Skip to content

animale66/opa-docker-authz

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 
example.rego
example.rego
 
 
glide.lock
glide.lock
 
 
glide.yaml
glide.yaml
 
 
main.go
main.go
 
 
users.json
users.json
 
 

Repository files navigation

opa-docker-authz

This project is used to show how OPA can help policy-enable an existing service.

In this example, we policy-enable the authorization functionality available in Docker 1.10 and later.

Usage

See the detailed example to setup a running example of this plugin.

Build

To build the plugin run make. The build requires Docker.

Install

The plugin can be started with no options. It may require sudo depending on your machine's Docker configuration permissions:

$ opa-docker-authz
  • By default, the plugin will listen for requests (from Docker) on :8080 and read an OPA policy out of policy.rego. See -h for options.

The following command line argument enables the authorization plugin within Docker:

--authorization-plugin=opa-docker-authz

On Ubuntu 16.04 this is done by overriding systemd configuration (requires root):

$ sudo mkdir -p /etc/systemd/system/docker.service.d
$ sudo tee -a /etc/systemd/system/docker.service.d/override.conf > /dev/null <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --authorization-plugin=opa-docker-authz
EOF
$ sudo systemctl daemon-reload
$ sudo service docker restart

About

A policy-enabled authorization plugin for Docker.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

9 tags

Packages

 
 
 

Contributors

Languages

  • Go 86.2%
  • Shell 7.3%
  • Makefile 6.5%