Some of these settings can be overridden by environment variables.

| environment variable name | config field | default value | example value | description |
|---|---|---|---|---|
| N/A | config.debug | `` | true | Set true to enable debug logging |
| N/A | | "" | "athenz" | Athenz Domain name for the identity certificates (K8s Namespace will be set implicitly if this is empty) |
| N/A | config.constraints.athenz.domain.prefix | "" | cloud-tld.region. | Athenz Domain prefix to restrict issuing identity certificates |
| N/A | config.constraints.athenz.domain.suffix | "" | .copperargos.provider | Athenz Domain suffix to restrict issuing identity certificates |
| N/A | config.constraints.athenz.identityprovider.service | "" | identityprovider | Full name of the Athenz Service for the cloud provider service |
| N/A | config.constraints.cert.expiry.defaultminutes | `` | 43200 | Default certificate expiry in minutes, used when the client does not specify a value |
| N/A | config.constraints.cert.expiry.maxminutes | `` | 43200 | Maximum certificate expiry in minutes; client requests above this are capped |
| N/A | config.constraints.cert.refresh | `` | true | Allow refreshing identity certificates |
| N/A | config.constraints.cert.sandns.[].glob | [] | [{"glob": "*.*.svc.cluster.local"}, {"glob": "**"}] | SAN DNS constraints for server certificates |
| N/A | config.constraints.keys.jwks.url | `` | | URL to retrieve the JWK Set used to verify Kubernetes Service Account Tokens |
| N/A | config.constraints.keys.jwks.cacert | `` | /var/run/secrets/ | Path to a CA certificate file used when connecting to the JWK Set endpoint |
| N/A | config.constraints.keys.jwks.force_cache_duration_seconds | `` | 3600 | Cache duration for the retrieved JWK Set (set 0 to disable caching) |
| N/A | config.constraints.keys.apinodes.url | `` | | API endpoint URL (most likely kube-apiserver) used to discover JWK Set endpoints |
| N/A | config.constraints.keys.static | `` | "" | Static keys used to verify Kubernetes Service Account Tokens (PEM or JWKS format) |
| N/A | config.constraints.kubernetes.namespaces | [] | ["kube-system"] | Kubernetes Namespaces from which Kubernetes Service Account Tokens are accepted |
| N/A | config.constraints.kubernetes.serviceaccount.names | [] | ["identityprovider"] | Kubernetes Service Account names for which Kubernetes Service Account Tokens are accepted |
| N/A | config.constraints.kubernetes.serviceaccount.token.issuer | `` | https://kubernetes.default.svc.cluster.local | Required issuer (`iss`) of accepted Kubernetes Service Account Tokens |
| N/A | config.constraints.kubernetes.serviceaccount.token.audience | `` | https://kubernetes.default.svc | Required audience (`aud`) of accepted Kubernetes Service Account Tokens |
To verify Kubernetes Service Account Tokens, at least one of the following key sources must be configured:

- JWK Set endpoint URL (`config.constraints.keys.jwks.url`)
- API endpoint URL, most likely kube-apiserver, used to discover JWK Set endpoints (`config.constraints.keys.apinodes.url`)
- Static keys in PEM or JWKS format (`config.constraints.keys.static`)
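The following is an added illustration, not the project's own policy code, of how the constraints in the table above are meant to gate a request: the issuer, audience, namespace and service account name of a Kubernetes Service Account Token are checked against the configured values, the requested certificate lifetime is clamped by the default and maximum expiry minutes, and a SAN DNS name is matched against the configured globs. The token claims are a constructed sample in the projected-token layout (`kubernetes.io.namespace`, `kubernetes.io.serviceaccount.name`), signature verification is assumed to have happened already, and two semantics are assumptions of this illustration rather than documented behaviour: an empty namespace or service account list means "no restriction", and an empty SAN DNS glob list accepts no names. `**` is treated as matching across dot-separated labels while `*` stays within one label.

```python
"""Constraint checks modelled on the config table (added illustration, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Constraints:
    token_issuer: str
    token_audience: str
    expiry_default_minutes: int
    expiry_max_minutes: int
    namespaces: list[str] = field(default_factory=list)       # [] assumed to mean unrestricted
    serviceaccount_names: list[str] = field(default_factory=list)
    sandns_globs: list[str] = field(default_factory=list)     # [] assumed to accept no names


# Values taken from the "example value" column of the table.
SAMPLE = Constraints(
    token_issuer="https://kubernetes.default.svc.cluster.local",
    token_audience="https://kubernetes.default.svc",
    expiry_default_minutes=43200,
    expiry_max_minutes=43200,
    namespaces=["kube-system"],
    serviceaccount_names=["identityprovider"],
    sandns_globs=["*.*.svc.cluster.local", "**"],
)

# Constructed claim set in the projected service account token layout.
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc"],
    "sub": "system:serviceaccount:kube-system:identityprovider",
    "kubernetes.io": {
        "namespace": "kube-system",
        "serviceaccount": {"name": "identityprovider"},
    },
}


def check_token_claims(claims: dict, c: Constraints) -> list[str]:
    """Return a list of constraint violations; an empty list means the token is accepted."""
    errors: list[str] = []
    if claims.get("iss") != c.token_issuer:
        errors.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if c.token_audience not in audiences:
        errors.append("audience mismatch")
    k8s = claims.get("kubernetes.io", {})
    namespace = k8s.get("namespace")
    sa_name = k8s.get("serviceaccount", {}).get("name")
    if c.namespaces and namespace not in c.namespaces:
        errors.append(f"namespace {namespace!r} not allowed")
    if c.serviceaccount_names and sa_name not in c.serviceaccount_names:
        errors.append(f"service account {sa_name!r} not allowed")
    return errors


def effective_expiry_minutes(requested: int | None, c: Constraints) -> int:
    """Apply defaultminutes when the client sent nothing, and cap at maxminutes otherwise."""
    if requested is None or requested <= 0:
        return c.expiry_default_minutes
    return min(requested, c.expiry_max_minutes)


def glob_to_regex(pattern: str) -> re.Pattern:
    """'**' matches across labels, '*' matches within a single dot-separated label."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^.]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def san_dns_allowed(name: str, globs: list[str]) -> bool:
    """A SAN DNS name is accepted only if at least one configured glob matches it."""
    return any(glob_to_regex(g).match(name) for g in globs)


if __name__ == "__main__":
    print("token violations:", check_token_claims(SAMPLE_CLAIMS, SAMPLE))
    print("expiry for unspecified request:", effective_expiry_minutes(None, SAMPLE))
    print("expiry for 100000 requested:", effective_expiry_minutes(100000, SAMPLE))
    print("SAN allowed:", san_dns_allowed("myservice.default.svc.cluster.local", ["*.*.svc.cluster.local"]))
```

The `*` versus `**` distinction matters for the first example glob: `*.*.svc.cluster.local` is intended to admit exactly `<service>.<namespace>.svc.cluster.local`, so a deeper name such as `a.b.c.svc.cluster.local` is rejected unless the catch-all `**` glob is also configured.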
Run the policy tests:

```bash
opa test -v {policy,test}/*.rego {policy,test}/*.yaml
```

To see test coverage:

```bash
opa test -cv {policy,test}/*.rego {policy,test}/*.yaml
```
Generate a test RSA key pair and the matching JWK files:

```bash
openssl genrsa 2048 > test/private.key.pem
openssl rsa -in test/private.key.pem -pubout > test/public.key.pem
step crypto jwk create --alg RS256 --kid jIoPyoDK6l7wdT2vEh_4b9sUGwCuVBz1L9z4hbd4Vbo --from-pem=test/private.key.pem --no-password --insecure -f test/public.jwk.json test/private.jwk.json
```

Sign the mock JWT body from `test/mock.yaml` with the test private key:

```bash
cat test/mock.yaml | yq .mock.jwt.body | dasel -ryaml -wjson | step crypto jws sign --alg RS256 --kid jIoPyoDK6l7wdT2vEh_4b9sUGwCuVBz1L9z4hbd4Vbo --key test/private.key.pem
```

Verify the mock attestation data (the signed token) against the mock JWK and against the PEM public key, with the issuer and audience the policy expects:

```bash
cat test/mock.yaml | yq .mock.jwk > test/public.jwk.json
cat test/mock.yaml | yq .mock.instance.input.attestationData | step crypto jwt verify --key test/public.jwk.json --iss https://kubernetes.default.svc.cluster.local --aud https://kubernetes.default.svc
cat test/mock.yaml | yq .mock.instance.input.attestationData | step crypto jwt verify --key test/public.key.pem --alg RS256 --iss https://kubernetes.default.svc.cluster.local --aud https://kubernetes.default.svc
```

Run OPA locally as a server with the policy and the local config:

```bash
opa run --server --config-file=$(pwd)/local/config.yaml --addr= --ignore=.* --disable-telemetry policy/*.rego local/policy/config.yaml
```

Send the mock pods as data with the mock token as a Bearer token, then post the mock request:

```bash
curl -svX PUT -H"Content-Type:application/json" -H"Authorization: Bearer $(cat test/mock.yaml | yq .mock.instance.input.attestationData)" -d"$(cat test/mock.yaml | yq .mock.pods -ojson)"
curl -svX POST -H'Content-Type:application/json' -d@test/request.json
curl -svX POST -H'Content-Type:application/json' -d@test/request.json
```