Questions tagged [open-policy-agent]

Open Policy Agent is an open source, general-purpose policy engine that enables policy-based control across the stack. Use this tag for questions related to using OPA, the Rego Language, or any of its derivatives (such as Gatekeeper or Conftest).

The Open Policy Agent is an open source, general-purpose policy engine that unifies policy enforcement across the stack.

240 questions
3 votes, 1 answer

How to Whitelist a Container using the Open Policy Agent Gatekeeper K8sPSPCapabilities Constraint Template

I'd like to whitelist a container in the K8sPSPCapabilities constraint template but am having some difficulty with the Rego language. I'd like to disallow the NET_RAW capability for all containers except a specific container. Would appreciate it…

3 votes, 2 answers

rego_type_error: undefined function

I am new to OPA and rego files. I have created a rego file like this: package sample.access import data.myaccess default allow = false allow = true { myaccess.is_user_allowed(input.user) } And, I have created a test rego file like this…
Asked by sharmila

3 votes, 2 answers

open policy agent - How to persist policies from REST API?

I'm new to OPA (Open Policy Agent) and trying to create a new policy using the REST API /v1/policies/{id}. It works! But OPA server saves it to memory, and after rebooting all my policies are removed. How can I fix it, which parameters should I use to…
Asked by JavaDevS

3 votes, 1 answer

OPA engine support for concurrent calls

How many concurrent REST Put/Patch calls can an OPA engine support to update the policy/data? I tried looking through the documentation, but couldn't find any information pertaining to this.
Asked by ShrewdCleric

3 votes, 1 answer

Unable to request resources using http.send

When I run the following code: data := response { response := http.send({ "method" : "GET", "url": "https://httpbin.org/status/200" }) } I get this error: 1 error occurred: policy.rego:4: rego_type_error: unsafe built-in…
Asked by Karim H

3 votes, 1 answer

Open policy agent satisfy condition for all array items

Trying to wrap my head around this issue for a while - I have a JSON input which contains an array, say something like this: { "array" : [ {"foo": "bar"}, {"foo": "buzz"}, {"misbehaving": "object"} ] } My goal is to…
Asked by FitzChivalry

3 votes, 1 answer

Why do we need OPA gatekeeper?

I am trying to understand what OPA (Open Policy Agent) is and its use cases, and I'm at the basic stage. When I was reading an OPA article I got to know about OPA Gatekeeper, but I don't have a clear understanding of why we need this OPA…
Asked by user10960174

3 votes, 1 answer

How to do a || "b" in rego

We validate objects with and without namespaces, and I always want to print what the current namespace is ... but fall back to "" or some other default value when no namespace is set. Using the naive input.review.object.metadata.namespace directly…
Asked by grosser

2 votes, 1 answer

set annotation/label with slash (/) in mutating-webhook of opa-gatekeeper

Due to company policies I have to replace my Kyverno rules with OPA ones. One of my rules is that I want to add all pods of a specific namespace to our service mesh (we're using Kuma). So for this I have to add the following…
Asked by Zwelch

2 votes, 1 answer

OPA REGO: How to find all not matching items in another dictionary?

Given input as follows: { "source": "serverA", "destination": "serverB", "rules": { "tcp": { "ssh": [ 22 ], "https": [ 8443 ] }, …
Asked by Matikk

2 votes, 1 answer

OPA/rego result is true even if a comparison evaluates to false

I just started to use OPA, so there is a high chance I'm doing something wrong. I have the following input: { "request": { "principalId": "user1", "scope": "/workspaces/1/environments/dev/deployments/123", "requiredPermissions": [ …
Asked by tiwood

2 votes, 1 answer

Overlapping roots across multiple bundles

I was trying to understand the significance of roots. As per the docs: "The roots are not overlapping (e.g., a/b/c and a/b are overlapped and will result in an error.) Note: This is not enforced across multiple bundles. Only within the same bundle…"

2 votes, 0 answers

Opa Bundle with aws s3 configuration

I am new to the OPA server. I am working on using OPA as an authorizer for multiple policies, and the use case is that I upload multiple policies to an S3 bucket and then each policy has its own link like /opa/example/allow or /opa/example1/approve. Now I want to…
Asked by Vasu Gupta

2 votes, 3 answers

VSCode Rego Plugin opa evaluate not working as expected

I'm learning OPA and Rego. I'm trying to write a simple policy and have it evaluated through the VSCode plugin. Folder Structure: learning.rego package learning test { a := "test" a == "test" } input.json {} And when I choose "OPA:…

2 votes, 1 answer

What is the exact difference between "violation" and "deny" in OPA/Rego?

In Open Policy Agent (https://www.openpolicyagent.org/) regarding Kubernetes, depending on which engine is used: Gatekeeper: https://github.com/open-policy-agent/gatekeeper OR plain OPA with kube-mgmt:…
Asked by csviri