In the OPA for Kubernetes labs, in Q5,
the ConfigMap to be created does not have the label (openpolicyagent.org/policy: rego) in the solution. However, when creating the ConfigMap, this one gets a related annotation, and then the ConfigMap works with OPA without the label.
Is this because there is some admission controller that checks the ConfigMaps?
```shell
k create configmap untrusted-registry --from-file /root/untrusted-registry.rego
```
The ConfigMap didn't have the label, but it did have an OPA annotation:
```shell
root@controlplane ~ ➜ k get -o yaml cm untrusted-registry
```
```yaml
apiVersion: v1
data:
  untrusted-registry.rego: |2
    package kubernetes.admission

    deny[msg] {
      input.request.kind.kind == "Pod"
      image := input.request.object.spec.containers[_].image
      not startswith(image, "hooli.com/")
      msg := sprintf("image '%v' comes from untrusted registry", [image])
    }
kind: ConfigMap
metadata:
  annotations:
    openpolicyagent.org/policy-status: '{"status":"ok"}'
  creationTimestamp: "2022-07-07T08:49:31Z"
  name: untrusted-registry
  namespace: opa
  resourceVersion: "1743"
  uid: 1934a54a-059d-445f-a572-70dc4e8f9bbb
```
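As an added illustration, not part of the original post, the lab, or OPA/kube-mgmt itself: the deny rule from the untrusted-registry.rego ConfigMap above, re-implemented line by line in plain Python and run against constructed AdmissionReview requests, so you can see what that policy rejects without a cluster. The function names (`make_pod_review`, `deny_messages`, `is_allowed`) and the sample requests are my own assumptions; the matching logic is exactly the Rego's, including that it only walks `spec.containers`.

```python
# Added example (not code from the original post, the lab, or OPA/kube-mgmt):
# a plain-Python mirror of the deny rule in untrusted-registry.rego, evaluated
# against constructed AdmissionReview requests so the policy can be exercised
# without a cluster. Function names and sample requests are my own.

TRUSTED_PREFIX = "hooli.com/"  # same literal as the Rego: startswith(image, "hooli.com/")


def make_pod_review(images, init_images=(), kind="Pod"):
    """Build a minimal AdmissionReview-shaped dict (constructed sample input).

    Only the fields the Rego touches are filled in:
    input.request.kind.kind and input.request.object.spec.containers.
    """
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "kind": {"group": "", "version": "v1", "kind": kind},
            "operation": "CREATE",
            "object": {
                "spec": {
                    "containers": [
                        {"name": f"c{i}", "image": img} for i, img in enumerate(images)
                    ],
                    "initContainers": [
                        {"name": f"init{i}", "image": img}
                        for i, img in enumerate(init_images)
                    ],
                }
            },
        },
    }


def deny_messages(admission_review):
    """Mirror of the Rego `deny[msg] { ... }` rule.

    Returns the deny set as an ordered, de-duplicated list (`deny` is a Rego
    set, so two containers with the same bad image produce one message).
    Exactly like the Rego it walks only spec.containers[_]; initContainers
    and ephemeralContainers are not inspected by that rule.
    """
    request = admission_review.get("request", {})
    if request.get("kind", {}).get("kind") != "Pod":
        return []  # first condition of the rule body fails: no deny message
    containers = request.get("object", {}).get("spec", {}).get("containers", [])
    msgs = []
    for container in containers:
        image = container.get("image", "")
        if not image.startswith(TRUSTED_PREFIX):
            msg = f"image '{image}' comes from untrusted registry"
            if msg not in msgs:
                msgs.append(msg)
    return msgs


def is_allowed(admission_review):
    """What the webhook's `allowed` field would be under this policy:
    true iff the deny set is empty."""
    return not deny_messages(admission_review)


if __name__ == "__main__":
    samples = {
        "trusted image": make_pod_review(["hooli.com/nginx:1.25"]),
        "public image": make_pod_review(["nginx:1.25"]),
        "mixed pod": make_pod_review(["hooli.com/app:1", "docker.io/library/redis:7"]),
        "look-alike registry": make_pod_review(["hooli.com.evil.example/app:1"]),
        "untrusted initContainer only": make_pod_review(
            ["hooli.com/app:1"], init_images=["busybox"]
        ),
        "non-Pod kind": make_pod_review(["nginx:1.25"], kind="Deployment"),
    }
    for label, review in samples.items():
        print(f"{label:30} allowed={is_allowed(review)} {deny_messages(review)}")
```

Running it shows three things worth knowing about this rule: the trailing slash in "hooli.com/" is what stops a look-alike host such as hooli.com.evil.example from passing; a Pod whose only untrusted image sits in initContainers is allowed, because the rule reads spec.containers and nothing else; and a Deployment request is never denied by this rule since its first condition requires kind Pod (the Pods its controller later creates are separate admission requests).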