1

"Open Policy Agent" & "Knative" each provide a tutorial for integration with "Istio". There's a lighter alternative to "Istio": "Kourier", which requires fewer resources.

Is there a way to integrate "Open Policy Agent" with "Kourier"?

"Istio" & "Kourier" both use Envoy (proxy).

I am a newbie on "Kubernetes"; any help is welcome ^_^

WCdr

1 Answer

1

I'm not sure what you're going to use OPA for here; if you're trying to constrain the types of resources which can be created, OPA + Gatekeeper should work fine, though Kourier only implements an internal-to-Knative interface, so you might not get as much mileage out of the integration.

If you're trying to use OPA to govern or restrict actual HTTP requests to the workload, Kourier doesn't have that capability out of the box (on purpose). You could fork it and add the functionality, but at that point it might be easier just to run Istio in non-mesh mode.

E. Anderson
  • Thanks for the answer. I'm trying to control access to a microservice using JWT: 1 - Users get a token. 2 - Users make a query and add the token to the header. 3 - The gateway allows access if the token is OK, otherwise it returns an error. I tried the script from the "Knative Cookbook" to deploy Istio, but it's outdated! – WCdr Mar 20 '22 at 10:11
  • For Istio, there's a nice tutorial on installing Istio on Knative: https://docs.ovh.com/us/en/kubernetes/installing-istio – WCdr Mar 20 '22 at 14:37
  • As I mentioned, Kourier doesn't have this sort of data-path authorization capability; Istio makes it easy to add policy to existing routes without needing to update the route resource itself (which may be managed by a Knative controller), but we're hopeful that the Gateway API will standardize this sort of interface: https://gateway-api.sigs.k8s.io/ – E. Anderson Mar 23 '22 at 16:01
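
The JWT flow described in the comments, expressed as Istio policy attached to the ingress gateway rather than to the Knative-managed route. This is an added example, not part of the original thread; the issuer, JWKS URL, resource names and service hostname are placeholders, and the `istio: ingressgateway` label in `istio-system` is assumed from a default Istio install.

```yaml
# Step 3 of the flow: the gateway validates the bearer token.
# RequestAuthentication rejects requests carrying an invalid or expired JWT,
# but on its own it still lets through requests that carry no token at all.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-at-ingress            # placeholder name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway       # assumed default gateway label
  jwtRules:
  - issuer: "https://issuer.example.com"                        # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # placeholder JWKS
---
# Close the "no token" gap: deny any request to the service's host that has
# no authenticated request principal (i.e. no validated JWT).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt               # placeholder name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        # Placeholder Knative service host; list the host:port form too,
        # since clients may send the port in the Host header.
        hosts:
        - "hello.default.example.com"
        - "hello.default.example.com:*"
```

Both resources are needed together: the first alone accepts anonymous requests, and the second alone has no issuer or keys to validate tokens against.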