Difficulty: beginner
Estimated Time: 10-15 minutes


Welcome to the Digital Academy "Kubernetes CNCF" series. This is Module 7 - Open Policy Agent.

OPA is a lightweight general-purpose policy engine that can be co-located with your service. You can integrate OPA as a sidecar, host-level daemon, or library.

Services offload policy decisions to OPA by executing queries. OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language and can be loaded into OPA via the filesystem or well-defined APIs.

For more information, see the Open Policy Agent documentation.

Developer(s): William Hearn and Zachary Seguin

Module 7 - Leveraging Open Policy Agent

Constraint Template

Show the constraint template:

cat ./resources/constraint-template.yaml

Create the constraint template object:

kubectl create -f ./resources/constraint-template.yaml

Show the constraint:

cat ./resources/constraint.yaml

Create the constraint policy:

kubectl create -f ./resources/constraint.yaml

Attempt to create a namespace that does not satisfy the constraint; the admission request is rejected:

kubectl create namespace test -o yaml

Show a compliant namespace:

cat ./resources/namespace-with-labels.yaml

Create a compliant namespace:

kubectl create -f ./resources/namespace-with-labels.yaml