docs: Add namespace selector to k8s tutorial #1435

Merged

Member

timothyhinrichs commented May 16, 2019

Avoid OPA policies stopping changes to OPA's own configuration.
Do the same thing for kube-system.

Signed-off-by: Tim Hinrichs <tim@styra.com>

Member Author

timothyhinrichs commented May 16, 2019

Ran through the modified tutorial manually. Looks good.

@timothyhinrichs timothyhinrichs requested a review from tsandall May 16, 2019
Member

tsandall left a comment

I wonder if we should put this into the guide as well?

@@ -241,6 +241,12 @@ metadata:
name: opa-validating-webhook
webhooks:
- name: validating-webhook.openpolicyagent.org
namespaceSelector:
matchExpressions:
- key: openpolicyagent.org/admission-control
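
Review bot: The `namespaceSelector` added under `validating-webhook.openpolicyagent.org` turns a namespace label (the `key:` line) into the switch that decides whether admission requests from that namespace reach OPA at all, and the tutorial should say so next to this block. Suggest a sentence naming which namespaces are meant to carry the label and noting that anyone with permission to edit namespace labels can change what the webhook reviews, so that permission needs the same care as the policies themselves. The excerpt ends at the key, so the operator and values cannot be checked here; whichever operator is used, the text should state whether a namespace with no label is sent to OPA or skipped.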


tsandall May 16, 2019

Member

I think this ought to be openpolicyagent.org/webhook.

Avoid OPA policies stopping changes to OPA's own configuration.
Do the same thing for kube-system.

Signed-off-by: Tim Hinrichs <tim@styra.com>
@timothyhinrichs timothyhinrichs force-pushed the timothyhinrichs:k8snamespaceselector branch from 41bdeb2 to 5d86f30 May 17, 2019
Member Author

timothyhinrichs commented May 17, 2019

Went through the tutorial again. This time I toggled the webhook label on and off to ensure that the traffic OPA received was different.
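
Added example, not part of this PR or the OPA tutorial: a small evaluator for the `matchExpressions` semantics Kubernetes applies to a webhook `namespaceSelector`, showing why toggling the label changes what OPA receives and how an opt-out selector still covers unlabeled namespaces while an opt-in selector skips them. The operators, values, namespace names and labels are constructed assumptions, since the excerpt on this page stops at the key line.

```python
# Added example: Kubernetes matchExpressions semantics for a webhook namespaceSelector.
KEY = "openpolicyagent.org/webhook"  # label key proposed in the review on this page


def expr_matches(expr, labels):
    """Evaluate one matchExpressions entry against a namespace's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # An absent key satisfies NotIn, so unlabeled namespaces still match.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator: {op}")


def webhook_covers(selector, labels):
    """True when admission requests for this namespace are sent to the webhook."""
    return all(expr_matches(e, labels) for e in selector.get("matchExpressions", []))


# Assumed selectors: operator and values are not visible in the excerpt on this page.
OPT_OUT = {"matchExpressions": [{"key": KEY, "operator": "NotIn", "values": ["ignore"]}]}
OPT_IN = {"matchExpressions": [{"key": KEY, "operator": "In", "values": ["enforce"]}]}

# Constructed namespaces and labels.
NAMESPACES = {
    "opa": {KEY: "ignore"},
    "kube-system": {KEY: "ignore"},
    "production": {},              # never labeled
    "team-a": {KEY: "enforce"},
}


def coverage(selector):
    """Map each sample namespace to whether the webhook would see its requests."""
    return {ns: webhook_covers(selector, labels) for ns, labels in NAMESPACES.items()}


if __name__ == "__main__":
    for name, sel in (("opt-out (NotIn)", OPT_OUT), ("opt-in (In)", OPT_IN)):
        print(name, coverage(sel))
```

With the opt-out form a namespace that nobody labeled is still checked by OPA; with the opt-in form it is silently skipped.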

@timothyhinrichs timothyhinrichs requested a review from tsandall May 17, 2019
Contributor

patrick-east left a comment

LGTM

@timothyhinrichs timothyhinrichs merged commit b290000 into open-policy-agent:master May 17, 2019
7 checks passed
Header rules - openpolicyagent: No header rules processed
Pages changed - openpolicyagent: 2 new files uploaded
DCO
Mixed content - openpolicyagent: No mixed content detected
Redirect rules - openpolicyagent: 57 redirect rules processed
continuous-integration/travis-ci/pr: The Travis CI build passed
netlify/openpolicyagent/deploy-preview: Deploy preview ready!
patrick-east added a commit that referenced this pull request Aug 2, 2019
I expect many install OPA following this guide (as we did). Recent PRs
have made steps to 'productionize' this (e.g.
[#1435](#1435))

We had an incident involving the controller where a stuck container was
not restarted. We would have been helped if a liveness probe was
configured. We copied the docs and this is our bad but we'd like to do
our best to make sure others don't make the same mistake.

I figured it'd be ok to use the health endpoint
[here](https://github.com/open-policy-agent/opa/blob/master/docs/content/rest-api.md#health-api)

We've made this change and it seems to be working ok for us.

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>