later                        |
| M21       | v0.56 or later                        |
| M22       | v0.62.1 or later                      |
| M23       | v0.62.1 or later                      |

Role

  • Currently Policy Service is not compatible with OPA version 1.x syntax, so do not use the -v1-compatible flag. As of M20, Policy Service has the ability to update OPA for the purpose of adding additional data partitions. To do this, Policy Service requires the ability to read and update the configmap of OPA.

Policy Service should be provided a role similar to the following:

Example Role

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: policy-opa-role
      namespace: <namespace>
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

OPA Namespace

Policy Service uses the mounted service account secret to determine its namespace (/var/run/secrets/kubernetes.io/serviceaccount/namespace), but this can be overridden with the NAMESPACE or AWS_SERVICE_NAMESPACE-core environment variables. It is assumed that OPA is running in the same namespace; if it is not, provide the correct namespace via NAMESPACE.

Service Token

Policy Service uses the service account token to authenticate to Kubernetes for the purposes of reading and updating the OPA configmap. Set `automountServiceAccountToken` to true in the Helm chart for Policy Service.

OPA Config Map

The name of the OPA configmap is expected to be opa-config. However, if the name is different in your environment, provide that configmap name to Policy Service via the OPA_CONFIG_MAP environment variable.
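As an added preflight check (example code, not part of the Policy Service project), the following Python encodes the constraints this page states: the per-milestone minimum OPA version, the 0.48 warning, the unsupported -v1-compatible flag, the NAMESPACE override of the mounted service account namespace file, and the opa-config default overridden by OPA_CONFIG_MAP. The function names are assumptions, the AWS_SERVICE_NAMESPACE variant of the override is left out, and no Kubernetes API call is made.

```python
import re

# Milestone -> minimum OPA version from the recommended-versions table on this page.
MIN_VERSION = {
    "M18": (0, 54, 0),
    "M21": (0, 56, 0),
    "M22": (0, 62, 1),
    "M23": (0, 62, 1),
}
SA_NAMESPACE_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"


def parse_version(text):
    """Turn 'v0.62.1' or 'Version: 0.56.0' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no OPA version found in %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def resolve_namespace(env, sa_file=SA_NAMESPACE_FILE):
    """NAMESPACE env var wins; otherwise fall back to the mounted service account namespace file."""
    if env.get("NAMESPACE"):
        return env["NAMESPACE"]
    with open(sa_file) as fh:
        return fh.read().strip()


def preflight(env, opa_version_text, milestone, opa_args=(), sa_file=SA_NAMESPACE_FILE):
    """Check a deployment against this page's constraints; returns resolved settings and findings."""
    findings = []
    version = parse_version(opa_version_text)
    floor = MIN_VERSION[milestone]
    if version < floor:
        findings.append("OPA %s is below the %s minimum %s"
                        % (".".join(map(str, version)), milestone, ".".join(map(str, floor))))
    if version[:2] == (0, 48):
        findings.append("OPA 0.48 has reported issues and should be avoided")
    if any(arg in ("-v1-compatible", "--v1-compatible") for arg in opa_args):
        findings.append("-v1-compatible is set, but Policy Service does not support OPA 1.x syntax")
    return {
        "namespace": resolve_namespace(env, sa_file),
        # Default configmap name the page states; OPA_CONFIG_MAP overrides it.
        "configmap": env.get("OPA_CONFIG_MAP", "opa-config"),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: a real run would pass os.environ and the output of `opa version`.
    print(preflight({"NAMESPACE": "osdu"}, "Version: 0.62.1", "M22", ("run", "--server")))
```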

Info

Details on how your Policy Service is configured, including namespace and configmap details, can be retrieved via the /config API.