Policy
The RCTL utility provides the means to manage/automate the lifecycle of OPA Gatekeeper. The following operations can be performed on OPA Gatekeeper for projects within an organization.
| Resource | Create | Get | Apply | Update | Delete | 
|---|---|---|---|---|---|
| OPA Installation Profile(s) | YES | YES | YES | NO | YES | 
| OPA Constraint Template(s) | YES | YES | YES | YES | YES | 
| OPA Constraint(s) | YES | YES | YES | YES | YES | 
| OPA Policies | YES | YES | YES | NO | YES | 
Create Installation Profile
Run the command below to create an OPA Installation Profile from the spec YAML file

```bash
./rctl apply -f profile_filename.yaml
```

An illustrative example of the profile spec YAML file is shown below

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAProfile
metadata:
  name: example-profile
  project: defaultproject
spec:
  opaVersion: 3.14.0
  excludedNamespaces:
  - namespaces:
    - name: alert-test
    processes:
    - '*'
  installationParams:
    auditFromCache: true
    auditInterval: 90
    auditMatchKindOnly: true
    constraintViolationsLimit: 30
  sharing:
    enabled: true
    projects:
    - name: project-1
    - name: project-2
  syncObjects:
  - group: r
    kind: Pod
    version: v1
  version: example-version
```
Create OPA Constraint Template
Use the command below to create an OPA Constraint Template

```bash
./rctl create opaconstrainttemplate -f <constrainttemplate_filename.yml>
```
Constraint Template Spec from Git Repo
An illustrative example of the OPA Constraint Template spec YAML file sourced from a Git Repo is shown below. The paths parameter identifies the Git Repository and the file path within it

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-replica-constrainttemplate
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/template.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml
```
Constraint Template Spec via upload
An illustrative example of the OPA Constraint Template spec YAML file for an uploaded artifact is shown below. The paths parameter identifies the local file path

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-k8scontainerlimits
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-template/template.yaml
    options: {}
    type: Yaml
```

Important
The prefix file:// is mandatory for upload artifacts, and the path must be relative to the parent file path
Create OPA Constraint
Use the command below to create an OPA Constraint

```bash
./rctl create opaconstraint -f <constraint_filename.yml>
```
Constraint Spec from Git Repo
An illustrative example of the OPA Constraint spec YAML file sourced from a Git Repo is shown below. The paths parameter identifies the Git Repository and the file path within it

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-replica-constraint
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/demo/replicalimits/constraint.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml
  published: true
  templateName: demo-replica-constrainttemplate
  version: v1
```
Constraint Spec via upload
An illustrative example of the OPA Constraint spec YAML file for an uploaded artifact is shown below. The paths parameter identifies the local file path

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-k8scontainerlimits-constraints
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-constraint/constraint.yaml
    options: {}
    type: Yaml
  published: true
  templateName: demo-k8scontainerlimits
  version: v1
```

Important
The prefix file:// is mandatory for upload artifacts, and the path must be relative to the parent file path
Create OPA Policies
Use the command below to create an OPA Policy

```bash
./rctl create opapolicy -f <policy_file.yml>
```

An illustrative example of the OPA Policy spec YAML file is given below. Each entry in constraintList names an existing OPA Constraint and the version of it to include

```yaml
apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: example-policy
  project: defaultproject
spec:
  constraintList:
  - name: constraint-1
    version: v1
  - name: constraint-2
    version: v2
  sharing:
    enabled: true
    projects:
    - name: project-1
    - name: project-2
  version: v2
```
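A pre-apply check for the template, constraint and policy specs above, written as an added example for this page (it is not part of RCTL). It takes spec documents already parsed into dicts (for instance with PyYAML), enforces the file:// rule from the Important notes for upload artifacts, rejects upload paths that escape the spec directory, and verifies that every constraint's templateName and every policy constraintList entry resolves to a spec in the set. The SAMPLE_SPECS are constructed from the page's examples; the function names are this example's own.

```python
import posixpath

# Constructed sample set mirroring the page's specs: an uploaded template, an
# uploaded constraint that references it, and a policy listing two constraints.
SAMPLE_SPECS = [
    {"kind": "OPAConstraintTemplate", "metadata": {"name": "demo-k8scontainerlimits"},
     "spec": {"artifact": {"artifact": {"paths": [
         {"name": "file://artifacts/example-template/template.yaml"}]}, "type": "Yaml"}}},
    {"kind": "OPAConstraint", "metadata": {"name": "demo-k8scontainerlimits-constraints"},
     "spec": {"artifact": {"artifact": {"paths": [
         {"name": "file://artifacts/example-constraint/constraint.yaml"}]}, "type": "Yaml"},
              "templateName": "demo-k8scontainerlimits", "version": "v1"}},
    {"kind": "OPAPolicy", "metadata": {"name": "example-policy"},
     "spec": {"constraintList": [{"name": "demo-k8scontainerlimits-constraints", "version": "v1"},
                                 {"name": "constraint-2", "version": "v2"}]}},
]

def check_upload_paths(spec):
    """Upload artifacts need the file:// prefix and a path that stays inside the spec directory."""
    errors, name = [], spec["metadata"]["name"]
    art = spec.get("spec", {}).get("artifact", {}).get("artifact", {})
    if "repository" in art:  # Git-backed artifact: the path is inside the repository, not local
        return errors
    for p in art.get("paths", []):
        path = p.get("name", "")
        if not path.startswith("file://"):
            errors.append(f"{name}: missing file:// prefix: {path}")
        # An absolute path, or one that normalises to a parent directory, points outside
        # the spec's directory and should be rejected before anything is applied.
        elif path[7:].startswith("/") or posixpath.normpath(path[7:]).startswith(".."):
            errors.append(f"{name}: path escapes the spec directory: {path}")
    return errors

def check_references(specs):
    """Constraints must name an existing template; policies an existing constraint at that version."""
    by_kind = {}
    for s in specs:
        by_kind.setdefault(s["kind"], {})[s["metadata"]["name"]] = s
    templates, constraints = by_kind.get("OPAConstraintTemplate", {}), by_kind.get("OPAConstraint", {})
    errors = []
    for c in constraints.values():
        if c["spec"].get("templateName") not in templates:
            errors.append(f"{c['metadata']['name']}: unknown templateName {c['spec'].get('templateName')}")
    for pol in by_kind.get("OPAPolicy", {}).values():
        for ref in pol["spec"].get("constraintList", []):
            target = constraints.get(ref["name"])
            if target is None or target["spec"].get("version") != ref.get("version"):
                errors.append(f"{pol['metadata']['name']}: unresolved constraint {ref['name']}@{ref.get('version')}")
    return errors

def validate(specs):
    """Run both checks over a set of parsed OPA spec dicts and return every finding."""
    return [e for s in specs for e in check_upload_paths(s)] + check_references(specs)
```

Running validate over the sample set reports only the placeholder constraint-2, which the page's policy example lists but no constraint spec defines.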
OPA Gatekeeper Policy in Blueprint
Once OPA Gatekeeper installation profiles and policies are created, users can deploy them via the blueprint spec YAML. An illustrative example of the blueprint spec YAML is shown below; the opaPolicy block names the policies (with versions) and the installation profile to use.

```yaml
apiVersion: infra.k8smgmt.io/v3
kind: Blueprint
metadata:
  name: example-blueprint
  project: defaultproject
spec:
  base:
    name: default
    version: 1.17.0
  defaultAddons:
    csiSecretStoreConfig:
      providers: {}
    enableIngress: true
    enableLogging: false
    enableMonitoring: true
    enableVM: false
  drift:
    enabled: false
  networkPolicy: {}
  opaPolicy:
    opaPolicy:
    - name: test-policy1
      version: v1
    - name: test-policy2
      version: v3
    profile:
      name: test-profile
      version: v1
  placement: {}
  sharing:
    enabled: false
  version: v3-test
```
List OPA Installation Profiles
Use this command to retrieve the list of OPA Installation Profiles in the configured Project. An illustrative example is shown below where RCTL retrieves the list of profiles.

```
./rctl get opaprofile
+-----------------------+---------+
| PROFILE NAME          | VERSION |
+-----------------------+---------+
| initial-am-policy1-v1 | v4      |
+-----------------------+---------+
| test-opa              | v1      |
+-----------------------+---------+
```
Get Specific OPA Installation Profile
Below is an example to retrieve a specific OPA Installation Profile by name

```
./rctl get opaprofile test-opa
+--------------+---------+
| PROFILE NAME | VERSION |
+--------------+---------+
| test-opa     | v1      |
+--------------+---------+
```
List OPA Constraint Templates
Use this command to retrieve the list of OPA Constraint Templates in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraint templates (both from Git Repo and upload)

```
./rctl get opaconstrainttemplate
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| CONSTRAINT TEMPLATE NAME        | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY   |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels               | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |              |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-1                          | Yaml          | demo-files/constrainttemplates/artifacts/two/gatekeeper-allowedrepos-constraint-template-regex.yaml | ankit-opa    |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-replica-constrainttemplate | Yaml          | library/general/replicalimits/template.yaml                                                         | demo-git-opa |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-k8scontainerlimits         | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits/k8scontainerlimits_contrainttemplate.yaml"}   |              |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
```
Get Specific OPA Constraint Template
Below is an example to retrieve a specific OPA Constraint Template by name

```
./rctl get opaconstrainttemplate k8srequiredlabels
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT TEMPLATE NAME       | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY  |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels              | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |             |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
```
List OPA Constraints
Use this command to retrieve the list of OPA Constraints in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraints (both from Git Repo and upload)

```
./rctl get opaconstraint
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| CONSTRAINT NAME                     | ARTIFACT TYPE | ARTIFACT FILES                                                                                         | REPOSITORY   |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels-constraints       | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}        |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-1                              | Yaml          | demo-files/constraints/artifacts/two/gatekeeper-allowedrepos-policy-constraint.yaml                    | ankit-opa    |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-label-crd                      | Yaml          | paths:{name:"file://artifacts/ankit-label-crd/crd-constraint.yaml"}                                    |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels-pod               | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-pod/k8srequiredlabels_contraints_pod.yaml"}            |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-k8scontainerlimits-constraints | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits-constraints/k8scontainerlimits_contraints.yaml"} |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-replica-constraint             | Yaml          | library/general/replicalimits/samples/replicalimits/constraint.yaml                                    | demo-git-opa |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
```
Get Specific OPA Constraint
Below is an example to retrieve a specific OPA Constraint by name

```
./rctl get opaconstraint k8srequiredlabels-constraints
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT NAME                    | ARTIFACT TYPE | ARTIFACT FILES                                                                                        | REPOSITORY  |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels-constraints      | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}       |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
```
List OPA Policies
Use this command to retrieve the list of OPA Policies in the configured Project. An illustrative example is shown below where RCTL retrieves the list of policies

```
./rctl get opapolicy
+---------------+-----------------------------+--------------------------------------+
| POLICY NAME   | VERSION NAME                | CONSTRAINTS                          |
+---------------+-----------------------------+--------------------------------------+
| demo-policy   | v3-pod                      | k8srequiredlabels-pod                |
+---------------+-----------------------------+--------------------------------------+
| demo1         | v1                          | k8srequiredlabels-constraints        |
+---------------+-----------------------------+--------------------------------------+
| demo-policy-2 | v1-container-replica-labels | k8srequiredlabels-constraints        |
|               |                             | demo-k8scontainerlimits-constraints  |
|               |                             | demo-replica-constraint              |
+---------------+-----------------------------+--------------------------------------+
```
Get Specific OPA Policy
Below is an example to retrieve a specific OPA Policy by name

```
./rctl get opapolicy demo-policy
+--------------+-----------------------------+------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                        |
+--------------+-----------------------------+------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod              |
+--------------+-----------------------------+------------------------------------+
```
Apply Command
Based on the configuration details specified in the spec YAML file, the Apply command creates the required resource(s), which then appear in the UI.

```bash
./rctl apply -f <opa-file.yaml>
```
Update Commands
OPA Constraint Template
Use the command below to push changes made to the OPA Constraint Template spec YAML file

```bash
./rctl update opaconstrainttemplate -f <updated-constrainttemplate.yaml>
```

OPA Constraint
Use the command below to push changes made to the OPA Constraint spec YAML file

```bash
./rctl update opaconstraint -f <updated-constraint.yaml>
```
Delete Commands
You can use either the imperative method (by resource name) or the declarative method (by spec file) to delete OPA Installation Profiles, Constraint Templates, Constraints and Policies
Imperative
OPA Installation Profile
Use the command below to delete an OPA Installation Profile

```bash
./rctl delete opaprofile <profile_name>
```

OPA Constraint Template
Use the command below to delete an OPA Constraint Template

```bash
./rctl delete opaconstrainttemplate <constrainttemplate_name>
```

OPA Constraint
Use the command below to delete an OPA Constraint

```bash
./rctl delete opaconstraint <constraint_name>
```

OPA Policy
Use the command below to delete an OPA Policy

```bash
./rctl delete opapolicy <policy_name>
```

Declarative
OPA Installation Profile
Use the command below to delete an OPA Installation Profile

```bash
./rctl delete opaprofile <opaprofilefile.yaml>
```

OPA Constraint Template
Use the command below to delete an OPA Constraint Template

```bash
./rctl delete opaconstrainttemplate <constrainttemplatefile.yaml>
```

OPA Constraint
Use the command below to delete an OPA Constraint

```bash
./rctl delete opaconstraint <constraintfile.yaml>
```

OPA Policy
Use the command below to delete an OPA Policy

```bash
./rctl delete opapolicy <policyfile.yaml>
```