Skip to main content

Authorization

The Open Policy Agent server that runs as a part of the Envoy system has its APIs protected by Basic Authorization.

The system.authz policy controls which Open Policy Agent APIs are accessible. The Kubernetes system type bootstraps itself with a default Authorization policy as part of the install manifest. For V2, this is the default policy.

package system.authz

TOKEN=<generated from filesystem at install time>

default allow = false

# Allow anonymous access to the default policy decision.
allow { input.path = ["v0", "data", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "policy", "com.styra.kubernetes.mutating", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "policy", "com.styra.kubernetes.validating", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "main", "main"]; input.method = "POST" }

# This is only used for health check in liveness and readiness probe
allow { input.path = ["health"]; input.method = "GET" }

# This is only used for prometheus metrics
allow { input.path = ["metrics"]; input.method = "GET" }
allow { input.identity == "$TOKEN" }

The Open Policy Agent server will override the above default system.authz policy if one exists in the bundle. You can add an override policy to the bundle via the UI by creating a policy under the path system/authz/authz.rego.

Here's an example of what an override policy could look like. For example, let's say you do not want to enable prometheus metric exporting and that you have set up custom liveliness policies.

package system.authz

# Allow anonymous access to the default policy decision.
allow { input.path = ["v0", "data", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "policy", "com.styra.kubernetes.mutating", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "policy", "com.styra.kubernetes.validating", "main", "main"]; input.method = "POST" }
allow { input.path = ["v0", "data", "main", "main"]; input.method = "POST" }

# This is only used for health check in liveness and readiness probe
allow { input.path = ["health"]; input.method = "GET" }

# Allow the liveliness and readiness health check endpoint
allow { input.path = ["health", "live"]; input.method = "GET" }
allow { input.path = ["health", "ready"]; input.method = "GET" }