Update OPA to 0.36.1 and MGMT to 3.2.1

Jack Henschel requested to merge jack-update-api-versions into master

Since we are upgrading the chart from 1.x to 3.x, several aspects have changed:

  1. admissionController configuration has been moved into its own section
  2. RBAC rules can no longer be injected into the chart, so we need to provision the ClusterRole and ClusterRoleBinding ourselves. Then, we attach it to the ServiceAccount created by the Helm chart
  3. Probes are no longer configurable (not necessary due to 4)
  4. Enable OPA decision logs instead of HTTP logs
  5. Between admission.k8s.io/v1beta1 and v1 there are two changes we need to respect in our "default-system-main" rule: we need to return the UID sent in the request and for the patches we need to specify the patchType (in our case JSON).

The new version of the MGMT chart also includes the fix submitted by Alex to make cert-manager certs duration configurable: https://github.com/open-policy-agent/kube-mgmt/pull/120

https://github.com/open-policy-agent/opa/releases/tag/v0.36.1

Required for OKD 4.9 upgrade, since Kubernetes 1.22 removed several beta APIs.

Edited by Jack Henschel
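
The two v1 requirements from item 5, as an added example that is not part of this merge request or the project's own rule: a Python helper that builds an admission.k8s.io/v1 response and a checker that reports what a v1beta1-style reply is missing. The function names and sample documents are constructed for illustration; `JSONPatch` is the patchType value admission.k8s.io/v1 uses for JSON patches.

```python
import base64
import json

V1 = "admission.k8s.io/v1"

def build_v1_response(review, allowed, patches=None, message=None):
    """Build an admission.k8s.io/v1 AdmissionReview response for `review`."""
    # v1 requires the response to echo the UID sent in the request.
    response = {"uid": review["request"]["uid"], "allowed": allowed}
    if message:
        response["status"] = {"message": message}
    if patches:
        # The JSON Patch is carried base64-encoded and needs patchType with it.
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patches).encode()).decode()
    return {"apiVersion": V1, "kind": "AdmissionReview", "response": response}

def check_v1_response(review, reply):
    """Return the problems that make `reply` invalid as a v1 response."""
    problems = []
    if reply.get("apiVersion") != V1 or reply.get("kind") != "AdmissionReview":
        problems.append("apiVersion/kind must be admission.k8s.io/v1 AdmissionReview")
    resp = reply.get("response") or {}
    if resp.get("uid") != review["request"]["uid"]:
        problems.append("response.uid does not echo request.uid")
    if not isinstance(resp.get("allowed"), bool):
        problems.append("response.allowed must be a boolean")
    if "patch" in resp:
        if resp.get("patchType") != "JSONPatch":
            problems.append("patch set without patchType JSONPatch")
        try:
            ops = json.loads(base64.b64decode(resp["patch"], validate=True))
            if not isinstance(ops, list):
                problems.append("patch is not a JSON Patch array")
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            problems.append("patch is not base64-encoded JSON")
    return problems

# Constructed sample request (not taken from a real cluster).
SAMPLE_REVIEW = {"apiVersion": V1, "kind": "AdmissionReview",
                 "request": {"uid": "00000000-0000-4000-8000-000000000001",
                             "operation": "CREATE"}}
# Constructed v1beta1-style reply: no uid and no patchType.
LEGACY_PATCH = b'[{"op":"add","path":"/metadata/labels/x","value":"y"}]'
LEGACY_REPLY = {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
                "response": {"allowed": True,
                             "patch": base64.b64encode(LEGACY_PATCH).decode()}}
```

Running `check_v1_response` over the rule's output for a recorded request in CI catches a missing UID or patchType before the webhook is deployed.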