
Managing Access via Open Policy Agent

Note: This feature is currently in Preview and may be subject to change.

Codezero can integrate with Open Policy Agent (OPA) via the REST API for Named Policy Decisions.

You need to set the following Helm Chart variables:

| Helm Chart Variable | Value |
| --- | --- |
| `opa.enabled` | `true` |
| `opa.url` | URL for the Named Policy Decision |

Codezero sends the following inputs to the Named Policy Decision URL:

| Input | Description |
| --- | --- |
| `action.operation` | `consume` or `serve` |
| `action.condition.type` | `default`, `user` or `header` |
| `action.condition.key` | header key if the condition type is `header` |
| `action.condition.value` | header value if the condition type is `header` |
| `auth.userID` | the Codezero user ID |
| `resource.namespace` | the namespace of the resource that a user wants to consume or serve |
| `resource.service` | the service name of the resource that a user wants to consume or serve |

For example, the following Rego code restricts access to any resources in the `codezero` namespace:

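```rego
package codezero

import rego.v1

import input.auth
import input.scope
import input.resource

# Deny unless the rule below allows the request.
default allow := false

# Allow access to resources outside the codezero namespace.
allow if {
	resource.namespace != "codezero"
}
```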
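The following unit tests for the policy above are an added example, not part of the Codezero documentation. The sample input is constructed from the input table: the user ID, namespace and service values are made up, and the nesting of the dotted input names into objects is assumed from the policy's use of `resource.namespace`.

```rego
package codezero_test

import rego.v1

import data.codezero

# Constructed sample input: field names from the table above, values made up.
# Assumption: dotted names arrive as nested objects under `input`.
base_input := {
	"action": {"operation": "consume", "condition": {"type": "default"}},
	"auth": {"userID": "user-123"},
	"resource": {"namespace": "staging", "service": "checkout"},
}

# A resource outside the codezero namespace is allowed.
test_other_namespace_allowed if {
	codezero.allow with input as base_input
}

# The same request against the codezero namespace is denied.
test_codezero_namespace_denied if {
	inp := object.union(base_input, {"resource": {"namespace": "codezero"}})
	not codezero.allow with input as inp
}

# The rule does not look at action.operation, so serve is treated like consume.
test_serve_denied_in_codezero_namespace if {
	inp := object.union(base_input, {
		"action": {"operation": "serve"},
		"resource": {"namespace": "codezero"},
	})
	not codezero.allow with input as inp
}

# With resource.namespace absent the comparison is undefined, the rule body
# fails, and the default (false) applies: the policy fails closed.
test_missing_namespace_denied if {
	inp := json.remove(base_input, ["resource/namespace"])
	not codezero.allow with input as inp
}
```

Save the tests in the same directory as the policy and run `opa test .` to evaluate them.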