Install Open-policy-agent and create an ingress-conflicts policy. #242
Commits on Apr 8, 2019
Resource helm_release.open-policy-agent created
to deploy opa using default values from helm chart
Commit 1b8d55c
* comment out line 7-13 to not use default policy provided in the bundle
* enabled configmappolicies for namespace opa line 72-73
* defined variables for the opa and kube-mgmt image tags
Commit 7828f7b
Created null_resource.open-policy-agent_policies
To apply opa policies under resources/opa
Commit f3e5410
Commit 5c63fff
Created configmap for default-system policy
This applies a ConfigMap that contains the main OPA policy and default response. This policy is used as an entry-point for policy evaluations and returns allowed:true if policies are not matched to inbound data.
Commit 46e06ad
Created a policy Ingress-conflicts
This policy prevents Ingress objects in different namespaces from sharing the same hostname
Commit 1268429
Updated opa values.yaml.tpl file to get ingress-conflicts policy necessary restrictions/permissions
* updated admissionControllerRules: line 26-29 to restrict the kinds of operations and resources that are subject to ingress-conflicts policy checks
* mgmt/replicate: line 79-81 configured to pull resource metadata that is needed for ingress-conflicts policy
* rbac: line 113-139 ClusterRole permissions needed for ingress-conflicts policy
Commit a50c883
Commits on Apr 10, 2019
Commit 6b962ae
Commit 951277d
Commits on Apr 11, 2019
Update ingress conflict policy
Use := for assignment and == for equality. This makes the policy easier to read and is recommended practice. The previous policy would fail to run properly in the opa repl. Additionally, it removes the operation type check (redundant, we want to check both CREATE and UPDATE) which is set at the ValidatingWebhookConfig level. Also removes the namespace check (which invalidates the check for ingresses within the same namespace).
Commit 7c7c416
Remove imageTag variables from opa values
There is no need to override the values from terraform. Removing them makes maintenance easier since we don't need to remember to update those values and can rely on defaults.
Commit 0601f82
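Added example, not the policy from this pull request: an ingress host-conflict rule written the way the "Update ingress conflict policy" commit describes (`:=` for assignment, `==` for equality, no operation-type or namespace check), with unit tests. The package name, the `data.kubernetes.ingresses` replication path, the self-exclusion step, the `generateName` default and all test data are assumptions made for this example.

```rego
package kubernetes.admission

import rego.v1

# Assumption: kube-mgmt replicates Ingress objects into
# data.kubernetes.ingresses[namespace][name].
deny contains msg if {
	input.request.kind.kind == "Ingress"
	new_ns := input.request.namespace
	# A generateName request has no metadata.name yet; default to "" so the
	# rule still evaluates instead of going undefined (which would fail open).
	new_name := object.get(input.request.object, ["metadata", "name"], "")
	host := input.request.object.spec.rules[_].host

	some other_ns, other_name
	other := data.kubernetes.ingresses[other_ns][other_name]
	# Skip the object under review so an UPDATE does not conflict with itself.
	[other_ns, other_name] != [new_ns, new_name]
	other.spec.rules[_].host == host
	msg := sprintf("ingress host %q conflicts with %v/%v", [host, other_ns, other_name])
}

# Constructed sample data for the tests below.
existing := {"team-a": {"web": {"spec": {"rules": [{"host": "app.example.com"}]}}}}

review(ns, name, host) := {"request": {
	"kind": {"kind": "Ingress"},
	"namespace": ns,
	"object": {"metadata": {"name": name}, "spec": {"rules": [{"host": host}]}},
}}

test_conflict_in_other_namespace_denied if {
	inp := review("team-b", "web", "app.example.com")
	count(deny) == 1 with input as inp with data.kubernetes.ingresses as existing
}

test_update_of_same_object_allowed if {
	inp := review("team-a", "web", "app.example.com")
	count(deny) == 0 with input as inp with data.kubernetes.ingresses as existing
}

test_conflict_in_same_namespace_denied if {
	inp := review("team-a", "web2", "app.example.com")
	count(deny) == 1 with input as inp with data.kubernetes.ingresses as existing
}
```

Save the block to a `.rego` file and run `opa test` on it; all three tests should pass.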