Skip to main content

Open Policy Agent policies

Policies are version controlled in the cloud-platform-infrastructure repository.

Adding a policy

Create a new .rego file in the location above. Our policies are currently all defined in the cloud_platform.admission package and uses the deny rule to evaluate any checks:

For example, the following policy would deny all Services of type Loadbalancer

package cloud_platform.admission

import data.kubernetes.namespaces

deny[msg] {
  input.request.kind.kind == "Service"
  input.request.object.spec.type == "LoadBalancer"
}

Writing tests

Testing the policies against live data is not a straightforward process and debugging policies is quite minimal at the moment. The best way to develop policies is by practicing test-driven development.

Assuming you have created my_policy.rego with your deny rule defined, you simply need to create my_policy_test.rego to define your tests. You can look at the existing policies for examples. There are a few generic mocking functions defined which you might find useful.

Finally, testing the policies, you should see something like this:

$ opa test -v .
data.cloud_platform.admission.test_ingress_create_allowed: PASS (1.956µs)
data.cloud_platform.admission.test_ingress_create_conflict: PASS (1.518µs)
data.cloud_platform.admission.test_ingress_update_same_host: PASS (1.088µs)
data.cloud_platform.admission.test_ingress_update_new_host: PASS (1.246µs)
data.cloud_platform.admission.test_ingress_update_existing_host: PASS (1.417µs)
data.cloud_platform.admission.test_ingress_update_existing_host_other_namespace: PASS (1.295µs)
--------------------------------------------------------------------------------
PASS: 6/6

Additionally, tests will be run against pull requests to the repository in a CircleCI job.

References

This page was last reviewed on 15 May 2023. It needs to be reviewed again on 15 August 2023 by the page owner #cloud-platform .
This page was set to be reviewed before 15 August 2023 by the page owner #cloud-platform. This might mean the content is out of date.