Part 3: Blueprint
What Will You Do
In this part of the self-paced exercise, you will create a custom cluster blueprint with the previously created OPA Gatekeeper policy.
Step 1: Create Blueprint
In this step, you will create a custom cluster blueprint with OPA Gatekeeper. The "blueprint.yaml" file contains the declarative specification for the blueprint.
- Open Terminal (on macOS/Linux) or Command Prompt (Windows) and navigate to the folder where you forked the Git repository
- Navigate to the folder "/getstarted/opa_gatekeeper/blueprint"
Important
Ensure you update the "project: defaultproject" with the name of the project in your Org
kind: Blueprint
metadata:
  # blueprint name
  name: opa-gs-blueprint
  # project name
  project: defaultproject
- Type the command below to create the blueprint
rctl create blueprint -f blueprint.yaml
If you did not encounter any errors, you can optionally verify that everything was created correctly on the controller.
- Navigate to the "defaultproject" project in your Org
- Select Infrastructure -> Blueprint
- You should see a blueprint called "opa-gs-blueprint"
New Version
Although we have a custom blueprint, we have not provided any details on what it comprises. In this step, you will create a new version of the custom blueprint. The blueprint version references the previously created OPA Gatekeeper policy and policy version. The YAML below is a declarative spec for the new version.
Important
Ensure you update the "project: defaultproject" with the name of the project in your Org
kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: opa getting started blueprint
spec:
  blueprint: opa-gs-blueprint
  baseSystemBlueprint: default
  baseSystemBlueprintVersion: ""
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: true
  rafayMonitoringAndAlerting: true
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  driftAction: BlockAndNotify
  opaPolicy:
    enabled: true
    name: opa-gs-policy
    version: opa-gs-policy-version
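Before submitting this spec it is worth checking mechanically that the fields which decide whether the policy is actually enforced are set the way the exercise expects: that "project" was updated to your project, that "opaPolicy" is enabled and references the policy and policy version created in the previous part, and that "driftAction" is "BlockAndNotify" (block drift) rather than "DetectAndNotify" (report only). The script below is an added example, not part of the Rafay documentation or of the rctl tool. It assumes the spec keeps the flat "key: value" layout shown above (the reader is not a general YAML parser) and runs its checks against a constructed copy of the blueprint-v1.yaml spec written to a temporary file.

```shell
#!/bin/sh
# Added example (not Rafay's code): pre-flight checks on a BlueprintVersion spec
# before it is submitted with "rctl create blueprint version -f <file>".
set -u

# yaml_get FILE PARENT KEY: print the value of KEY found inside the block opened by
# "PARENT:" (PARENT="" means top level). Minimal reader for the flat key/value layout
# used by these blueprint specs; it is not a general YAML parser.
yaml_get() {
  awk -v parent="$2" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    {
      match($0, /^ */); ind = RLENGTH               # indentation depth in spaces
      line = $0; sub(/^ */, "", line); sub(/[ \t]*#.*$/, "", line)
      k = line; sub(/:.*$/, "", k)                  # key: text before the first colon
      v = line; sub(/^[^:]*:[ \t]*/, "", v)         # value: text after it
      if (parent == "") { if (ind == 0 && k == key) { print v; exit }; next }
      if (inblock && ind <= pind) inblock = 0       # indentation dropped: left the block
      if (inblock && k == key) { print v; exit }
      if (k == parent && v == "") { inblock = 1; pind = ind }
    }' "$1"
}

# check_blueprint_version FILE PROJECT: return 0 when FILE is safe to submit for
# PROJECT, otherwise print every problem found and return 1.
check_blueprint_version() {
  f=$1; want_project=$2; rc=0
  [ "$(yaml_get "$f" "" kind)" = "BlueprintVersion" ] \
    || { echo "kind must be BlueprintVersion"; rc=1; }
  project=$(yaml_get "$f" metadata project)
  [ "$project" = "$want_project" ] \
    || { echo "project is '$project', expected '$want_project'"; rc=1; }
  [ "$(yaml_get "$f" opaPolicy enabled)" = "true" ] \
    || { echo "opaPolicy.enabled must be true, otherwise no policy is enforced"; rc=1; }
  [ "$(yaml_get "$f" opaPolicy name)" = "opa-gs-policy" ] \
    || { echo "opaPolicy.name must reference opa-gs-policy"; rc=1; }
  [ "$(yaml_get "$f" opaPolicy version)" = "opa-gs-policy-version" ] \
    || { echo "opaPolicy.version must reference opa-gs-policy-version"; rc=1; }
  drift=$(yaml_get "$f" spec driftAction)
  [ "$drift" = "BlockAndNotify" ] \
    || { echo "driftAction is '$drift'; only BlockAndNotify blocks drift instead of reporting it"; rc=1; }
  return $rc
}

# write_sample_spec: write a constructed copy of the blueprint-v1.yaml spec above to a
# temporary file and print its path (sample input for the demo and the checks).
write_sample_spec() {
  out=$(mktemp) || return 1
  cat > "$out" <<'EOF'
kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: opa getting started blueprint
spec:
  blueprint: opa-gs-blueprint
  baseSystemBlueprint: default
  baseSystemBlueprintVersion: ""
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: true
  rafayMonitoringAndAlerting: true
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  driftAction: BlockAndNotify
  opaPolicy:
    enabled: true
    name: opa-gs-policy
    version: opa-gs-policy-version
EOF
  echo "$out"
}

# Demo: validate the constructed sample for project "defaultproject" and only then
# show the rctl command that would submit it.
SPEC=$(write_sample_spec)
if check_blueprint_version "$SPEC" defaultproject; then
  echo "pre-flight passed: rctl create blueprint version -f $SPEC"
fi
```

To use it against your own file, replace the demo at the bottom with "check_blueprint_version blueprint-v1.yaml <your-project> && rctl create blueprint version -f blueprint-v1.yaml", so that the version is only created when every check passes.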
- Type the command below to add a new version
rctl create blueprint version -f blueprint-v1.yaml
If you did not encounter any errors, you can optionally verify that everything was created correctly on the controller.
- Navigate to the "defaultproject" project in your Org
- Select Infrastructure -> Blueprint
- Click on the "opa-gs-blueprint" custom cluster blueprint
Step 5: Update Cluster Blueprint
In this step, you will update the cluster to use the newly created custom blueprint with OPA Gatekeeper and the defined policy.
- Replace the cluster name, "opa-gs-cluster", in the command below with the name of your cluster.
- Run the updated command
rctl update cluster opa-gs-cluster -b opa-gs-blueprint --blueprint-version v1
If you did not encounter any errors, you can optionally verify that everything was created correctly on the controller.
- Navigate to the "defaultproject" project in your Org
- Select Infrastructure -> Clusters
- You should see that the cluster is now using the "opa-gs-blueprint" blueprint
- Navigate to Infrastructure -> Clusters
- Click on "KUBECTL" in the cluster card
- Type the command below
kubectl get pods -n rafay-system
Once the custom cluster blueprint is applied to the target cluster, all configured add-ons (managed and self-managed) are automatically deployed to the cluster. You should see a result like the following, showing the OPA Gatekeeper pods running.
NAME READY STATUS RESTARTS AGE
controller-manager-v3-6b748b7695-nnffs 1/1 Running 0 4m28s
edge-client-67b7695748-9qfll 1/1 Running 0 2m51s
gatekeeper-audit-7f574bdf8b-kkpz4 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-8g4mx 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-qd5zd 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-rjx2k 2/2 Running 0 104s
ingress-controller-v1-controller-bzhsb 1/1 Running 0 3m23s
ingress-controller-v1-controller-s6ckz 1/1 Running 0 4m4s
rafay-connector-v3-7f97cd668-wc9nj 1/1 Running 0 4m28s
relay-agent-5f99474d86-jkmz4 1/1 Running 0 4h8m
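Looking at the listing by eye works for a one-off exercise, but the point that matters for enforcement is that every gatekeeper-* pod is Running with all of its containers ready: the validating admission webhook is served by the gatekeeper-controller-manager pods, so the policy is not enforced until they are up. The shell function below is an added example, not part of the Rafay documentation or of kubectl. It reads a "kubectl get pods" listing on standard input and succeeds only when at least one gatekeeper-audit pod and one gatekeeper-controller-manager pod exist and none of the Gatekeeper pods is unready; the two listings it runs over are constructed, the first mirroring the expected output above and the second showing the state while Gatekeeper is still starting.

```shell
#!/bin/sh
# Added example (not Rafay's code): a readiness gate over the output of
# "kubectl get pods -n rafay-system" that succeeds only when OPA Gatekeeper is fully up.

# gatekeeper_ready: read a pod listing on stdin; exit 0 when Gatekeeper is ready, else 1.
gatekeeper_ready() {
  awk '
    NR == 1 && $1 == "NAME" { next }                 # skip the header line, if present
    $1 ~ /^gatekeeper-/ {
      split($2, ready, "/")                          # READY column, e.g. 2/2 -> ready[1], ready[2]
      if ($3 != "Running" || ready[1] != ready[2]) {
        bad++; print "not ready: " $1 " " $2 " " $3
      }
      if ($1 ~ /^gatekeeper-audit-/) audit++
      if ($1 ~ /^gatekeeper-controller-manager-/) ctrl++
    }
    END {
      if (bad > 0 || audit < 1 || ctrl < 1) {
        print "gatekeeper not ready (audit=" audit+0 ", controller-manager=" ctrl+0 ", unhealthy=" bad+0 ")"
        exit 1
      }
      print "gatekeeper ready (audit=" audit ", controller-manager=" ctrl ")"
    }'
}

# Constructed listing mirroring the expected output after the blueprint has been applied.
READY_LISTING='NAME READY STATUS RESTARTS AGE
controller-manager-v3-6b748b7695-nnffs 1/1 Running 0 4m28s
gatekeeper-audit-7f574bdf8b-kkpz4 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-8g4mx 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-qd5zd 2/2 Running 0 104s
gatekeeper-controller-manager-867b454866-rjx2k 2/2 Running 0 104s
rafay-connector-v3-7f97cd668-wc9nj 1/1 Running 0 4m28s'

# Constructed listing a few seconds after applying the blueprint, while Gatekeeper is starting.
STARTING_LISTING='NAME READY STATUS RESTARTS AGE
controller-manager-v3-6b748b7695-nnffs 1/1 Running 0 30s
gatekeeper-audit-7f574bdf8b-kkpz4 0/2 ContainerCreating 0 5s
gatekeeper-controller-manager-867b454866-8g4mx 1/2 Running 0 5s
gatekeeper-controller-manager-867b454866-qd5zd 0/2 Pending 0 5s'

# Demo: run the gate over both constructed listings.
printf '%s\n' "$READY_LISTING" | gatekeeper_ready
printf '%s\n' "$STARTING_LISTING" | gatekeeper_ready || echo "still waiting for gatekeeper"
```

Against a live cluster, "kubectl get pods -n rafay-system | gatekeeper_ready" gives a single pass/fail you can loop on ("until kubectl get pods -n rafay-system | gatekeeper_ready; do sleep 10; done") before deploying the test workload in the next part, so that a request admitted while the webhook was still starting is not mistaken for a policy gap.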
Recap
As of this step, you have created a cluster blueprint with OPA Gatekeeper and applied this blueprint to an existing cluster. You are now ready to move on to the next step, where you will deploy a test workload to test the policy constraints.