The tips below cover the OPA-Kubernetes integration that uses kube-mgmt. The OPA Gatekeeper version has its own docs.

If you are loading policies into OPA via kube-mgmt you can check the openpolicyagent.org/policy-status annotation on the ConfigMaps that contain your policies. The annotation should be set to "ok" if the policy was loaded successfully. If errors occurred during loading (e.g., because the policy contained a syntax error) the cause will be reported here.

If the annotation is missing entirely, check the kube-mgmt container logs for connection errors between the container and the Kubernetes API server.
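The following script is an added example (not code from the page or the OPA project) that turns the check above into something repeatable: it reads the JSON that `kubectl get configmaps -n opa -o json` would return and reports, per ConfigMap, whether the policy-status annotation says ok, carries an error, or is missing (the case that points at kube-mgmt connectivity). The input is a constructed sample, and the script assumes the annotation value is either the bare string "ok" or a JSON object with a "status" field and, on failure, an "error" object with a "message".

```python
import json

POLICY_STATUS = "openpolicyagent.org/policy-status"

# Constructed stand-in for `kubectl get configmaps -n opa -o json`; not real cluster output.
SAMPLE_CONFIGMAPS = {
    "items": [
        {"metadata": {"name": "ingress-conflicts",
                      "annotations": {POLICY_STATUS: '{"status":"ok"}'}}},
        {"metadata": {"name": "broken-policy",
                      "annotations": {POLICY_STATUS:
                          '{"status":"error","error":{"code":"invalid_parameter",'
                          '"message":"rego_parse_error: unexpected eof token"}}'}}},
        {"metadata": {"name": "never-loaded", "annotations": {"other": "x"}}},
        {"metadata": {"name": "no-annotations"}},
    ]
}


def policy_status(configmap):
    """Classify one ConfigMap as 'ok', 'error: <message>' or 'missing'."""
    meta = configmap.get("metadata", {})
    raw = (meta.get("annotations") or {}).get(POLICY_STATUS)
    if raw is None:
        # No annotation at all: kube-mgmt never reported on this ConfigMap,
        # so check its logs for API server connection errors.
        return "missing"
    # Assumption: either the bare string "ok" or a JSON object with "status"
    # and, on failure, an "error" object carrying a "message".
    try:
        parsed = json.loads(raw)
    except ValueError:
        parsed = {"status": raw}
    if not isinstance(parsed, dict):
        parsed = {"status": str(parsed)}
    status = parsed.get("status")
    if status == "ok":
        return "ok"
    err = parsed.get("error") or {}
    message = err.get("message") if isinstance(err, dict) else str(err)
    return f"error: {message or status or raw}"


def summarize(configmap_list):
    """Map ConfigMap name -> status for every item in a kubectl list response."""
    return {cm["metadata"]["name"]: policy_status(cm)
            for cm in configmap_list.get("items", [])}


if __name__ == "__main__":
    for name, status in summarize(SAMPLE_CONFIGMAPS).items():
        print(f"{name}: {status}")
```

Pipe real output in with `kubectl get configmaps -n opa -o json | python3 check_status.py` after replacing the sample with `json.load(sys.stdin)`; any "missing" entry is the one to chase in the kube-mgmt logs.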

Check the kube-mgmt container logs for error messages

When kube-mgmt is healthy, the container logs will be quiet/empty. If you are trying to enforce policies based on Kubernetes context (e.g., to check for ingress conflicts) then you need to make sure that kube-mgmt can replicate Kubernetes objects into OPA. If kube-mgmt is unable to list/watch resources in the Kubernetes API server, they will not be replicated into OPA and the policy will not get enforced.

Check for POST requests in the opa container logs

When the Kubernetes API server queries OPA for admission control decisions, it sends HTTP POST requests. If there are no POST requests contained in the container logs, it indicates that the webhook configuration is wrong or there is a network connectivity problem between the Kubernetes API server and OPA.

  • If you have access to the Kubernetes API server logs, review them to see if they indicate the cause.
  • If you are running on AWS EKS make sure your security group settings allow traffic from Kubernetes “master” nodes to the node(s) where OPA is running.
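As an added example (not from the page or the OPA project), the script below scans opa container log lines for the POST requests described above and counts them per path, so an empty result immediately flags a webhook or connectivity problem. The log lines are constructed; they assume OPA's info-level request logging, in which each incoming request is a JSON record with msg "Received request." plus req_method and req_path fields, and that the webhook posts to the root path "/" where OPA serves its default decision (data.system.main).

```python
import json
from collections import Counter

# Constructed opa container log excerpt (not real logs). Field names follow
# OPA's per-request logging; the webhook hits "/" (the default decision).
SAMPLE_OPA_LOG = """\
{"level":"info","msg":"Initializing server.","addrs":[":8181"]}
{"client_addr":"10.0.0.1:50321","level":"info","msg":"Received request.","req_id":1,"req_method":"GET","req_path":"/health"}
{"client_addr":"10.0.0.1:50321","level":"info","msg":"Sent response.","req_id":1,"resp_status":200}
{"client_addr":"10.0.0.9:41002","level":"info","msg":"Received request.","req_id":2,"req_method":"POST","req_path":"/"}
{"client_addr":"10.0.0.9:41002","level":"info","msg":"Sent response.","req_id":2,"resp_status":200}
{"client_addr":"10.0.0.9:41004","level":"info","msg":"Received request.","req_id":3,"req_method":"POST","req_path":"/"}
not a json line at all
{"client_addr":"10.0.0.3:33000","level":"info","msg":"Received request.","req_id":4,"req_method":"POST","req_path":"/v1/policies/example"}
"""


def post_requests(log_text):
    """Count POST requests per path across OPA's request log records."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # plain-text lines are not request records
        if not isinstance(entry, dict) or entry.get("msg") != "Received request.":
            continue  # only the "Received request." record carries method/path
        if entry.get("req_method") == "POST":
            counts[entry.get("req_path", "?")] += 1
    return dict(counts)


def admission_traffic_seen(log_text):
    """True if the API server reached OPA with at least one POST."""
    return sum(post_requests(log_text).values()) > 0


if __name__ == "__main__":
    print(post_requests(SAMPLE_OPA_LOG))
    print("admission traffic seen:", admission_traffic_seen(SAMPLE_OPA_LOG))
```

Feed `kubectl logs -n opa <pod> -c opa` into it; if the only POSTs are to /v1/policies (kube-mgmt loading policies) and none to the webhook path, the webhook configuration or network path is the problem, not the policy.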

When you create the webhook according to the installation instructions, it includes a namespaceSelector so that you can decide which namespaces to ignore.

If OPA seems to not be making the decisions you expect, check if the namespace is using the label openpolicyagent.org/webhook: ignore.

If OPA is making decisions on namespaces (like kube-system) that you would prefer OPA would ignore, assign the namespace the label openpolicyagent.org/webhook: ignore.
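To make the namespaceSelector behaviour above checkable without a cluster, here is an added example (not code from the page or the OPA project) that evaluates a Kubernetes label selector against a namespace's labels. It assumes the webhook's selector is the NotIn expression on the openpolicyagent.org/webhook label shown in the block, and it goes beyond that single case by implementing all four matchExpressions operators (In, NotIn, Exists, DoesNotExist) plus matchLabels with standard Kubernetes semantics, so it can also be used on a customised selector.

```python
# Selector the installation's webhook uses (assumption): skip namespaces
# labelled openpolicyagent.org/webhook=ignore, admit everything else.
IGNORE_SELECTOR = {
    "matchExpressions": [
        {"key": "openpolicyagent.org/webhook", "operator": "NotIn", "values": ["ignore"]}
    ]
}

OPERATORS = ("In", "NotIn", "Exists", "DoesNotExist")


def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: matchLabels and every expression must hold."""
    labels = labels or {}
    selector = selector or {}
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False  # the ignore label is set: webhook is skipped
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True  # an empty selector matches every namespace


def webhook_applies(namespace_labels, selector=IGNORE_SELECTOR):
    """True when the API server would send this namespace's requests to OPA."""
    return selector_matches(selector, namespace_labels)


if __name__ == "__main__":
    # Constructed namespace label sets for illustration.
    for name, labels in {"default": {}, "kube-system": {"openpolicyagent.org/webhook": "ignore"},
                         "team-a": {"openpolicyagent.org/webhook": "enforce"}}.items():
        print(f"{name}: OPA consulted = {webhook_applies(labels)}")
```

Run it against `kubectl get ns <name> -o jsonpath='{.metadata.labels}'` output to answer "should OPA have seen this request at all?" before digging into policy logic.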

Ensure mutating policies construct JSON Patches correctly

A "/" inside a key must be written as "~1" (and "~" as "~0") in the JSON Pointer path, otherwise the patch targets a nested path that does not exist.

Correct:

  {
    "op": "add",
    "path": "/metadata/annotations/acmecorp.com~1myannotation",
    "value": "somevalue"
  }

Incorrect:

  {
    "op": "add",
    "path": "/metadata/annotations/acmecorp.com/myannotation",   # <-- BAD: "/" inside the key is not escaped as "~1"
    "value": "somevalue"
  }

In addition, when your policy generates the response for the Kubernetes API server, you must use the base64.encode built-in function to encode the JSON Patch objects. DO NOT use the base64url.encode function because the Kubernetes API server will not process it:

Correct:

  package system

  main = {
    "apiVersion": "admission.k8s.io/v1beta1",
    "response": response,
  }

  response = {
    "allowed": true,
    "patch": base64.encode(json.marshal(patches))      # <-- GOOD: uses base64.encode
  }

  patches = [
    {
      "op": "add",
      "path": "/metadata/annotations/acmecorp.com~1myannotation",
      "value": "somevalue"
    }
  ]

Incorrect:

  response = {
    "allowed": true,
    "patch": base64url.encode(json.marshal(patches))   # <-- BAD: uses base64url.encode
  }
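The script below is an added example (not code from the page or the OPA project) that reproduces both pitfalls of this section outside of Rego: it escapes an annotation key into a JSON Pointer token per RFC 6901, then encodes the patch list with the standard base64 alphabet (what base64.encode produces) and with the URL-safe alphabet (what base64url.encode produces), and shows that a strict standard-alphabet decode, which is what the API server applies to the patch field, rejects the latter. The patch value "???" is a constructed input chosen so that the standard encoding contains a "/" and the two alphabets visibly diverge.

```python
import base64
import binascii
import json


def escape_pointer_token(token):
    """RFC 6901 escaping for one reference token: '~' -> '~0' first, then '/' -> '~1'."""
    return token.replace("~", "~0").replace("/", "~1")


def annotation_patch(annotation, value):
    """JSON Patch op that adds one annotation whose key may contain '/'."""
    return {
        "op": "add",
        "path": "/metadata/annotations/" + escape_pointer_token(annotation),
        "value": value,
    }


def _marshal(patches):
    return json.dumps(patches, separators=(",", ":")).encode()


def encode_patch(patches):
    """Standard alphabet ('+', '/'): the base64.encode(json.marshal(patches)) form."""
    return base64.b64encode(_marshal(patches)).decode()


def encode_patch_urlsafe(patches):
    """URL-safe alphabet ('-', '_'): the base64url.encode form the API server rejects."""
    return base64.urlsafe_b64encode(_marshal(patches)).decode()


def decode_as_apiserver(encoded):
    """Strict standard-alphabet decode; returns the patch list, or None if any
    character falls outside the standard alphabet (as '-' and '_' do)."""
    try:
        return json.loads(base64.b64decode(encoded, validate=True))
    except (binascii.Error, ValueError):
        return None


# Constructed demonstration input; "???" makes the standard encoding contain "/".
DEMO_PATCHES = [annotation_patch("acmecorp.com/myannotation", "???")]


if __name__ == "__main__":
    std, url = encode_patch(DEMO_PATCHES), encode_patch_urlsafe(DEMO_PATCHES)
    print("path     :", DEMO_PATCHES[0]["path"])
    print("base64   :", std, "-> accepted:", decode_as_apiserver(std) is not None)
    print("base64url:", url, "-> accepted:", decode_as_apiserver(url) is not None)
```

The two encodings differ only where a 6-bit group equals 62 or 63, so a base64url patch can appear to work for some inputs and fail for others; that intermittent behaviour is the tell-tale sign of the wrong built-in.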

Also, for more examples of how to construct mutating policies and integrate them with validating policies, see the examples in https://github.com/open-policy-agent/library.