Skip to content

Part 3: Blueprint

What Will You Do

In this part of the self-paced exercise, you will create a custom cluster blueprint with the previously created OPA Gatekeeper policy.

Step 1: Create Blueprint

In this step, you will create a custom cluster blueprint with OPA Gatekeeper. The "blueprint.yaml" file contains the declarative specification for the blueprint.

  • Open Terminal (on macOS/Linux) or Command Prompt (Windows) and navigate to the folder where you forked the Git repository
  • Navigate to the folder "/getstarted/opa_gatekeeper/blueprint"

Important

Ensure you update the "project: defaultproject" with the name of the project in your Org

kind: Blueprint
metadata:
  # blueprint name
  name: opa-gs-blueprint
  #project name
  project: defaultproject
  • Type the command below to create the blueprint
rctl create blueprint -f blueprint.yaml

If you did not encounter any errors, you can optionally verify if everything was created correctly on the controller.

  • Navigate to the "defaultproject" project in your Org
  • Select Infrastructure -> Blueprint
  • You should see an blueprint called "opa-gs-blueprint

Blueprint

New Version

Although we have a custom blueprint, we have not provided any details on what it comprises. In this step, you will create a new version of the custom blueprint. The blueprint version references the previously created OPA Gatekeeper policy and policy version. The YAML below is a declarative spec for the new version.

Important

Ensure you update the "project: defaultproject" with the name of the project in your Org

kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: opa getting started blueprint
spec:
  blueprint: opa-gs-blueprint
  baseSystemBlueprint: default
  baseSystemBlueprintVersion: ""
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: true
  rafayMonitoringAndAlerting: true
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  driftAction: BlockAndNotify
  opaPolicy:
   enabled: true
   name: opa-gs-policy
   version: opa-gs-policy-version
  • Type the command below to add a new version
rctl create blueprint version -f blueprint-v1.yaml

If you did not encounter any errors, you can optionally verify if everything was created correctly on the controller.

  • Navigate to the "defaultproject" project in your Org
  • Select Infrastructure -> Blueprint
  • Click on the "opa-gs-blueprint" custom cluster blueprint

Blueprint Version

Step 5: Update Cluster Blueprint

In this step, you will update the cluster to use the newly created custom blueprint with OPA Gatekeeper and the defined policy.

  • Replace the cluster name, "opa-gs-cluster", in the command below with the name of your cluster.
  • Run the updated command
rctl update cluster opa-gs-cluster -b opa-gs-blueprint --blueprint-version v1

If you did not encounter any errors, you can optionally verify if everything was created correctly on the controller.

  • Navigate to the "defaultproject" project in your Org
  • Select Infrastructure -> Clusters
  • You should see the cluster is now using the "opa-gs-blueprint

Cluster Blueprint

  • Navigate to Infrastructure -> Clusters
  • Click on "KUBECTL" in the cluster card
  • Type the command below 
kubectl get pods -n rafay-system

Once the custom cluster blueprint is applied to the target cluster, all configured add-ons (managed and self managed) are automatically deployed to the cluster. You should see a result like the following showing the OPA Gatekeeper pods running.

NAME                                             READY   STATUS    RESTARTS   AGE
controller-manager-v3-6b748b7695-nnffs           1/1     Running   0          4m28s
edge-client-67b7695748-9qfll                     1/1     Running   0          2m51s
gatekeeper-audit-7f574bdf8b-kkpz4                2/2     Running   0          104s
gatekeeper-controller-manager-867b454866-8g4mx   2/2     Running   0          104s
gatekeeper-controller-manager-867b454866-qd5zd   2/2     Running   0          104s
gatekeeper-controller-manager-867b454866-rjx2k   2/2     Running   0          104s
ingress-controller-v1-controller-bzhsb           1/1     Running   0          3m23s
ingress-controller-v1-controller-s6ckz           1/1     Running   0          4m4s
rafay-connector-v3-7f97cd668-wc9nj               1/1     Running   0          4m28s
relay-agent-5f99474d86-jkmz4                     1/1     Running   0          4h8m

Recap

As of this step, you have created a cluster blueprint with OPA Gatekeeper and applied this blueprint to an existing cluster. You are now ready to move onto the next step where you will deploy a test workload to test the policy constraints.