First steps
After you went through the Installation, on this page you will deploy OPA, deploy your first rule and query it from the command line.
Deploy OPA
To deploy OPA, you create an OpaCluster resource in Kubernetes and the operator will create the OPA instance.
Create a file called opa.yaml
with the following contents:
---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
name: simple-opa
spec:
image:
productVersion: "0.66.0"
servers:
roleGroups:
default: {}
and apply it:
kubectl apply -f opa.yaml
This will create an OPA cluster. The operator deploys a DaemonSet, which means that an OPA Pod is deployed on every Node of the cluster. This reduces network traffic and improves latency for decision requests, since every other Pod making decision requests will only have to make its request to another port on the same Node.
Deploy a policy rule
Now deploy the first policy rule to OPA.
Rules are deployed in ConfigMaps.
Create a file simple-rule.yaml
with the following contents:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: test
labels:
opa.stackable.tech/bundle: "true"
data:
test.rego: |
package test
hello {
true
}
world {
false
}
and apply it:
kubectl apply -f simple-rule.yaml
The operator will read the rule file, bundle it and publish the bundle to all OPA instances.
Make policy requests
Now that you have deployed the rule, you can query OPA for it. First, port-forward the service so you can query it from outside the Kubernetes cluster:
kubectl port-forward svc/simple-opa 8081 > /dev/null 2>&1 &
Then, request the hello
rule:
curl -s http://localhost:8081/v1/data/test/hello
As it was defined in the rule file, the response should be true
:
{"result":true}
You can also request the other rule, world
:
curl -s http://localhost:8081/v1/data/test/world
And see a different response:
{}
Great! You’ve set up OPA, deployed a rule and queried it!
What’s next
Have a look at the Usage guide page for more configuration options of the operator.