ashutosh-narkar / kube-mgmt

Sidecar for managing OPA on top of Kubernetes.

kube-mgmt

Policy-based control for Kubernetes deployments.

About

kube-mgmt manages instances of the Open Policy Agent on top of Kubernetes. Use kube-mgmt to:

  • Load policies into OPA via Kubernetes (see Policies below.)
  • Replicate Kubernetes resources into OPA (see Caching below.)

NOTE: kube-mgmt is currently in alpha. Join the discussion on slack.openpolicyagent.org.

Deployment Guide

Hello World

  1. Create a new Namespace to deploy OPA into:

    kubectl create namespace opa
  2. Create a new Deployment that includes OPA and kube-mgmt (manifests/deployment.yml):

    kubectl -n opa create -f https://raw.githubusercontent.com/open-policy-agent/kube-mgmt/master/manifests/deployment.yml
  3. Define a simple policy (example.rego) with the following content:

    package kubernetes
    
    example = "Hello, Kubernetes!"
  4. Create a ConfigMap containing the policy:

    kubectl -n opa create configmap hello-world --from-file example.rego
  5. Create a Service to expose OPA:

    kubectl -n opa expose deployment opa --type=NodePort
  6. Execute a policy query against OPA:

    OPA_URL=$(minikube service -n opa opa --url)
    curl $OPA_URL/v1/data/kubernetes/example

Policies

kube-mgmt automatically discovers policies stored in ConfigMaps in Kubernetes and loads them into OPA. kube-mgmt assumes a ConfigMap contains policies if the ConfigMap is:

  • Created in a namespace listed in the --policies option.
  • Labelled with openpolicyagent.org/policy=rego.

When a policy has been successfully loaded into OPA, the openpolicyagent.org/policy-status annotation is set to {"status": "ok"}.

If loading fails for some reason (e.g., because of a parse error), the openpolicyagent.org/policy-status annotation is set to {"status": "error", "error": ...} where the error field contains details about the failure.
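As an added example (not part of the kube-mgmt project), the following POSIX shell script publishes a .rego file as a labelled ConfigMap the way this section describes and then polls the openpolicyagent.org/policy-status annotation until kube-mgmt reports ok or error. It assumes the namespace opa from the Hello World steps (override with NAMESPACE) and that the error text in the annotation contains no double-quote characters, since the status fields are extracted with sed rather than a JSON parser.

```shell
#!/bin/sh
# Added example, not kube-mgmt's own tooling: publish a policy ConfigMap and
# report the load status that kube-mgmt writes back as an annotation.
set -eu

# Namespace must be one listed in kube-mgmt's --policies option (assumed: opa).
NAMESPACE="${NAMESPACE:-opa}"

# Extract the "status" field from an annotation value such as
# {"status": "ok"} or {"status": "error", "error": "..."}.
policy_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the "error" field; prints nothing when the policy loaded cleanly.
# Stops at the first double quote, so quotes inside the error text are not handled.
policy_error() {
    printf '%s\n' "$1" | sed -n 's/.*"error"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Create the ConfigMap from a .rego file and label it so kube-mgmt discovers it.
publish_policy() {
    name="$1"; file="$2"
    kubectl -n "$NAMESPACE" create configmap "$name" --from-file "$file"
    kubectl -n "$NAMESPACE" label configmap "$name" openpolicyagent.org/policy=rego --overwrite
}

# Poll the policy-status annotation; exit 0 on ok, 1 on a load error, 2 on timeout.
wait_for_policy() {
    name="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        ann=$(kubectl -n "$NAMESPACE" get configmap "$name" \
            -o 'jsonpath={.metadata.annotations.openpolicyagent\.org/policy-status}')
        case "$(policy_status "$ann")" in
            ok)    echo "policy $name loaded into OPA"; return 0 ;;
            error) echo "policy $name rejected: $(policy_error "$ann")" >&2; return 1 ;;
        esac
        tries=$((tries - 1)); sleep 1
    done
    echo "timed out waiting for kube-mgmt to load $name" >&2; return 2
}

# Usage: ./publish-policy.sh <configmap-name> <file.rego>
# Only talks to the cluster when both arguments are given, so the helpers can be sourced.
if [ "$#" -eq 2 ]; then
    publish_policy "$1" "$2" && wait_for_policy "$1"
fi
```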

Caching

kube-mgmt can be configured to replicate Kubernetes resources into OPA so that you can express policies over an eventually consistent cache of Kubernetes state.

Replication is enabled with the following options:

# Replicate namespace-level resources. May be specified multiple times.
--replicate=<[group/]version/resource>

# Replicate cluster-level resources. May be specified multiple times.
--replicate-cluster=<[group/]version/resource>

Example Options

The example below would replicate Deployments, Services, and Nodes into OPA:

--replicate=apps/v1beta/deployments
--replicate=v1/services
--replicate-cluster=v1/nodes

Admission Control

To get started with admission control policy enforcement in Kubernetes 1.9 or later see the Kubernetes Admission Control tutorial. For older versions of Kubernetes, see Admission Control (1.7).

Development Guide

To run all of the tests and build the Docker image run make in this directory.

License: Apache License 2.0