# ServiceAccount the OPA pod runs as. No namespace is set, so it is created in
# whichever namespace `kubectl apply` targets; the RoleBinding and
# ClusterRoleBinding in this file reference it as `namespace: myproject`, so
# apply into that namespace or the bindings point at a non-existent subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opa
  labels:
    app: opa
---
# Read-only access to Strimzi custom resources. Via the aggregate-to-view label
# these rules are folded into the built-in "view" ClusterRole, which is the
# role the opa-viewer ClusterRoleBinding grants to the OPA ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-view
  labels:
    app: strimzi
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["kafka.strimzi.io"]
    resources:
      - kafkas
      - kafkaconnects
      - kafkaconnects2is
      - kafkamirrormakers
      - kafkausers
      - kafkatopics
      - kafkabridges
      - kafkaconnectors
      - kafkamirrormaker2s
      - kafkarebalances
    # Read-only verbs; no create/update/delete on Strimzi resources.
    verbs: [get, list, watch]
---
# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
# replicate resources into OPA so they can be used in policies.
# Scope note: this is a ClusterRoleBinding, so the built-in "view" role (and
# everything aggregated into it, such as strimzi-view) applies in every
# namespace. The default "view" role does not grant read access to Secrets.
# The subject namespace is hard-coded; keep it in step with the namespace the
# ServiceAccount is created in.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opa-viewer
  labels:
    app: opa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: opa
    namespace: myproject
---
# Define role for OPA/kube-mgmt to update configmaps with policy status.
# Least-privilege note: the rule is namespace-scoped but has no
# `resourceNames`, so the subject may update/patch every ConfigMap in the
# namespace, not only the policy ConfigMaps. Tighten with `resourceNames:`
# once the set of policy ConfigMaps is fixed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-modifier
  labels:
    app: opa
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - update
      - patch
---
# Grant OPA/kube-mgmt role defined above.
# Namespace-scoped binding of configmap-modifier to the OPA ServiceAccount; the
# subject namespace is hard-coded to myproject like the ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: opa-configmap-modifier
  labels:
    app: opa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-modifier
subjects:
  - kind: ServiceAccount
    name: opa
    namespace: myproject
---
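# OPA server plus the kube-mgmt sidecar that loads policies from the
# opa-policies ConfigMap and replicates the listed Strimzi resources into OPA.
# Hardening added: both containers drop all Linux capabilities and forbid
# privilege escalation; neither needs more than an unprivileged listener on a
# high port. No namespace is set, so the pod lands in the namespace
# `kubectl apply` targets; serviceAccountName resolves in that same namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
      name: opa
    spec:
      serviceAccountName: opa
      containers:
        - name: opa
          # TODO(review): `latest` is a mutable tag; pin to a release tag or
          # image digest (e.g. openpolicyagent/opa:<PINNED_VERSION>) so the
          # deployed policy engine is reproducible and reviewable.
          image: openpolicyagent/opa:latest
          ports:
            - name: http
              containerPort: 8181
          args:
            - "run"
            - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
            # Debug logging together with console decision logs writes the
            # evaluated input of every decision to stdout; lower to "info"
            # and/or drop decision_logs.console outside development.
            - "--log-level=debug"
            # No OPA authentication/authorization flags are set, so the REST
            # API on 8181 is open to anything that can reach the pod (see the
            # opa Service) to query and modify policies and data. kube-mgmt
            # presumably relies on that from localhost, so restrict reachability
            # with a NetworkPolicy rather than relying on the listener itself.
            - "--server"
            - "--set=decision_logs.console=true"
            - "/policies"
          volumeMounts:
            - name: opa-policies
              mountPath: /policies
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
        - name: kube-mgmt
          image: openpolicyagent/kube-mgmt:0.11
          # Replicates these Strimzi resources into OPA's data document; the
          # read access comes from the opa-viewer ClusterRoleBinding.
          args:
            - "--replicate=kafka.strimzi.io/v1beta1/kafkatopics"
            - "--replicate=kafka.strimzi.io/v1beta1/kafkausers"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      volumes:
        - name: opa-policies
          configMap:
            name: opa-policies
---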
# Service fronting the OPA REST API (no `type` given, so the default ClusterIP).
# Every workload that can reach this Service can talk to the API, which the
# Deployment above runs without authentication; pair it with a NetworkPolicy
# that admits only the intended clients.
apiVersion: v1
kind: Service
metadata:
  name: opa
  labels:
    app: opa
spec:
  selector:
    app: opa
  ports:
    - name: http
      port: 8181
      targetPort: 8181
      protocol: TCP