First steps
After completing the Installation, on this page you deploy OPA, deploy your first rule and query it from the command line.
Deploy OPA
To deploy OPA, you create an OpaCluster resource in Kubernetes and the operator creates the OPA Stacklet.
Create a file called opa.yaml with the following contents:
---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
  name: simple-opa
spec:
  image:
    productVersion: "0.67.1"
  servers:
    roleGroups:
      default: {}
and apply it:
kubectl apply -f opa.yaml
This creates an OPA cluster. The operator deploys a DaemonSet, which means that an OPA Pod is deployed on every Node of the cluster. This reduces network traffic and improves latency for decision requests, since every other Pod making decision requests only has to make its request to another port on the same Node.
Deploy a policy rule
Now deploy the first policy rule to OPA.
Rules are deployed in ConfigMaps.
Create a file simple-rule.yaml with the following contents:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: test
  labels:
    opa.stackable.tech/bundle: "true"
data:
  test.rego: |
    package test

    hello {
      true
    }

    world {
      false
    }
and apply it:
kubectl apply -f simple-rule.yaml
The operator reads the rule file, bundles it and publishes the bundle to all OPA Pods in the cluster.
Make policy requests
Now that you have deployed the rule, you can query OPA for it. First, port-forward the service so you can query it from outside the Kubernetes cluster:
kubectl port-forward svc/simple-opa 8081 > /dev/null 2>&1 &
Then, request the hello rule:
curl -s http://localhost:8081/v1/data/test/hello
As it was defined in the rule file, the response should be true:
{"result":true}
You can also request the other rule, world:
curl -s http://localhost:8081/v1/data/test/world
And see a different response:
{}
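The {} response has no result key because a Rego rule whose body is false is undefined rather than false, so a client that enforces decisions must treat a missing result as deny. The following is an added example, not part of the original guide or the operator's code, of a client that fails closed on the two responses shown above; the function names interpret and query are hypothetical, and the URL assumes the port-forward from this page.

```python
import json
import urllib.error
import urllib.request


def interpret(body: bytes) -> bool:
    """Map an OPA Data API response body to allow/deny, failing closed."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False
    if not isinstance(doc, dict):
        return False
    # An undefined rule produces a body without a "result" key (the {} case).
    # Only the JSON literal true is an allow; "true", 1 or [] are not.
    return doc.get("result") is True


def query(base_url: str, rule_path: str, input_doc=None, timeout: float = 2.0) -> bool:
    """POST an input document to /v1/data/<rule_path> and return the decision."""
    url = f"{base_url.rstrip('/')}/v1/data/{rule_path.strip('/')}"
    payload = json.dumps({"input": input_doc or {}}).encode()
    req = urllib.request.Request(
        url, data=payload, headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.read())
    except (urllib.error.URLError, OSError):
        # OPA unreachable, timeout or HTTP error status: deny, never allow.
        return False


if __name__ == "__main__":
    # Constructed sample bodies, copied from the two responses on this page.
    print("hello body ->", interpret(b'{"result":true}'))
    print("world body ->", interpret(b"{}"))
    # Live queries; these need the kubectl port-forward from this page.
    for rule in ("test/hello", "test/world"):
        print(rule, "->", query("http://localhost:8081", rule))
```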
Great! You’ve set up OPA, deployed a rule and queried it!
What’s next
Have a look at the Usage guide page for more configuration options of the operator.