Alibaba Cloud Service Mesh:Control the injection scope of OPA sidecar proxies

Last Updated:Mar 11, 2024

Open Policy Agent (OPA) lets you define access control policies for an application after an OPA sidecar proxy is injected into it. To apply fine-grained authorization and access control only to applications in specific namespaces, enable the feature that controls the injection scope of OPA sidecar proxies. With this feature enabled, OPA sidecar proxies are injected only into pods in namespaces that carry the opa-istio-injection=enabled label; pods in other namespaces receive no OPA sidecar.

Prerequisites

  • A Container Service for Kubernetes (ACK) cluster is added to a Service Mesh (ASM) instance whose version is 1.12.4.19 or later. For more information, see Add a cluster to an ASM instance.

  • Two namespaces named default and develop are created. For more information, see Manage namespaces and resource quotas.

  • An NGINX application is deployed in the default namespace and a sleep application is deployed in the develop namespace. For more information, see Create a stateless application by using a Deployment.

    To create the NGINX application and the sleep application:

    1. Create an nginx.yaml file and a sleep.yaml file with the corresponding code shown in the following code blocks:

      nginx.yaml

      apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
          matchLabels:
            app: nginx
        replicas: 1
        template:
          metadata:
            labels:
              app: nginx
              sidecarset-injected: "true"
          spec:
            containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
              - containerPort: 80
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
      spec:
        ports:
          - name: http
            port: 80
            protocol: TCP
            targetPort: 80
        selector:
          app: nginx
        type: ClusterIP

      sleep.yaml

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
          service: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            terminationGracePeriodSeconds: 0
            serviceAccountName: sleep
            containers:
            - name: sleep
              image: curlimages/curl
              command: ["/bin/sleep", "infinity"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: sleep-secret
                optional: true
      ---
    2. Run the following commands to deploy the NGINX application in the default namespace and deploy the sleep application in the develop namespace:

      kubectl apply -f nginx.yaml -n default
      kubectl apply -f sleep.yaml -n develop

Step 1: Enable the OPA plug-in and the feature of controlling the injection scope of OPA sidecar proxies

In this example, after you enable the OPA plug-in and the feature of controlling the injection scope of OPA sidecar proxies, you add the opa-istio-injection=enabled label to the default namespace and leave the develop namespace unlabeled. You then verify that the injection scope is controlled by checking that an OPA sidecar proxy is injected into the NGINX application (default namespace) but not into the sleep application (develop namespace).

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > OPA Policy.

  3. On the OPA Policy page, select Enable Open Policy Agent (OPA) Plug-in and Enable OPA Injection Range Control, and then click Enable OPA. In the Note message, click OK.

Step 2: Add the required label to a namespace

The following section describes how to add the opa-istio-injection=enabled label to the default namespace in the ACK console. You can also use kubectl to connect to the ACK cluster and run the kubectl label namespace default opa-istio-injection=enabled --overwrite command to add the opa-istio-injection=enabled label to the default namespace. For more information about how to connect to a cluster, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and click Namespaces and Quotas in the left-side navigation pane.

  3. On the Namespace page, click Edit in the Actions column of the default namespace.

  4. In the Edit Namespace dialog box, set label name to opa-istio-injection, set label value to enabled, click Add, and then click OK.

Step 3: Restart applications

In this step, restart the applications by deleting their pods. Sidecar injection happens when a pod is created, so pods that already exist are not modified; a pod must be recreated before the new setting takes effect. After an application is restarted, an OPA sidecar proxy is automatically injected into its new pods if the namespace to which the application belongs has the required label.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

  3. In the upper part of the Pods page, set Namespace to default and choose More > Delete in the Actions column of the pod on which the NGINX application is deployed. In the Note dialog box, click OK.

    If the application has multiple pods, delete all of them so that every pod is recreated. The Deployment creates a replacement pod automatically; once the state of the new pod is Running, the restart is complete.

  4. Repeat the preceding operations in this step to restart the pod of the sleep application in the develop namespace.

Step 4: Check whether the control on the injection scope is successful

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

  3. On the Pods page, check whether OPA sidecar proxies are injected into the NGINX and sleep applications.

    • Set Namespace to default and click the pod name of the NGINX application. opa-istio is displayed on the Container tab, which indicates that an OPA sidecar proxy is injected into the NGINX application.

    • Set Namespace to develop and click the pod name of the sleep application. opa-istio is not displayed on the Container tab, which indicates that no OPA sidecar proxy is injected into the sleep application.

    The verification results show that after you enable the feature of controlling the injection scope of OPA sidecar proxies, an OPA sidecar is injected only into applications in a namespace that carries the opa-istio-injection=enabled label. This confirms that the injection scope of OPA sidecar proxies is under your control.
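The same procedure (Steps 2 to 4) can be driven from kubectl instead of the console. The following script is an added example, not Alibaba Cloud's own tooling: it labels the default namespace, restarts both workloads with kubectl rollout restart (which recreates the pods without deleting them by hand), and then compares each pod's container list against the namespace label, so a missing or misspelled label shows up as a FAIL line rather than a silent gap in policy enforcement. It assumes the namespaces and workloads from the prerequisites (default/nginx-deployment and develop/sleep), a kubeconfig for the ACK cluster, and that only the exact label value enabled selects a namespace. The container names used in the offline self-check (nginx, sleep, istio-proxy, opa-istio) are constructed sample data; only opa-istio is taken from the page.

```shell
#!/usr/bin/env sh
# Added example (not Alibaba Cloud's own tooling): label namespaces, restart
# workloads and verify per pod whether the opa-istio sidecar is present.
# Assumes default/nginx-deployment and develop/sleep from the prerequisites and
# a working kubeconfig. Set RUN_LIVE=1 to run the kubectl commands; otherwise
# only the offline self-check with constructed container lists runs.

OPA_LABEL_KEY="opa-istio-injection"
OPA_LABEL_VALUE="enabled"
OPA_CONTAINER="opa-istio"

# Return 0 if a space-separated container list (the shape produced by
# kubectl get pod -o jsonpath='{.spec.containers[*].name}') contains opa-istio.
has_opa_sidecar() {
  for c in $1; do
    [ "$c" = "$OPA_CONTAINER" ] && return 0
  done
  return 1
}

# Assumption: only the exact value "enabled" selects a namespace; an absent,
# empty or differently cased value must not.
label_selects_namespace() {
  [ "$1" = "$OPA_LABEL_VALUE" ]
}

# Compare expectation (from the label) with observation (from the containers).
# $1 = namespace, $2 = pod, $3 = namespace label value, $4 = container list
check_pod() {
  ns=$1; pod=$2; label=$3; containers=$4
  if label_selects_namespace "$label"; then want=1; else want=0; fi
  if has_opa_sidecar "$containers"; then got=1; else got=0; fi
  if [ "$want" = "$got" ]; then
    echo "OK   $ns/$pod: opa-istio injected=$got (label=${label:-<none>})"
    return 0
  fi
  echo "FAIL $ns/$pod: expected injected=$want, got $got (label=${label:-<none>})"
  return 1
}

# Live path: Steps 2 to 4 against the real cluster.
live_check() {
  kubectl label namespace default "$OPA_LABEL_KEY=$OPA_LABEL_VALUE" --overwrite
  # Roll the Deployments instead of deleting pods one by one; the replacement
  # pods pass through the injection webhook on creation.
  kubectl rollout restart deployment/nginx-deployment -n default
  kubectl rollout restart deployment/sleep -n develop
  kubectl rollout status deployment/nginx-deployment -n default --timeout=120s
  kubectl rollout status deployment/sleep -n develop --timeout=120s
  rc=0
  for ns in default develop; do
    label=$(kubectl get namespace "$ns" -o jsonpath="{.metadata.labels.$OPA_LABEL_KEY}")
    for pod in $(kubectl get pods -n "$ns" -o jsonpath='{.items[*].metadata.name}'); do
      containers=$(kubectl get pod "$pod" -n "$ns" -o jsonpath='{.spec.containers[*].name}')
      check_pod "$ns" "$pod" "$label" "$containers" || rc=1
    done
  done
  return $rc
}

# Offline self-check with constructed container lists mirroring what the page
# shows: the pod in the labeled namespace has opa-istio, the other does not.
offline_check() {
  check_pod default nginx-deployment-abc12 enabled "nginx istio-proxy opa-istio" &&
  check_pod develop sleep-def34 "" "sleep istio-proxy"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then live_check; else offline_check; fi
```

Run it with RUN_LIVE=1 after Step 1 to perform and verify Steps 2 to 4 in one pass; the exit status is non-zero if any pod's injection state disagrees with its namespace label, which makes the check usable in a pipeline gate.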