This repository contains the example files for using Open Policy Agent (OPA) for Apache Kafka authorization. This demo is related to the blog post published on Strimzi website.
Create a namespace myproject and set it as the default.
If you use a different namespace, change the .metadata.namespace field in the YAML files in this repository.
Install Strimzi 0.19.0 and make sure it is watching the myproject namespace. You can use any of the available installation methods.
The OPA policies used for both examples are part of this repository. To make them available to the OPA server, we create a ConfigMap from them and mount it as a volume into the OPA server pod; the --from-file keys below become the file names the OPA server loads. You can create the ConfigMap using kubectl:
kubectl create configmap opa-policies --from-file=kafka_authz_example_basic.rego=basic-example-policy.rego --from-file=kafka_authz_example_crds.rego=advanced-example-policy.rego
The opa-deployment.yaml file contains the deployment of the OPA server. This is just an example deployment; it is not production ready. You can install it using kubectl:
kubectl apply -f opa-deployment.yaml
The basic example has the groups hardcoded inside the OPA policy. Any change to the groups (adding or removing users) requires a change to the policy itself.
Deploy the Kafka cluster from the basic-example-kafka.yaml file. This cluster is configured to use the basic example policy.
kubectl apply -f basic-example-kafka.yaml
The file basic-example-clients-allowed.yaml contains an example consumer and producer running as users allowed to produce and consume messages.
kubectl apply -f ./basic-example-clients-allowed.yaml
When you deploy them, you should see that they are allowed to run.
The file basic-example-clients-denied.yaml contains an example consumer and producer running as users not allowed to produce and consume messages.
kubectl apply -f ./basic-example-clients-denied.yaml
When you deploy them, you should see that they are denied access to the Kafka cluster.
The advanced example uses groups configured as annotations on the KafkaTopic and KafkaUser resources. These resources are loaded into OPA by the kube-mgmt sidecar and read by the policy. That way, changing rights or adding and removing users can be done without any change to the policy.
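To make the annotation-driven approach concrete, here is a policy in the same spirit. It is an added illustration written for this README, not the advanced-example-policy.rego shipped in this repository, and it rests on several assumptions: kube-mgmt is configured to replicate the kafkausers and kafkatopics custom resources from the myproject namespace into data.kubernetes (its usual data.kubernetes.<plural>.<namespace>.<name> layout); the Kafka OPA authorizer plugin delivers each request as input.operation.name, input.resource.resourceType.name, input.resource.name and input.session.principal.name; and the annotation keys kafka-authz/groups, kafka-authz/read-groups, kafka-authz/write-groups and kafka-authz/consumer-groups are invented for the example. It uses the future.keywords imports, so it needs OPA 0.42 or newer (it also parses under OPA 1.x).

```rego
package kafka.authz.example

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Deny everything the rules below do not explicitly allow.
default allow := false

# Namespace in which the KafkaUser and KafkaTopic resources live (assumed: myproject).
ns := "myproject"

# Kafka principal name as the OPA authorizer plugin is assumed to pass it:
# a bare user name for SCRAM-SHA-512, or "CN=<user name>" for TLS client auth.
# Strimzi names the KafkaUser after the principal, so this is the lookup key.
principal_name := trim_prefix(input.session.principal.name, "CN=")

# The KafkaUser of the connecting principal, as mirrored by kube-mgmt.
# Undefined (and therefore denied) when no such KafkaUser exists.
user := data.kubernetes.kafkausers[ns][principal_name]

# Split a comma-separated annotation value into a set of trimmed names.
# A missing annotation yields an empty set, i.e. no rights at all.
groups_from(meta, key) := {trim_space(g) | some g in split(meta.annotations[key], ",")}

# Groups the connecting user belongs to (assumed annotation key).
user_groups := groups_from(user.metadata, "kafka-authz/groups")

# The KafkaTopic describing a given Kafka topic. A KafkaTopic may name the
# topic in spec.topicName; otherwise the resource name is the topic name.
# Two KafkaTopics resolving to the same topic make this fail with a conflict,
# which surfaces as an evaluation error rather than a silent grant.
topic_resource(topic_name) := t if {
	some t in data.kubernetes.kafkatopics[ns]
	object.get(t.spec, "topicName", t.metadata.name) == topic_name
}

# True when the user shares at least one group with those granted by the
# topic's annotation (assumed keys: kafka-authz/read-groups, kafka-authz/write-groups).
topic_permits(topic_name, key) if {
	some g in user_groups
	g in groups_from(topic_resource(topic_name).metadata, key)
}

# Consumers need Read and Describe on a topic, producers need Write and Describe.
read_ops := {"Read", "Describe"}
write_ops := {"Write", "Describe"}

allow if {
	input.resource.resourceType.name == "Topic"
	input.operation.name in read_ops
	topic_permits(input.resource.name, "kafka-authz/read-groups")
}

allow if {
	input.resource.resourceType.name == "Topic"
	input.operation.name in write_ops
	topic_permits(input.resource.name, "kafka-authz/write-groups")
}

# Consumer groups: the KafkaUser lists the consumer groups it may join
# (assumed annotation key: kafka-authz/consumer-groups).
allow if {
	input.resource.resourceType.name == "Group"
	input.operation.name in {"Read", "Describe"}
	input.resource.name in groups_from(user.metadata, "kafka-authz/consumer-groups")
}
```

The package path has to match the URL the Kafka brokers are configured to query, and every path through the policy that cannot find a KafkaUser, a KafkaTopic or the relevant annotation evaluates to undefined, so the default rule keeps the decision at deny. You can exercise the policy offline with opa eval by passing a JSON document that mimics the kube-mgmt layout under data.kubernetes as --data and a request document as --input, and checking data.kafka.authz.example.allow for an annotated and an unannotated user.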
Deploy the Kafka cluster from the advanced-example-kafka.yaml file. This cluster is configured to use the advanced example policy.
kubectl apply -f advanced-example-kafka.yaml
The file advanced-example-clients-allowed.yaml contains an example consumer and producer running as users allowed to produce and consume messages.
kubectl apply -f ./advanced-example-clients-allowed.yaml
When you deploy them, you should see that they are allowed to run.
The file advanced-example-clients-denied.yaml contains an example consumer and producer running as users not allowed to produce and consume messages.
kubectl apply -f ./advanced-example-clients-denied.yaml
When you deploy them, you should see that they are denied access to the Kafka cluster.