Install Open-policy-agent and create a ingress-conflicts policy. #242
Conversation
to deploy opa using default values from helm chart
* comment out line 7-13 to not use default policy provided in the bundle * enabled configmappolicies for namespace opa line 72-73 * defined variables for the opa and kube-mgmt image tags
To apply opa policies under resources/opa
This applies a ConfigMap that contains the main OPA policy and default response. This policy is used as an entry-point for policy evaluations and returns allowed:true if policies are not matched to inbound data.
This policy prevents Ingress objects in different namespaces from sharing the same hostname
ingress-conflicts policy necessary restrictions/permissions * updated admissionControllerRules: line 26-29 to restrict the kinds of operations and resources that are subject to ingress-conflicts policy checks * mgmt/replicate: line 79-81 configured to pull resource metadata that needed for ingress-conflicts policy *rbac: line 113-139 ClusterRole permissions needed for ingress-conflicts policy
|
This is been applied to test-1.cloud-platform.service.justice.gov.uk cluster This can be tested by creating the same ingress on a different namespace, use the below for guidance. |
terraform/cloud-platform-components/templates/opa/values.yaml.tpl
Outdated
Show resolved
Hide resolved
terraform/cloud-platform-components/templates/opa/values.yaml.tpl
Outdated
Show resolved
Hide resolved
terraform/cloud-platform-components/templates/opa/values.yaml.tpl
Outdated
Show resolved
Hide resolved
terraform/cloud-platform-components/resources/opa/policy-ingress-conflicts.yaml
Outdated
Show resolved
Hide resolved
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - configmaps |
There was a problem hiding this comment.
As an additional comment, it's pretty bad the the helm chart will only set up a ClusterRole so we end up having to give it full access to configmaps. Since it will only ever need to parse configmaps from its own namespace, do you think it's worth the effort to extract this and create a Role and RoleBinding externally?
There was a problem hiding this comment.
No we can't :(
open-policy-agent/kube-mgmt#11
@vijay-veeranki-moj has tested this and it's the same behaviour on the latest versions
Use := for assignment and == for equality. This makes the policy easier to read and is recommended practice. The previous policy would fail to run properly in the opa repl. Additionally, it removes the operation type check (redundant, we want to check both CREATE and UPDATE) which is set at the ValidatingWebhookConfig level. Also removes the namespace check (which invalidates the check for ingresses within the same namespace).
|
@vijay-veeranki-moj I've just pushed two commits with my recommended changes. This should work fine now I but let's get someone else to test as well. |
There is no need to override the values from terraform. Removing them makes maintainance easier since we don't need to remember to update those values and can rely on defaults.
|
This PR is to install OPA(open-policy-agent) using helm chart and create a ingress-conflicts policy.
This helm chart installs OPA as a Kubernetes admission controller. Using OPA, which can enforce fine-grained invariants over arbitrary resources in Kubernetes cluster.
Created a ConfigMap that contains the main OPA policy and default response. This policy is used as an entry-point for policy evaluations and returns allowed:true if policies are not matched to inbound data.
Created a policy ingress-conflicts that prevents Ingress objects in different namespaces from sharing the same hostname.
Also updated the default values in Helm chart to get the ingress-conflicts policy necessary permissions and resource access.