Deploying OPA on AKS

tip

This page contains details in addition to the base Kubernetes documentation for deploying OPA. Please see that page for details on how to deploy OPA on K8s and return here for more AKS specific notes.

Creating a Load Balancer for an OPA Cluster service

If running OPA as a cluster service, you might want to expose the service to the internet or to other, internal, off-cluster PEPs. OPA is generally invoked by other PEP applications rather than by end clients, so a public IP is usually not required.

Internal Load Balancer Service

apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer

warning

If you are exposing an OPA service to the public internet and it is not running behind another service that provides these functions, you are advised to make use of OPA's built-in authentication and authorization features.

External Load Balancer Service

apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
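As an added example that is not part of the OPA or AKS documentation, this is the Deployment the external Service above would front, with OPA started using its token authentication and built-in authorization so that only a PEP presenting the expected bearer token can query the Data API. The token value, the Secret and volume names, and the image tag are placeholders to replace (pin the image and generate a random token in practice).

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: opa-authz-policy
stringData:
  authz.rego: |
    package system.authz
    import rego.v1
    # Placeholder token the off-cluster PEP must present as a bearer token.
    pep_token := "REPLACE-WITH-A-RANDOM-TOKEN"
    default allow := false
    # input.identity is the bearer token OPA took from the Authorization header;
    # only the PEP token may query the Data API (/v1/data/...).
    allow if {
      input.identity == pep_token
      input.path[0] == "v1"
      input.path[1] == "data"
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - run
            - --server
            - --addr=0.0.0.0:8181
            - --authentication=token
            - --authorization=basic
            - /policies
          volumeMounts:
            - name: authz-policy
              mountPath: /policies
              readOnly: true
      volumes:
        - name: authz-policy
          secret:
            secretName: opa-authz-policy
```

With `--authorization=basic` every API request, including health checks, is evaluated against `data.system.authz.allow`, so extend the policy before adding liveness or readiness probes.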

For more information, please see the AKS documentation on load balancers: