Difficulty: beginner
Estimated Time: 10-15 minutes


In this scenario, you will learn how to enforce custom policies on Kubernetes objects using OPA.


The demo will show how to prevent users from creating Kubernetes Ingress objects that violate the following organization policy:

  • Two ingresses in different namespaces must not have the same hostname.


OPA is a lightweight general-purpose policy engine that can be co-located with your service. You can integrate OPA as a sidecar, host-level daemon, or library.

Services offload policy decisions to OPA by executing queries. OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language and can be loaded into OPA via the filesystem or well-defined APIs.
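The hostname policy above could be written in OPA's policy language (Rego) roughly as follows. This is an added example, not the scenario's own policy file. It assumes existing Ingress objects are replicated into OPA under data.kubernetes.ingresses[namespace][name], and it also checks UPDATE requests, which goes beyond the creation case named above; the package name, helper names and sample hostnames are constructed for illustration.

```rego
package kubernetes.admission

import rego.v1

# Deny an Ingress whose host is already claimed by an Ingress in a
# different namespace.
# Assumption: the cluster's Ingress objects are available to OPA at
# data.kubernetes.ingresses[namespace][name].
deny contains msg if {
    input.request.kind.kind == "Ingress"
    input.request.operation in {"CREATE", "UPDATE"}
    some r in input.request.object.spec.rules
    host := r.host
    some other_ns, other_name
    other := data.kubernetes.ingresses[other_ns][other_name]
    other_ns != input.request.namespace
    some other_rule in other.spec.rules
    other_rule.host == host
    msg := sprintf("invalid ingress host %q (conflicts with %v/%v)", [host, other_ns, other_name])
}

# Constructed test data: an Ingress in "prod" already claims the host.
existing := {"prod": {"demo": {"spec": {"rules": [{"host": "demo.example.com"}]}}}}

# Constructed AdmissionReview request for a new Ingress (hypothetical helper).
review(ns, host) := {"request": {
    "kind": {"kind": "Ingress"},
    "operation": "CREATE",
    "namespace": ns,
    "object": {"spec": {"rules": [{"host": host}]}},
}}

# Same host from another namespace: one denial message is produced.
test_conflict_in_other_namespace_denied if {
    count(deny) == 1 with input as review("staging", "demo.example.com")
        with data.kubernetes.ingresses as existing
}

# Same host reused inside the same namespace: the policy does not object.
test_same_namespace_allowed if {
    count(deny) == 0 with input as review("prod", "demo.example.com")
        with data.kubernetes.ingresses as existing
}
```

Saved to a file, the two test rules can be run with opa test to confirm the rule rejects only cross-namespace conflicts.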

More details can be found at https://www.openpolicyagent.org/.


This scenario showed how you can leverage OPA to enforce admission control decisions in Kubernetes clusters without modifying or recompiling any Kubernetes components. Furthermore, once Kubernetes is configured to use OPA as an External Admission Controller, policies can be modified on-the-fly to satisfy changing operational requirements.

For more information about deploying OPA on top of Kubernetes, see Deployments - Kubernetes.

For more OPA tutorials see https://www.openpolicyagent.org/docs/get-started.html.

Kubernetes Admission Control with OPA (Open Policy Agent)


Step 1 - Deploy Demo App in prod namespace

Create a prod namespace and deploy the Demo App in it.

kubectl create ns prod

kubectl apply -f demo.yaml -n prod

Wait for all the pods to transition to the Running state. Monitor the pod status using the command below:

watch kubectl -n prod get pod

After all the pods are running, open the browser by clicking the Demo tab. You should see the landing page of the demo app showing Bob's picture and his details.

Before continuing, click clear to send Ctrl-C (which stops the watch command) and clear the screen.