oc create cm test1 --from-file=./examples/authorization-webhooks/unreadable_secrets.rego -n opa
minishift ssh
cd into /var/lib/minishift/openshift.local.config/master
Create opa-policy-controller.kubeconfig in the current path with:

```yaml
# Kubernetes API version
apiVersion: v1
# kind of the API object
kind: Config
# clusters refers to the remote service.
clusters:
  - name: opa-server
    cluster:
      # CA for verifying the remote service.
      certificate-authority: /var/lib/minishift/openshift.local.config/master/ca-bundle.crt
      # URL of remote service to query. Must use 'https'. May not include parameters.
      server: https://opa.opa.svc
# users refers to the API Server's webhook configuration.
users:
  - name: opa-user
    user:
      client-certificate: /var/lib/minishift/openshift.local.config/master/master.kubelet-client.crt # cert for the webhook plugin to use
      client-key: /var/lib/minishift/openshift.local.config/master/master.kubelet-client.key # key matching the cert
# kubeconfig files require a context. Provide one for the API Server.
current-context: opa-webhook
contexts:
  - context:
      cluster: opa-server
      user: opa-user
    name: opa-webhook
```
Or at least (for debugging) see some logs showing whether authorization webhook mode is properly configured or not (or what the problem is), i.e. whether it was trying to send the request to the webhook or not.
Actual
Secrets/tokens are still viewable
Can't see the 'webhook' or 'SubjectAccessReview' string in the audit.log whenever I try to oc get/describe secrets in the demo namespace.
You can start Minishift with minishift start --show-libmachine-logs -v5 to collect logs.
Please consider posting this on http://gist.github.com/ and post the link in the issue.
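Before restarting the master it is worth checking the webhook kubeconfig itself, since a kubeconfig the apiserver cannot use is one reason the webhook is never contacted. The script below is an added example for this page, not code from the issue or from the kubernetes-policy-controller project. It checks what the webhook authorizer needs from the kubeconfig: a current-context that resolves to a cluster and a user, an https server URL without parameters, a CA to verify the webhook's serving certificate, and a client cert/key pair given together (the webhook must trust the CA that issued that client certificate, here master.kubelet-client.crt). Run on the master host, it also confirms the referenced files exist and flags a private key readable by group or others, since only the API server process needs to read it. ISSUE_KUBECONFIG is the kubeconfig posted above written as the dict `yaml.safe_load()` would return, so the example needs only the standard library; in practice you would load the real file with PyYAML.

```python
"""Check a kubeconfig meant for the kube-apiserver's authorization webhook.

Added example for this page; not code from the issue or from the policy
controller. ISSUE_KUBECONFIG is constructed from the kubeconfig in the issue.
"""
import os
import stat
from urllib.parse import urlparse

MASTER_DIR = "/var/lib/minishift/openshift.local.config/master"

# Constructed: the issue's opa-policy-controller.kubeconfig as a dict.
ISSUE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "opa-server", "cluster": {
        "certificate-authority": MASTER_DIR + "/ca-bundle.crt",
        "server": "https://opa.opa.svc"}}],
    "users": [{"name": "opa-user", "user": {
        "client-certificate": MASTER_DIR + "/master.kubelet-client.crt",
        "client-key": MASTER_DIR + "/master.kubelet-client.key"}}],
    "current-context": "opa-webhook",
    "contexts": [{"name": "opa-webhook",
                  "context": {"cluster": "opa-server", "user": "opa-user"}}],
}


def _named(entries, name):
    """Return the entry called `name` from a kubeconfig list, or None."""
    return next((e for e in entries or [] if e.get("name") == name), None)


def resolve_current_context(cfg):
    """Return (cluster, user) dicts for current-context, or raise ValueError."""
    ctx = _named(cfg.get("contexts"), cfg.get("current-context"))
    if ctx is None:
        raise ValueError(f"current-context {cfg.get('current-context')!r} is not defined in contexts")
    ref = ctx.get("context", {})
    cluster = _named(cfg.get("clusters"), ref.get("cluster"))
    user = _named(cfg.get("users"), ref.get("user"))
    if cluster is None:
        raise ValueError(f"context refers to unknown cluster {ref.get('cluster')!r}")
    if user is None:
        raise ValueError(f"context refers to unknown user {ref.get('user')!r}")
    return cluster.get("cluster", {}), user.get("user", {})


def check_webhook_kubeconfig(cfg):
    """Structural checks only (no filesystem access). Returns a list of problems."""
    try:
        cluster, user = resolve_current_context(cfg)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    url = urlparse(cluster.get("server", ""))
    if url.scheme != "https":
        problems.append(f"server {cluster.get('server')!r} must use https")
    if url.query or url.fragment:
        problems.append("server URL may not include parameters")
    if not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
        problems.append("no certificate-authority: the apiserver cannot verify the webhook's serving cert")
    has_cert = bool(user.get("client-certificate") or user.get("client-certificate-data"))
    has_key = bool(user.get("client-key") or user.get("client-key-data"))
    if has_cert != has_key:
        problems.append("client-certificate and client-key must be configured together")
    return problems


def check_credential_files(cfg):
    """Run on the master host: every referenced file must exist, and the
    private key should not be readable by group or others."""
    cluster, user = resolve_current_context(cfg)
    paths = {"certificate-authority": cluster.get("certificate-authority"),
             "client-certificate": user.get("client-certificate"),
             "client-key": user.get("client-key")}
    problems = []
    for field, path in paths.items():
        if not path:
            continue
        if not os.path.isfile(path):
            problems.append(f"{field}: {path} does not exist")
        elif field == "client-key" and os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{field}: {path} is readable by group/others")
    return problems


if __name__ == "__main__":
    for p in check_webhook_kubeconfig(ISSUE_KUBECONFIG) + check_credential_files(ISSUE_KUBECONFIG):
        print("PROBLEM:", p)
```

A structurally clean kubeconfig is necessary but not sufficient: the process that runs the API server must also be able to resolve and reach `opa.opa.svc`, which can be confirmed from `minishift ssh` with `curl --cacert ca-bundle.crt https://opa.opa.svc` before the master is restarted.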
letthefireflieslive changed the title from "How to verify if authorization webhook mode is working?" to "How to debug authorization webhook mode?" on Dec 29, 2019
letthefireflieslive changed the title from "How to debug authorization webhook mode?" to "How to debug a non-working authorization webhook mode config?" on Jan 9, 2020
Trying to integrate OPA with OpenShift 3.9; unfortunately, the Kubernetes API is not calling the OPA controller either. Same master-config.yaml. I really need to integrate OPA authorization in our cluster.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
General information
Steps to reproduce
helm template ./charts/open-policy-agent --namespace opa --set kubernetes_policy_controller.image_tag=2.0 --set kubernetes_policy_controller.image=quay.io/raffaelespazzoli/kubernetes-policy-controller --set caBundle=$CA_BUNDLE --set log_level=debug | oc apply -f - -n opa
minishift ssh
chown docker:docker opa-policy-controller.kubeconfig
chmod 7777 opa-policy-controller.kubeconfig
chown docker:docker audit-policy.yaml
chmod 7777 audit-policy.yaml
chown docker:docker master-config.yaml
chmod 7777 master-config.yaml
minishift stop
minishift start
minishift ssh
oc login -u system:admin -n demo
26.a tail -n 100 -F audit.log
26.b oc get secrets
oc get secret [samplesecret] -o yaml
Expected
Actual
Logs
https://gist.github.com/lambotchi/0e9016cc33165dc212caea3f386da84f
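Two things about the verification steps above are worth knowing when reading the results. First, the API server's audit.log records requests the API server receives; it does not record the outbound SubjectAccessReview the webhook authorizer POSTs, so grepping audit.log for 'SubjectAccessReview' says nothing about whether the webhook was called. The place to look is the OPA controller's own log (the chart is deployed with log_level=debug) or the master's log at higher verbosity. Second, the webhook authorizer treats a response with `allowed: false` and no `denied: true` as "no opinion" and hands the request to the next authorizer, so for system:admin, whom RBAC allows, secrets stay readable unless the policy answers with an explicit deny. The script below is an added example for this page, not code from the issue or from the kubernetes-policy-controller project: it builds the SubjectAccessReview the apiserver sends for "system:admin gets secret samplesecret in demo", can POST it to the webhook with the same CA, client certificate and key the kubeconfig gives the apiserver, and maps the answer to the apiserver's decision. The endpoint path (the root of https://opa.opa.svc), the user's groups and the sample response are assumptions; the apiserver uses the kubeconfig's server URL as-is, so whatever path the controller expects must be part of that URL.

```python
"""Send an authorization webhook the SubjectAccessReview the kube-apiserver
would send, and interpret the answer the way the apiserver does.

Added example for this page; not code from the issue or from the policy
controller. Endpoint path, groups and the sample response are constructed.
"""
import http.client
import json
import ssl
import sys
from urllib.parse import urlparse

MASTER_DIR = "/var/lib/minishift/openshift.local.config/master"
WEBHOOK_URL = "https://opa.opa.svc"          # server: from the kubeconfig
CA_FILE = MASTER_DIR + "/ca-bundle.crt"
CLIENT_CERT = MASTER_DIR + "/master.kubelet-client.crt"
CLIENT_KEY = MASTER_DIR + "/master.kubelet-client.key"


def build_sar(user, groups, verb, resource, namespace, name="", api_group="", version="v1"):
    """Body the webhook authorizer POSTs for a resource request (v1beta1 is the
    version the apiserver speaks to webhooks unless configured otherwise)."""
    return {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "group": list(groups),
            "resourceAttributes": {
                "namespace": namespace,
                "verb": verb,
                "group": api_group,      # "" is the core API group (secrets)
                "version": version,
                "resource": resource,
                "name": name,
            },
        },
    }


def decide(response_body):
    """Map the webhook's JSON answer to the apiserver's decision.

    allowed: true  -> allow
    denied: true   -> deny (only consulted when allowed is false)
    neither        -> no opinion: the request goes on to the next authorizer
    Returns (decision, reason).
    """
    status = json.loads(response_body).get("status", {})
    reason = status.get("reason", "")
    if status.get("allowed"):
        return "allow", reason
    if status.get("denied"):
        return "deny", reason
    return "no opinion", reason


def post_sar(sar, url=WEBHOOK_URL, ca=CA_FILE, cert=CLIENT_CERT, key=CLIENT_KEY, timeout=5):
    """POST the review over mTLS with the kubeconfig's credentials.
    Network call: run this from `minishift ssh`, it is not part of the offline test."""
    u = urlparse(url)
    ctx = ssl.create_default_context(cafile=ca)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=timeout)
    conn.request("POST", u.path or "/", body=json.dumps(sar),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


# Constructed: what a policy that forbids reading secrets might answer.
SAMPLE_DENY_RESPONSE = json.dumps({
    "apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview",
    "status": {"allowed": False, "denied": True, "reason": "secrets are unreadable"}})


if __name__ == "__main__":
    # Groups are an assumption; the apiserver fills them from the authenticated user.
    sar = build_sar("system:admin", ["system:cluster-admins", "system:authenticated"],
                    "get", "secrets", "demo", "samplesecret")
    print(json.dumps(sar, indent=2))
    if "--post" in sys.argv:
        status, body = post_sar(sar)
        print(status, body, decide(body))
    else:
        print("sample response ->", decide(SAMPLE_DENY_RESPONSE))
```

If `post_sar` fails to connect, verify the TLS handshake, or the answer decodes to "no opinion" for the request you expect to be blocked, the problem is outside the master's authorization-mode configuration and can be fixed before touching master-config.yaml again.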