docker-compose部署OPA
docker-compose.yaml
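version: "3.7"
services:
  ext_authz-opa-service:
    # NOTE(review): a floating tag (latest-envoy) pulls whatever was pushed
    # most recently; a new OPA major release can change plugin config or the
    # default Rego syntax and break this deployment on the next pull. Pin a
    # version tag or, better, an image digest.
    image: openpolicyagent/opa:latest-envoy
    volumes:
      # OPA only reads the policy file, so mount it read-only.
      - ./policy.rego:/etc/policy.rego:ro
    ports:
      # Publishes the ext_authz gRPC listener on every host interface. The
      # plugin has no authentication of its own, so anything that can reach
      # the host can query the policy (or flood it). If Envoy runs on the
      # same compose network (not shown here) the mapping is unnecessary —
      # use the service name instead; if it must be published, bind it to
      # loopback: "127.0.0.1:9191:9191".
      - "9191:9191"
    command:
      - run
      - --server
      # REST API (policy and data are writable through it) stays on the
      # container's loopback. It has no authn/authz by default — do not
      # widen this bind.
      - --addr=localhost:8181
      # Health/metrics endpoint: reachable from other containers on the
      # compose network, not published to the host.
      - --diagnostic-addr=0.0.0.0:8282
      # Bundle download over plain HTTP from the container's own loopback.
      # Nothing in this compose file listens on 8888, so as written the
      # bundle plugin keeps retrying and status.console reports the errors.
      # Whoever serves a bundle from this URL controls policy for the paths
      # the bundle claims, so before pointing it at a real server use https
      # and enable bundle signature verification (the `signing` keys on the
      # bundle config).
      - --set=services.default.url=http://127.0.0.1:8888
      - --set=bundles.default.resource=bundle.tar.gz
      # gRPC listener on all container interfaces (published above).
      - --set=plugins.envoy_ext_authz_grpc.addr=:9191
      # Decision evaluated per request: data.envoy.authz.allow.
      - --set=plugins.envoy_ext_authz_grpc.path=envoy/authz/allow
      # Decision logs carry the full `input`, i.e. every request header
      # Envoy forwards (Authorization, Cookie, ...). On the console they end
      # up in the container log stream; mask them with a decision-log mask
      # policy (decision_logs.mask_decision) or turn this off outside demos.
      - --set=decision_logs.console=true
      - --set=status.console=true
      # Ignore hidden files under the loaded paths.
      - --ignore=.*
      - /etc/policy.rego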
policy.rego
# Envoy external authorization policy. The value of `allow` is what the
# envoy_ext_authz_grpc plugin returns to Envoy's ext_authz filter.
# NOTE(review): this is pre-1.0 Rego (rule bodies without `if`); an OPA 1.x
# image presumably rejects it unless run with --v0-compatible — confirm,
# and pin the image version either way.
package envoy.authz
import input.attributes.request.http as http_request
# Deny unless one of the rules below produces a response object.
default allow = false
# Object returned for an allowed request: `allowed: true` plus a header
# Envoy adds to the request before forwarding it upstream. The value is a
# fixed string, not a verified identity — an upstream that treats
# x-current-user as the authenticated principal would see every caller as
# "OPA". Whether a client-supplied x-current-user is overwritten or kept is
# decided by the ext_authz filter configuration — verify on the Envoy side.
response := {
"allowed": true,
"headers": {"x-current-user": "OPA"}
}
# Every GET is allowed, whatever the path and without any credential check.
# Demo-only: scope this to specific paths and callers before relying on it.
allow = response {
http_request.method == "GET"
}
# POST only to the literal path "/livez": the pattern has no wildcard, so
# "/livez/x" does not match, and since Envoy's request.http.path is the full
# request target a query string presumably does not match either — confirm.
allow = response {
http_request.method == "POST"
glob.match("/livez", ["/"], http_request.path)
}