This playground uses the following technology so you will need to check they are installed:
- VS Code
- opa Extension for VSCode
- Terminal (We use Bash)
- Rego Playground
- Some knowledge of basic service mesh and ingress traffic
- Some knowledge of programming fundamenals
OPA's purpose-built, declarative language Rego. Rego includes rich support for traversing nested documents and transforming data using syntax inspired by dictionary and array access in languages like Python and JSONPath. In this playground we are going to build a web application in python and Flask via the TDD process. We will write tests to describe the functionality of the components.
To get the environment prepared for the event you will need your meetup username.
You can find while logged in at meetup.com as in the example below
Copy the username, in the above example it is DevOps Playground, and go to lab.devopsplayground.org and paste your username to the form like in the example below
Copy the IDE link
Open a new tab and paste that link into the address bar of the new tab.
You should be presented with VS Code which should look something like this:
Getting Started: In your labs folder navigate to Lab01 and open the getting started file - getting-started.md
This is a walkthrough of the basics of rego language: here we will review the types and rules of writing rego
In your labs folder navigate to Lab01 and open the getting started file - language-basic.md
OPEN the link to the rego playground https://play.openpolicyagent.org/p/pcXnGFFBb0
Rules Copy and paste the following section into your playground
allow_world if {
"world" != "world"
}
allow_new_world if {
"world" == "world"
}Copy and paste the following section into your playground Condition
greeting := true {
data.greetings == "hello world"
input.message == "worlds"
}OPEN the link to the rego playground on a new tab on your browser https://play.openpolicyagent.org/p/AyJQ4vOrHX
Demo Labs
In this lab will will be reviewing the policy we have already defined in our configmap
https://play.openpolicyagent.org/p/cFmhezkVGI
Run the following command on your workstation to inspect our configmap
kubectl get configmap opa-policy -o yaml
Lets deploy our application: Book-Info Application
Installing the book info Application
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yamlInstalling the book info Ingress
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yamlverify that your pods are running ok
kubectl get podsRun the following coming to verify that your caan access the product package
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"You should see the following output
<title>Simple Bookstore App</title>
Test to confirm that user alice has product page access
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage --user alice:passwordTest to confirm that user alice has API endpoint access
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/api/v1/products --user alice:passwordRepeat same steps for user bob who is an admin
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage --user bob:password kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/api/v1/products --user bob:passwordGet the current authorizationpolicy
kubectl get authorizationpolicyEdit the authorizationpolicy and change the label to app: productpage
kubectl edit authorizationpolicy-
press escape on your key board
-
and type wq! to save changes
kubectl get authorizationpolicyChecking the logs
kubectl logs opa-6fd9dbb96-89gm8|grep decision