OPA Gatekeeper: possible to check for Network Policies on Ingress Update?

Time:07-19

I want to make sure that a Network Policy exists when an Ingress is created / updated. CertManager spawns a Pod to get an ACME certificate for the URL when an Ingress is created and fails if no NetworkPolicy is defined.
Sadly I haven't found a way to access Network Policies for the Namespace the Ingress is created in.

CodePudding user response:

You can do this with a custom admission-controller. I suggest this because, although OPA implements policy and compliance checking and therefore has the feature to implement the same, it might not come out of the box with functionality for dependency checking.

The problem you have, however, is more of a workflow/dependency problem. You want to ensure resource creation/deletion enforcement based on dependency resolution. This is best done through a custom admission-controller. This will have the ability to query your API server to get information about existing resources before allowing certain requests to be passed to it. You can read more about admission-controllers here in the k8s docs.
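The decision logic of the custom validating admission controller the answer describes, as an added example (not code from the question, the answer or the OPA/Gatekeeper project): it takes an AdmissionReview for an Ingress CREATE/UPDATE, looks up the NetworkPolicies in the Ingress's namespace, and denies the request when none exist. The `lookup` callable and the inventory behind it are constructed stand-ins for the API server query the real webhook would make; the HTTPS server and TLS plumbing of a real webhook are omitted.

```python
import json
from typing import Callable, Dict, List

# Policy enforced by this (hypothetical) webhook: an Ingress may only be created or
# updated in a namespace that already has at least one NetworkPolicy, so the
# cert-manager ACME solver Pod is covered by a policy when it appears.
WATCHED_OPERATIONS = {"CREATE", "UPDATE"}


def admit(review: dict, lookup: Callable[[str], List[str]]) -> dict:
    """Return the AdmissionReview response for one request.

    `lookup(namespace)` returns the names of NetworkPolicies in that namespace.
    A production webhook would back it with an API server call such as
    NetworkingV1Api.list_namespaced_network_policy(namespace) from the
    official kubernetes Python client; here it is injected so the logic runs offline.
    """
    request = review["request"]
    kind = request["kind"]["kind"]
    operation = request["operation"]
    namespace = request.get("namespace", "")
    response: Dict = {"uid": request["uid"], "allowed": True}
    if kind == "Ingress" and operation in WATCHED_OPERATIONS:
        policies = lookup(namespace)
        if not policies:
            # Deny with a message the kubectl user will see; keep the uid so the
            # API server can match the response to its request.
            response["allowed"] = False
            response["status"] = {
                "code": 403,
                "message": f"no NetworkPolicy exists in namespace {namespace!r}; "
                           "create one before creating or updating an Ingress",
            }
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}


# Constructed inventory: the "web" namespace already has a policy, "legacy" has none.
SAMPLE_INVENTORY = {"web": ["allow-acme-solver"], "legacy": []}


def sample_lookup(namespace: str) -> List[str]:
    return SAMPLE_INVENTORY.get(namespace, [])


def make_review(kind: str, operation: str, namespace: str, uid: str = "uid-0001") -> dict:
    """Build a minimal, constructed AdmissionReview request as the API server would send it."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "networking.k8s.io", "version": "v1", "kind": kind},
                        "operation": operation, "namespace": namespace}}


if __name__ == "__main__":
    for ns in ("web", "legacy"):
        print(json.dumps(admit(make_review("Ingress", "CREATE", ns), sample_lookup)))
```

Gatekeeper can reach the same data without a separate webhook by syncing NetworkPolicy objects into `data.inventory` through its Config resource, which is what a referential ConstraintTemplate would then query.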
