working OPA deployment

Author: sionsmith

examples/multi-tenacy/open-policy-agent/clusterrolebinding.yaml

@@ -0,0 +1,38 @@
+# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
+# replicate resources into OPA so they can be used in policies.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: opa-viewer
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: Group
+    name: system:serviceaccounts:opa
+    apiGroup: rbac.authorization.k8s.io
+---
+# Define role for OPA/kube-mgmt to update configmaps with policy status.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: configmap-modifier
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["update", "patch"]
+---
+# Grant OPA/kube-mgmt role defined above.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: opa-configmap-modifier
+roleRef:
+  kind: Role
+  name: configmap-modifier
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: Group
+    name: system:serviceaccounts:opa
+    apiGroup: rbac.authorization.k8s.io

examples/multi-tenacy/open-policy-agent/deployment.yaml

@@ -1,79 +1,56 @@
----
-# Source: opa/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: opa
   labels:
     app: opa
-    chart: "opa-2.0.0"
-    release: "opa"
-    heritage: "Helm"
+  name: opa
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: opa
   template:
     metadata:
-      annotations:
-        checksum/certs: 8b0af3ffc1e4a45847580d3650728057e5aba2869d5bf9f51780777916e801f7
       labels:
         app: opa
       name: opa
     spec:
       containers:
         - name: opa
-          ports:
-          - name: https
-            containerPort: 443
-          image: openpolicyagent/opa:0.32.1
-          imagePullPolicy: IfNotPresent
-          resources:
-            {}
+          image: openpolicyagent/opa:0.32.0-rootless
           args:
             - "run"
             - "--server"
             - "--tls-cert-file=/certs/tls.crt"
             - "--tls-private-key-file=/certs/tls.key"
-            - "--addr=0.0.0.0:443"
-            - "--log-level=info"
-            - "--log-format=json"
+            - "--addr=0.0.0.0:8443"
+            - "--addr=http://127.0.0.1:8181"
+            - "--log-format=json-pretty"
+            - "--set=decision_logs.console=true"
           volumeMounts:
-            - name: certs
-              readOnly: true
+            - readOnly: true
               mountPath: /certs
+              name: opa-server
           readinessProbe:
             httpGet:
-              path: /health
+              path: /health?plugins&bundle
               scheme: HTTPS
-              port: 443
-            initialDelaySeconds: 5
-            periodSeconds: 10
+              port: 8443
+            initialDelaySeconds: 3
+            periodSeconds: 5
           livenessProbe:
             httpGet:
               path: /health
               scheme: HTTPS
-              port: 443
-            initialDelaySeconds: 10
-            periodSeconds: 15
-        - name: sarproxy
-          image: lachlanevenson/k8s-kubectl:latest
-          imagePullPolicy: IfNotPresent
-          resources:
-            {}
-          command:
-            - kubectl
-            - proxy
-            - --accept-paths=^/apis/authorization.k8s.io/v1/subjectaccessreviews$
-      serviceAccountName: opa
+              port: 8443
+            initialDelaySeconds: 3
+            periodSeconds: 5
+        - name: kube-mgmt
+          image: openpolicyagent/kube-mgmt:0.11
+          args:
+            - "--replicate-cluster=v1/namespaces"
+            - "--replicate=extensions/v1beta1/ingresses"
       volumes:
-        - name: certs
+        - name: opa-server
           secret:
-            secretName: opa-cert
-      affinity:
-        {}
-      nodeSelector:
-        {}
-      tolerations:
-        []
+            secretName: opa-server

examples/multi-tenacy/open-policy-agent/kustomization.yaml

@@ -3,11 +3,9 @@ kind: Kustomization
 namespace: opa
 resources:
   - namespace.yaml
-  - sar-clusterrole.yaml
-  - sar-clusterrolebinding.yaml
-  - serviceaccount.yaml
+  - clusterrolebinding.yaml
+  - opa-server.yaml
   - service.yaml
-  - webhookconfiguration.yaml
   - deployment.yaml
 
 configMapGenerator:

examples/multi-tenacy/open-policy-agent/sar-clusterrole.yaml

@@ -1,19 +1,12 @@
----
-# Source: opa/templates/service.yaml
 kind: Service
 apiVersion: v1
 metadata:
   name: opa
-  labels:
-    app: opa
-    chart: "opa-2.0.0"
-    release: "opa"
-    heritage: "Helm"
 spec:
   selector:
     app: opa
   ports:
-  - name: https
-    protocol: TCP
-    port: 443
-    targetPort: 443
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 8443

examples/multi-tenacy/open-policy-agent/sar-clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
+
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -config server.conf
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf
+
+kubectl create secret tls opa-server \
+--dry-run=client \
+--cert=server.crt \
+--key=server.key -o yaml > ../../examples/multi-tenacy/open-policy-agent/opa-server.yaml

examples/multi-tenacy/open-policy-agent/service.yaml

@@ -0,0 +1,13 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+prompt = no
+[req_distinguished_name]
+CN = opa.opa.svc
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = opa.opa.svc