# opal
s
o
Or Kubernetes as OPAL client
o
Hi @Oleg Gumbar yes, simply instead of having the OPAL client run OPA inline for you, you can have it connect and administer an external OPA:
s
GK doesn’t expose any OPA APIs. so it’s a no, I’m afraid.
(Or consume bundles. GK only does its very own things.)
o
So that probably means I need one OPA to manage Kubernetes auth and OPAL to manage external systems =/
s
If you use GK for admission control, you cannot use it with OPAL. But you can totally use plain OPA for the k8s admission control, too.
o
You can still use the k8s admission control webhook with OPA and OPAL
s
yeah. that’s what I meant. No need for GK unless you want its other features.
o
Seems to be a working option. Are there good starting points to explore how to organise a policy repo?
o
Really depends on what your scenario is. A common pattern would be to have clusters or tenants split into different folders under the repo. Also if you use OPAL scopes you can use different repos altogether https://docs.opal.ac/overview/scopes
o
Not good, since different folders for different clusters implies a lot of copy-paste in case they have a lot of common policies
o
As I said it's just an example, you can divide the policies in your repo as you see fit.
o
Is there a possibility to reuse policies?
o
Btw scopes can also be used for different branches and not full repos. But topics are folder based by default
Yes of course you can reuse policies, you simply import them as packages in your rego code
o
Oh, true)
o
The topics/folders or scopes only control what gets synced to each OPA instance, not how you invoke it
o
That’s rego
Thanks, will try to make some PoCing