Expand Up @@ -48,8 +48,10 @@ Note that the OPA sidecar with Unix Domain Sockets pattern does _not_ require th

1. Enable the `Backend` extension API so Envoy can reference a Unix Domain Socket.
2. Create an OPA policy in a `ConfigMap` and mount it into an OPA sidecar in the Envoy pods.
3. Configure a `SecurityPolicy` that delegates authorization to OPA via the Unix Domain Socket `Backend`. For demonstration purposes we'll also configure JWT authentication.
4. Create an HTTPRoute that requires protection and verify traffic flow.
3. Configure the Envoy Proxy pods to have an OPA sidecar
4. Configure a `SecurityPolicy` that delegates authorization to OPA via the Unix Domain Socket `Backend`. For demonstration purposes we'll also configure JWT authentication.
5. Create an HTTPRoute that requires protection
6. Test the configuration

## Step 1: Enable the Backend extension API

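Review bot: trailing punctuation is inconsistent across the renumbered list: items 1, 2 and 4 end with a period while the new lines `3. Configure the Envoy Proxy pods to have an OPA sidecar`, `5. Create an HTTPRoute that requires protection` and `6. Test the configuration` do not. Suggest ending all six items the same way. Splitting the old item 4 into separate HTTPRoute and test steps does line up with the later hunk that bumps the `Test the configuration` heading from Step 5 to Step 6.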
Expand Down Expand Up @@ -114,7 +116,7 @@ On MacOS you can apply that by copying it and running `pbpaste | kubectl apply -

In this policy we extract a `x-jwt-iss` header from the request. That header is not automatically available on `ext_authz` filter requests. We will configure Envoy to add that header from the decoded JWT. That configuration happens in the SecurityPolicy in step 4.

## Step 3: Configure the Envoy Proxy pods with an OPA sidecar
## Step 3: Configure the Envoy Proxy pods to have an OPA sidecar

Create an `EnvoyProxy` resource that mounts the OPA policy `ConfigMap`, shares a Unix Domain Socket between Envoy and OPA, and configures the "ext_authz" filter order so OPA receives JWT headers from the JWT authentication filter.

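Review bot: the reworded heading `## Step 3: Configure the Envoy Proxy pods to have an OPA sidecar` reads less naturally than the removed `with an OPA sidecar`; if the intent is to keep list item 3 and the heading word-for-word identical, consider changing the list entry to the original wording instead. The unchanged context `That configuration happens in the SecurityPolicy in step 4.` is correct under the new numbering, so nothing else in this hunk needs to change.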
Expand Down Expand Up @@ -151,7 +153,7 @@ spec:
configMap:
name: opa-policy
containers:
# Add the Unox domain socket volume to the existing envoy
# Add the Unix Domain Socket volume to the existing envoy
# proxy container named "envoy".
- name: envoy
volumeMounts:
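Review bot: the corrected comment `# Add the Unix Domain Socket volume to the existing envoy` still says "volume" while the lines it annotates are a `volumeMounts:` entry on the `envoy` container, not the volume declaration itself. Suggest `# Mount the Unix Domain Socket volume into the existing envoy` so the comment matches the field directly beneath it.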
Expand Down Expand Up @@ -336,7 +338,7 @@ spec:
port: 3000
```

## Step 5: Test the configuration
## Step 6: Test the configuration

Prepare some env vars:

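Review bot: bumping `## Step 5: Test the configuration` to `## Step 6` matches the new list, but this diff shows no `## Step 5` heading being added for the new HTTPRoute item anywhere between the Step 3 hunk (around line 153) and this one (around line 338). Please confirm a `## Step 5: Create an HTTPRoute that requires protection` heading already exists in the file or is added in this PR; otherwise the rendered page skips a step number.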