-
Notifications
You must be signed in to change notification settings - Fork 43
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4798 from ministryofjustice/update-opa-policies
docs: ✏️ a lot of these docs are duplicated clean it up
- Loading branch information
Showing
1 changed file
with
5 additions
and
56 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,65 +1,14 @@ | ||
--- | ||
title: Add a new OPA policy | ||
weight: 9000 | ||
last_reviewed_on: 2023-05-15 | ||
review_in: 3 months | ||
last_reviewed_on: 2023-09-27 | ||
review_in: 6 months | ||
--- | ||
|
||
# Open Policy Agent policies | ||
|
||
Policies are version controlled in the [`cloud-platform-infrastructure`][policies-repo] repository. | ||
We use OPA policies to restrict (Gatekeeper refer to this as constraints) what users can and cannot do in the cluster. | ||
|
||
## Adding a policy | ||
Policies are version controlled in the [`cloud-platform-infrastructure`][policies-repo] repository. We manage these policies through [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). See the gatekeeper [README](https://github.com/ministryofjustice/cloud-platform-terraform-gatekeeper/blob/main/README.md) for implementation, testing and method instructions. | ||
|
||
Create a new `.rego` file in the location above. Our policies are currently all defined in the | ||
`cloud_platform.admission` package and uses the `deny` rule to evaluate any checks: | ||
|
||
For example, the following policy would deny all `Services` of type `Loadbalancer` | ||
|
||
``` | ||
package cloud_platform.admission | ||
|
||
import data.kubernetes.namespaces | ||
|
||
deny[msg] { | ||
input.request.kind.kind == "Service" | ||
input.request.object.spec.type == "LoadBalancer" | ||
} | ||
``` | ||
|
||
## Writing tests | ||
|
||
Testing the policies against live data is not a straightforward process and debugging policies is quite minimal at the | ||
moment. The best way to develop policies is by practicing test-driven development. | ||
|
||
Assuming you have created `my_policy.rego` with your `deny` rule defined, you simply need to create | ||
`my_policy_test.rego` to define your tests. You can look at the existing policies for examples. There are a few generic | ||
mocking functions defined which you might find useful. | ||
|
||
Finally, testing the policies, you should see something like this: | ||
|
||
``` | ||
$ opa test -v . | ||
data.cloud_platform.admission.test_ingress_create_allowed: PASS (1.956µs) | ||
data.cloud_platform.admission.test_ingress_create_conflict: PASS (1.518µs) | ||
data.cloud_platform.admission.test_ingress_update_same_host: PASS (1.088µs) | ||
data.cloud_platform.admission.test_ingress_update_new_host: PASS (1.246µs) | ||
data.cloud_platform.admission.test_ingress_update_existing_host: PASS (1.417µs) | ||
data.cloud_platform.admission.test_ingress_update_existing_host_other_namespace: PASS (1.295µs) | ||
-------------------------------------------------------------------------------- | ||
PASS: 6/6 | ||
``` | ||
|
||
Additionally, tests will be run against pull requests to the repository in a CircleCI job. | ||
|
||
## References | ||
|
||
- [How to write policies][write-policies] | ||
- [How to test policies][write-tests] | ||
- [Kubernetes Policy Primer | ||
][policy-primer] | ||
|
||
[policies-repo]: https://github.com/ministryofjustice/cloud-platform-terraform-opa/tree/main/resources/policies | ||
[policy-primer]: https://github.com/timothyhinrichs/opa/blob/4d5a1071e5099da42c2cde02faac2075f3ba2bf9/docs/content/docs/policy-primer-k8s.md | ||
[write-policies]: https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/ | ||
[write-tests]: https://www.openpolicyagent.org/docs/latest/how-do-i-test-policies/ | ||
[policies-repo]: https://github.com/ministryofjustice/cloud-platform-terraform-gatekeeper/tree/main/resources/constraint_templates |