Open Policy Agent (OPA)

In Kubernetes, Gloo stores its configuration as Custom Resource Definitions (CRDs). You can use normal Kubernetes Role Based Access Control (RBAC) to create a policy that grants users the ability to create a Gloo VirtualService. RBAC only allows administrators to grant permissions to entire objects. With the Open Policy Agent, one can specify very fine-grained control over Gloo objects. For example, with RBAC you can say, “user is allowed to create virtual service” With OPA, in addition to specifying access, you can say “virtual services must point to the domain”.

You can of-course combine both, as you see fit.

In this document we will show a simple OPA policy that dictates that all virtual services must not have a prefix re-write.


Before you get started, you will need to have the Gloo Gateway running in a Kubernetes cluster. For more information, you can follow this installation guide.


First, setup OPA as a validating web hook. In this mode, OPA validates the Kubernetes objects before they are visible to the controllers that act on them (Gloo in our case).

You can use the script for that purpose.

This script follows the docs outlined in official OPA docs with some small adaptations for the Gloo API.

Click to see the full file that should be used for this project.


OPA Policies are written in Rego. A language specifically designed for policy decisions.

Let’s apply this policy, forbidding virtual service with prefix re-write:

package kubernetes.admission

operations = {"CREATE", "UPDATE"}

deny[msg] {
	input.request.kind.kind == "VirtualService"
	msg := "prefix re-write not allowed"

Let’s break this down:

operations = {"CREATE", "UPDATE"}

This policy only applies to objects that are created or updated.

deny[msg] {

Start a policy to deny to object creation \ update, if all conditions in the braces hold.

The conditions are:

	input.request.kind.kind == "VirtualService"

(1) This object is a VirtualService


(2) This object is created or updated.


(3) This object has a prefixRewrite stanza.

If all these conditions are true, the object will be denied with this message:

	msg := "prefix re-write not allowed"

Apply Policy

You can use this command to apply the policy, by writing it to a configmap in the opa namespace

kubectl --namespace=opa create configmap vs-no-prefix-rewrite --from-file=vs-no-prefix-rewrite.rego

Give it a second, and you will see the policy status changes to ok:

kubectl get configmaps -n opa vs-no-prefix-rewrite -o yaml
apiVersion: v1
  vs-no-prefix-rewrite.rego: "package kubernetes.admission\n\noperations = {\"CREATE\",
    \"UPDATE\"}\n\ndeny[msg] {\n\tinput.request.kind.kind == \"VirtualService\"\n\toperations[input.request.operation]\n\tinput.request.object.spec.virtualHost.routes[_].options.prefixRewrite\n\tmsg
    := \"prefix re-write not allowed\"\n}\n"
kind: ConfigMap
  annotations: '{"status":"ok"}'
  creationTimestamp: "2019-08-20T11:10:55Z"
  name: vs-no-prefix-rewrite
  namespace: opa
  resourceVersion: "39558874"
  selfLink: /api/v1/namespaces/opa/configmaps/vs-no-prefix-rewrite
  uid: 2de8732f-c33b-11e9-8be1-42010a8000dc


Time to test!

We have prepared two virtual services for testing (click on each to see the content):

Valid VirtualService (vs-ok.yaml)
Denied VirtualService (vs-err.yaml)

Try it:

kubectl apply -f vs-ok.yaml created
kubectl apply -f vs-err.yaml
Error from server (prefix re-write not allowed): error when applying patch:
Resource: ", Resource=virtualservices", GroupVersionKind: ", Kind=VirtualService"
Name: "default", Namespace: "gloo-system"
Object: &{map["apiVersion":"" "kind":"VirtualService" "metadata":map["annotations":map["":"{\"apiVersion\":\"\",\"kind\":\"VirtualService\",\"metadata\":{\"annotations\":{},\"name\":\"default\",\"namespace\":\"gloo-system\"},\"spec\":{\"virtualHost\":{\"domains\":[\"*\"],\"routes\":[{\"matchers\":[{\"exact\":\"/sample-route-1\"}],\"routeAction\":{\"single\":{\"upstream\":{\"name\":\"default-petstore-8080\",\"namespace\":\"gloo-system\"}}}}]}}}\n"] "creationTimestamp":"2020-01-29T14:41:28Z" "generation":'\x06' "name":"default" "namespace":"gloo-system" "resourceVersion":"7076134" "selfLink":"/apis/" "uid":"6ed4d802-42a5-11ea-84a5-56542bf21e7d"] "spec":map["virtualHost":map["domains":["*"] "routes":[map["matchers":[map["exact":"/sample-route-1"]] "routeAction":map["single":map["upstream":map["name":"default-petstore-8080" "namespace":"gloo-system"]]]]]]] "status":map["reported_by":"gateway" "state":'\x01' "subresource_statuses":map["*v1.Proxy.gloo-system.gateway-proxy":map["reported_by":"gloo" "state":'\x01']]]]}
for: "vs-err.yaml": admission webhook "" denied the request: prefix re-write not allowed


you can use the to clean-up the resources created in this document.

For your convenience, here’s the content of

kubectl delete validatingwebhookconfiguration  opa-validating-webhook
kubectl delete namespace opa
kubectl delete clusterrolebinding opa-viewer opa-gloo-viewer

rm ca.crt ca.key server.conf server.crt server.csr server.key

kubectl label namespace kube-system

Next Steps

Now that you’ve see how to configure a basic policy with OPA, you can go further down the rabbit hole of policies, or check out some of the other security features in Gloo.

Or you might want to learn more about the various features available to Routes on a Virtual Service in our Traffic Management guides.