Deploying OPA on AWS EKS
This page contains details in addition to the base Kubernetes documentation for deploying OPA. Please see that page for details on how to deploy OPA on K8s and return here for more EKS specific notes.
Creating a Load Balancer for an OPA cluster service
If you run OPA as a cluster service, you may want to expose it to the public internet or to other internal, off-cluster PEPs. OPA is usually invoked by PEP applications rather than by end clients, so a public IP is generally not required. The Service below exposes OPA on port 8181 through a load balancer without requesting an internet-facing scheme, which suits callers inside the VPC:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```
If you expose an OPA service to the public internet, you are advised to use OPA's built-in authentication and authorization features unless OPA runs behind another service that provides these functions. The Service below requests an internet-facing Network Load Balancer:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```
For more information, please see the EKS Network Load Balancer documentation.
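The advice above to rely on OPA's built-in authentication and authorization when the service is internet-facing is easy to state but rarely shown end to end. The manifests below are an added example, not part of the OPA documentation or the OPA project's own deployment files. They assume the AWS Load Balancer Controller Service from the previous section fronts a Deployment labelled `app: opa`, and the names `opa-authz-policy`, `opa-pep-tokens`, the PEP name `payments-gateway` and the token value are placeholders constructed for this example. OPA is started with `--authentication=token` (callers must send `Authorization: Bearer <token>`) and `--authorization=basic` (every API request is checked against `data.system.authz.allow`); the policy admits only tokens listed in a Secret-mounted data file, plus unauthenticated `GET /health` so kubelet and load balancer health checks keep working.

```yaml
# Added example (not from the OPA docs): OPA with bearer-token authentication
# and a system.authz policy so that only registered PEP tokens can query it.
# Names (opa-authz-policy, opa-pep-tokens, payments-gateway) and the token
# value are placeholders constructed for this example.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-authz-policy
data:
  authz.rego: |
    package system.authz

    import rego.v1

    # Reject every API call that is not explicitly allowed below.
    default allow := false

    # Health probes need no token (kubelet readiness and load balancer checks).
    allow if {
      input.method == "GET"
      input.path == ["health"]
    }

    # Registered PEPs may request policy decisions under /v1/data/...
    # With --authentication=token, input.identity is the bearer token value,
    # so the lookup below succeeds only for tokens present in data.pep_tokens.
    allow if {
      input.method == "POST"
      input.path[0] == "v1"
      input.path[1] == "data"
      data.pep_tokens[input.identity]
    }
---
apiVersion: v1
kind: Secret
metadata:
  name: opa-pep-tokens
type: Opaque
stringData:
  # Constructed placeholder mapping token -> PEP name. Generate real tokens
  # with a CSPRNG and manage them outside this manifest (e.g. a secrets store).
  data.json: |
    {"pep_tokens": {"REPLACE-WITH-RANDOM-TOKEN": "payments-gateway"}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  replicas: 2
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest   # pin a release tag in production
          args:
            - run
            - --server
            - --addr=0.0.0.0:8181
            - --authentication=token     # require "Authorization: Bearer <token>"
            - --authorization=basic      # enforce data.system.authz.allow per request
            - /policies                  # authz.rego from the ConfigMap
            - /secrets                   # data.json from the Secret (loaded as data)
          ports:
            - containerPort: 8181
          readinessProbe:
            httpGet:
              path: /health
              port: 8181
          volumeMounts:
            - name: policy
              mountPath: /policies
              readOnly: true
            - name: tokens
              mountPath: /secrets
              readOnly: true
      volumes:
        - name: policy
          configMap:
            name: opa-authz-policy
        - name: tokens
          secret:
            secretName: opa-pep-tokens
```

The bearer token travels in the HTTP `Authorization` header, so on an internet-facing listener it must be protected by TLS: either terminate TLS on OPA itself with `--tls-cert-file` and `--tls-private-key-file`, or terminate it on the NLB and keep the OPA target reachable only from the load balancer's security group. Rotating a token is then a matter of updating the `opa-pep-tokens` Secret and restarting the pods, with no change to the policy.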