# opal
z
Also, whether/how it is possible to use Permit to create a policy for the admission controller along the lines of "CREATE ingress resource if a key/value label is set in the k8s manifest."
o
Hi @zkhan 🙂 The main drawback of not using OPAL to load the data is the extensibility you can have in adding more data sources, and the ability to track the life cycle of the updates with OPAL. But if those are not critical for you, it's okay - and you can always upgrade to OPAL data updates in the future.
Yes, this can technically be done: you could create an ABAC rule in Permit to do something like "key/value label is set in k8s manifest". You can have the relevant data be loaded into an attribute of a resource. You'd probably need to write some Rego glue code to invoke the Permit generated policies. Check the GitOps guide on mixing generated and your own Rego in Git: https://docs.permit.io/integrations/gitops/github
z
Hi @Or Weis, I set up Permit and my OPAL instance to reference the same git repo. I see that Permit added various Rego code. I didn't add any ABAC or RBAC rules in Permit and created a validating webhook for the admission controller. Now every K8S resource fails even with no rules in place, when I was expecting it to allow. The document said I can add Rego in the custom directory, but I feel like I'm going to have to change much more. As it suggests, I should only make updates in the custom directory, otherwise I risk it getting squashed/breaking it. My rego-fu isn't the best, but I'm wondering if I'll be able to accomplish what I'm trying to do by just adding Rego in the custom directory, or if I can remove/change the other Rego code Permit added outside of the custom directory?
o
Hi @zkhan - sorry for the delayed reply, was busy here -

https://www.youtube.com/watch?v=E4-mCWSsQFc

A few follow-up questions:
• Which policy rule are you invoking from the admission controller, and what input are you passing with it?
  ◦ For Permit policies you're expected to call `/v1/data/permit/root` with input `{resource, user, action}`
    ▪︎ see screenshot for more details
• Can you share some logs?
You could potentially add your own separate Rego policies and invoke them directly (ignoring the Permit generated code, or importing specific packages from it, and just using the data it generates); the warning is mostly about not changing the Permit generated code itself. Adding other packages separately should be fine.
Also adding @Shaul Kremer, @Asaf Cohen - re the custom folder and how much you can change without breaking it.