Difficulty: beginner
Estimated Time: 10-15 minutes

OPA Logo

In this scenario, you will learn how to enforce custom policies with OPA over the S3 API to the Ceph Storage Cluster which applications use to put and get data.


Ceph is a highly scalable distributed storage solution that uniquely delivers object, block, and file storage in one unified system. You can enforce fine-grained authorization over Ceph's Object Storage using OPA. Ceph's Object Storage essentially consists of a Ceph Storage Cluster and a Ceph Object Gateway.

The Ceph Object Gateway is an object storage interface built on top of librados to provide applications with a RESTful gateway to Ceph Storage Clusters.

OPA is integrated with the Ceph Object Gateway daemon (RGW), which is an HTTP server that interacts with a Ceph Storage Cluster and provides interfaces compatible with OpenStack Swift and Amazon S3.

When the Ceph Object Gateway gets a request, it checks with OPA whether the request should be allowed or not. OPA makes a decision (allow or deny) based on the policies and data it has access to and sends the decision back to the Ceph Object Gateway for enforcement.

This tutorial uses Rook to run Ceph inside a Kubernetes cluster.


OPA is a lightweight general-purpose policy engine that can be co-located with your service. You can integrate OPA as a sidecar, host-level daemon, or library.

Services offload policy decisions to OPA by executing queries. OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language and can be loaded into OPA via the filesystem or well-defined APIs.

More details can be found at https://www.openpolicyagent.org/.


OPA Logo

This scenario showed how OPA can be used to enforce custom policies over the S3 API to the Ceph Storage Cluster. You can modify OPA's polices to get greater control over the actions performed on the Ceph Object Storage without making any changes to Ceph.

This tutorial also showed how OPA can seamlessly work with Rook without any modifications to Rook's components.

For more OPA tutorials see https://www.openpolicyagent.org/docs/get-started.html.

Ceph Authorization with OPA (Open Policy Agent)

Step 1 of 9

Step 1 - Deploy the Rook Operator

Deploy the Rook system components, which include the Rook agent and Rook operator pods.

kubectl create -f operator.yaml

Verify that rook-ceph-operator, rook-ceph-agent, and rook-discover pods are Running.

watch kubectl -n rook-ceph-system get pod

When all pods show status Running, hit clear to ctrl-c and clear the screen.