Kubernetes authorization webhook using OPA

Runnable Kubernetes authorization webhook example using OPA for authorization policy decisions.

Running

Prerequisites

Setup

With those installed, simply run:

./setup.sh

The demo uses Kind to launch a local Kubernetes cluster and then deploys OPA to it, with the Kubernetes authorization policies loaded from the policy directory. Kind uses kubeadm, so the kubeadm config format is what is used to pass the authorization webhook flags to the API server (see kind-conf.yaml).

Testing the authorization webhook

With the cluster up and running, you may now issue the usual kubectl commands to interact with your local Kubernetes API. Since the default user for kind is a cluster admin with all privileges granted, its requests won't automatically be evaluated by the authorizer webhook (the RBAC module is configured in front of it and allows them first). To work around this, you could either set up a service account or, perhaps easier, simulate requests from other users by using the impersonation feature of kubectl:

$ kubectl get pods \
        --namespace kube-system \
        --as=someuser \
        --as-group=system:authenticated \
        --as-group=devops

Error from server (Forbidden): OPA: denied access to namespace kube-system

The OPA server is configured to print decisions to stdout, so simply view the logs of the OPA pod (in the opa namespace) to see requests and responses.
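To make the webhook exchange behind that kubectl call concrete, here is an added, offline simulation in Python (not code from this repository): it builds the SubjectAccessReview the API server POSTs to a webhook authorizer for the impersonated request above, runs it through a stand-in policy, and produces the response object the API server expects back. The policy logic (deny anything in kube-system unless the subject is in system:masters, otherwise express no opinion so RBAC decides) is a constructed approximation of the behaviour described in this README, not the repository's actual Rego; the function names are my own.

```python
"""Offline simulation of the Kubernetes authorization webhook round trip.

Added example, not code from the repository this README describes. The
request and response shapes follow authorization.k8s.io/v1
SubjectAccessReview; the policy below is a constructed stand-in for the
repository's Rego, not a copy of it.
"""
import json

ADMIN_GROUP = "system:masters"        # kind's default admin user is in this group
PROTECTED_NAMESPACE = "kube-system"


def build_sar(user, groups, verb, resource, namespace=None):
    """Construct the SubjectAccessReview the API server would POST for a request.

    This is the shape produced for e.g. `kubectl get pods -n kube-system
    --as=someuser --as-group=devops`; impersonation sets user and groups.
    """
    attrs = {"verb": verb, "resource": resource, "group": ""}
    if namespace is not None:           # cluster-scoped resources carry no namespace
        attrs["namespace"] = namespace
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {"user": user, "groups": list(groups), "resourceAttributes": attrs},
    }


def decide(sar):
    """Policy decision as a tuple (allowed, denied, reason).

    The webhook contract distinguishes three outcomes:
      allowed=True                -> request granted
      allowed=False, denied=True  -> hard deny; later authorizers are not consulted
      allowed=False, denied=False -> no opinion; the next authorizer (e.g. RBAC) decides
    """
    spec = sar.get("spec", {})
    groups = set(spec.get("groups", []))
    attrs = spec.get("resourceAttributes") or {}
    namespace = attrs.get("namespace")
    if ADMIN_GROUP in groups:
        return True, False, ""
    if namespace == PROTECTED_NAMESPACE:
        return False, True, f"OPA: denied access to namespace {namespace}"
    return False, False, ""             # no opinion: fall through to RBAC


def webhook_response(sar):
    """Build the SubjectAccessReview status object returned to the API server."""
    allowed, denied, reason = decide(sar)
    status = {"allowed": allowed}
    if denied:
        status["denied"] = True
    if reason:
        status["reason"] = reason       # this text is what kubectl shows after "Forbidden"
    return {
        "apiVersion": sar["apiVersion"],
        "kind": "SubjectAccessReview",
        "status": status,
    }


def handle(raw_request):
    """JSON in, JSON out, as the HTTP handler body of a webhook would do it."""
    return json.dumps(webhook_response(json.loads(raw_request)))


if __name__ == "__main__":
    # Constructed request matching the kubectl impersonation example above.
    sar = build_sar("someuser", ["system:authenticated", "devops"],
                    "list", "pods", "kube-system")
    print(json.dumps(sar, indent=2))    # what the API server sends
    print(handle(json.dumps(sar)))      # what the webhook answers
```

Note the three-way outcome: a real webhook authorizer that returns allowed=false without denied=true only says "no opinion", and the API server moves on to the next configured authorizer. Because this demo places RBAC before the webhook, a subject RBAC already allows (kind's admin in system:masters) never reaches OPA at all, which is why impersonating a less privileged user is needed to see the policy fire.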

Updating policy

Change the policy under the policy directory and run kubectl apply -k . Note that it may take a while before the policy change is reflected in the running system.

Tests

There are a couple of end-to-end tests in the test.sh script that use kubectl to check authorization policy enforcement. Simply run it to have them executed:

$ ./test.sh
All tests successful

Cleanup

kind delete cluster --name opa-authorizer