Update simple Kubernetes deployment example

Fixes open-policy-agent#874 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
tsandall · Apr 17, 2019 · 4cecfb8 · 4cecfb8
1 parent af55fe4
commit 4cecfb8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 45 deletions.
diff --git a/docs/code/deployments-kubernetes/example-pod.json b/docs/code/deployments-kubernetes/example-pod.json
diff --git a/docs/code/deployments-kubernetes/example.rego b/docs/code/deployments-kubernetes/example.rego
@@ -1,15 +1,7 @@
 package example
 
-default deny = false
-
-# Reject objects without a customer label.
-deny {
-    not input.metadata.labels.customer
-}
-
-# Reject pods referring to images outside the corporate registry.
-deny {
-    input.kind == "Pod"
-    container := input.spec.containers[_]
-    not re_match("^registry.acmecorp.com/.+$", container.image)
+greeting = msg {
+    info := opa.runtime()
+    hostname := info.env["HOSTNAME"] # Kubernetes sets the HOSTNAME environment variable.
+    msg := sprintf("hello from pod %q!", [hostname])
 }
diff --git a/docs/content/docs/deployments.md b/docs/content/docs/deployments.md
@@ -129,15 +129,17 @@ docker run openpolicyagent/opa version
 
 This section shows how to quickly deploy OPA on top of Kubernetes to try it out.
 
+> If you are interested in using OPA to enforce admission control policies in
+> Kubernetes, see the [Kubernetes Admission Control
+> Tutorial](../kubernetes-admission-control) and [Kubernetes Admission Control
+> Guide](../guides-kubernetes-admission-control) pages.
+
 > These steps assume Kubernetes is deployed with
 [minikube](https://github.com/kubernetes/minikube). If you are using a different
 Kubernetes provider, the steps should be similar. You may need to use a
 different Service configuration at the end.
 
-First, create a ConfigMap containing a test policy. The test policy will define a blacklist that rejects:
-
-* Objects missing a 'customer' label.
-* Pods referring to images outside the corporate registry.
+First, create a ConfigMap containing a test policy.
 
 In this case, the policy file does not contain sensitive information so it's
 fine to store as a ConfigMap. If the file contained sensitive information, then
@@ -216,16 +218,20 @@ Get the URL of OPA using `minikube`:
 OPA_URL=$(minikube service opa --url)
 ```
 
-Now you can query OPA's API. If you use the Pod below, `deny` will be `true`
-because the Pod refers to image outside the corporate registry.
-
-#### [`example-pod.json`](https://github.com/open-policy-agent/opa/tree/master/docs/code/deployments-kubernetes/example-pod.json)
-
-{{< code file="deployments-kubernetes/example-pod.json" lang="json" >}}
+Now you can query OPA's API:
 
 ```bash
-curl $OPA_URL/v1/data -d @example-pod.json
+curl $OPA_URL/v1/data
 ```
 
-If you update the image to refer to the corporate registry, `deny` will be
-`false`.
+OPA will respond with the greeting from the policy (the pod hostname will differ):
+
+```json
+{
+  "result": {
+    "example": {
+      "greeting": "hello from pod \"opa-78ccdfddd-xplxr\"!"
+    }
+  }
+}
+```