CLI

The RCTL utility provides the means to manage and automate the lifecycle of OPA Gatekeeper resources. The following operations can be performed on OPA Gatekeeper resources for projects within an organization.

+----------------------------+--------+-----+-------+--------+--------+
| Resource                   | Create | Get | Apply | Update | Delete |
+----------------------------+--------+-----+-------+--------+--------+
| OPA Constraint Template(s) | YES    | YES | YES   | YES    | YES    |
| OPA Constraint(s)          | YES    | YES | YES   | YES    | YES    |
| OPA Policies               | YES    | YES | YES   | YES    | YES    |
+----------------------------+--------+-----+-------+--------+--------+

Create OPA Constraint Template

Use the below command to create an OPA Constraint Template

./rctl create opaconstrainttemplate -f <constrainttemplate_filename.yml>

Constraint Template Spec from Git Repo

An illustrative example of the OPA Constraint Template spec YAML file from a Git repository is shown below. The paths parameter identifies the file path, and repository and revision identify the Git repository and branch

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-replica-constrainttemplate
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/template.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml

Constraint Template Spec via upload

An illustrative example of the OPA Constraint Template spec YAML file via upload is shown below. The paths parameter identifies the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-k8scontainerlimits
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-template/template.yaml
    options: {}
    type: Yaml

Important

The prefix file:// is mandatory for upload artifacts, and the path must be relative to the location of the spec file itself

Create OPA Constraint

Use the below command to create an OPA Constraint

./rctl create opaconstraint -f <constraint_filename.yml>

Constraint Spec from Git Repo

An illustrative example of the OPA Constraint spec YAML file from a Git repository is shown below. The paths parameter identifies the file path, repository and revision identify the Git repository and branch, and templateName names the Constraint Template the constraint instantiates

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-replica-constraint
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/demo/replicalimits/constraint.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml
  templateName: demo-replica-constrainttemplate

Constraint Spec via upload

An illustrative example of the OPA Constraint spec YAML file via upload is shown below. The paths parameter identifies the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-k8scontainerlimits-constraints
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-constraint/constraint.yaml
    options: {}
    type: Yaml
  templateName: demo-k8scontainerlimits

Important

The prefix file:// is mandatory for upload artifacts, and the path must be relative to the location of the spec file itself

Create OPA Policies

Use the below command to create an OPA Policy

./rctl create opapolicy -f <policy_file.yml>

An illustrative example of the OPA Policy spec YAML file is given below

apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: example-policy
  project: defaultproject
spec:
  constraintList:
  - name: constraint-1
  - name: constraint-2
  excludedNamespaces:
  - namespaces:
    - name: namespace-1
    processes:
    - '*'
  installationParams:
    auditFromCache: false
    auditInterval: 60
    auditMatchKindOnly: false
    constraintViolationsLimit: 20
    enableDeleteOperations: false
  sharing:
    enabled: true
    projects:
    - name: project-1
    - name: project-2
  syncObjects:
  - group: extentions
    kind: Pod
    version: v1
  version: example-version

• The parameter installationParams is set to false by default. Users can set it to true if required
• The parameter sharing is set to true by default. Users can set it to false if required
• Remove the syncObjects entry from the YAML file if group, kind, and version are not required
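The three spec kinds above reference each other: a Constraint names its Template through templateName, and a Policy names its Constraints through constraintList, and the upload notes require a file:// prefix with a path relative to the spec file. The following script, an added example that is not part of the RCTL documentation or tooling, runs those checks over a set of specs before they are handed to rctl. The specs are the page's upload samples written as the dicts a YAML loader would return (embedded so the script runs offline), plus a constructed broken constraint; rejecting `..` path segments is this example's own addition, not a documented RCTL rule.

```python
"""Pre-flight checks for a set of RCTL OPA Gatekeeper spec files.

Added example; not part of the RCTL documentation or tooling. The specs below
are the page's upload samples written as the dicts a YAML loader would return,
embedded so the script runs offline without a YAML library."""
from __future__ import annotations

KNOWN_KINDS = {"OPAConstraintTemplate", "OPAConstraint", "OPAPolicy"}


def artifact_paths(doc: dict) -> tuple[str | None, list[str]]:
    """Return (repository, [path names]) from spec.artifact.artifact."""
    inner = doc.get("spec", {}).get("artifact", {}).get("artifact", {})
    return inner.get("repository"), [p["name"] for p in inner.get("paths", [])]


def check_upload_path(name: str) -> list[str]:
    """Apply the page's rule for upload artifacts: the file:// prefix is
    mandatory and the path must be relative to the spec file. Rejecting '..'
    segments is this example's own addition (assumption, not an RCTL rule),
    so an artifact cannot point outside the directory the spec lives in."""
    if not name.startswith("file://"):
        return [f"{name}: upload artifact must use the file:// prefix"]
    rel = name[len("file://"):]
    problems = []
    if rel.startswith("/"):
        problems.append(f"{name}: path must be relative to the spec file, not absolute")
    if ".." in rel.split("/"):
        problems.append(f"{name}: path must not traverse above the spec directory")
    return problems


def validate(docs: list[dict]) -> list[str]:
    """Check kinds and artifact paths, then that every OPAConstraint.templateName
    resolves to an OPAConstraintTemplate and every policy constraintList entry
    resolves to an OPAConstraint, all within the same project."""
    problems: list[str] = []
    templates: set[tuple] = set()
    constraints: set[tuple] = set()
    for doc in docs:
        kind, meta = doc.get("kind"), doc.get("metadata", {})
        key = (meta.get("project"), meta.get("name"))
        if kind not in KNOWN_KINDS:
            problems.append(f"{key}: unknown kind {kind!r}")
            continue
        if kind == "OPAConstraintTemplate":
            templates.add(key)
        elif kind == "OPAConstraint":
            constraints.add(key)
        if kind == "OPAPolicy":
            continue  # policies carry no artifact of their own
        repo, names = artifact_paths(doc)
        if not names:
            problems.append(f"{key}: no artifact paths")
        for n in names:
            if repo is None:  # no repository means an upload artifact
                problems.extend(check_upload_path(n))
            elif n.startswith("file://"):
                problems.append(f"{key}: {n} uses file:// but a repository is set")
    for doc in docs:  # second pass: references must resolve within the project
        kind, meta = doc.get("kind"), doc.get("metadata", {})
        key = (meta.get("project"), meta.get("name"))
        if kind == "OPAConstraint":
            tmpl = doc.get("spec", {}).get("templateName")
            if (key[0], tmpl) not in templates:
                problems.append(f"{key}: templateName {tmpl!r} not found")
        elif kind == "OPAPolicy":
            for c in doc.get("spec", {}).get("constraintList", []):
                if (key[0], c.get("name")) not in constraints:
                    problems.append(f"{key}: constraint {c.get('name')!r} not found")
    return problems


# Constructed samples: the page's upload template and constraint, a minimal
# policy referring to that constraint, and one deliberately broken constraint.
TEMPLATE = {
    "apiVersion": "opa.k8smgmt.io/v3", "kind": "OPAConstraintTemplate",
    "metadata": {"name": "demo-k8scontainerlimits", "project": "defaultproject"},
    "spec": {"artifact": {"artifact": {"paths": [{"name": "file://artifacts/example-template/template.yaml"}]},
                          "options": {}, "type": "Yaml"}},
}
CONSTRAINT = {
    "apiVersion": "opa.k8smgmt.io/v3", "kind": "OPAConstraint",
    "metadata": {"name": "demo-k8scontainerlimits-constraints", "project": "defaultproject"},
    "spec": {"artifact": {"artifact": {"paths": [{"name": "file://artifacts/example-constraint/constraint.yaml"}]},
                          "options": {}, "type": "Yaml"},
             "templateName": "demo-k8scontainerlimits"},
}
POLICY = {
    "apiVersion": "opa.k8smgmt.io/v3", "kind": "OPAPolicy",
    "metadata": {"name": "example-policy", "project": "defaultproject"},
    "spec": {"constraintList": [{"name": "demo-k8scontainerlimits-constraints"}]},
}
BROKEN_CONSTRAINT = {  # constructed: missing file:// prefix and an unknown template
    "apiVersion": "opa.k8smgmt.io/v3", "kind": "OPAConstraint",
    "metadata": {"name": "broken-constraint", "project": "defaultproject"},
    "spec": {"artifact": {"artifact": {"paths": [{"name": "artifacts/example-constraint/constraint.yaml"}]},
                          "type": "Yaml"},
             "templateName": "missing-template"},
}

if __name__ == "__main__":
    for p in validate([TEMPLATE, BROKEN_CONSTRAINT, POLICY]) or ["all specs consistent"]:
        print(p)
```

Run it against the set of specs you intend to create together; an empty result means every reference resolves and every upload path follows the rule from the Important notes. Feeding the broken sample reports the missing prefix, the unresolved templateName, and the policy whose constraint no longer exists, which is the same failure you would otherwise discover only after the rctl create calls.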

List OPA Constraint Templates

Use this command to retrieve the list of OPA Constraint Templates in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraint templates (both from a Git repository and via upload)

./rctl get opaconstrainttemplate
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| CONSTRAINT TEMPLATE NAME        | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY   |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels               | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |              |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-1                          | Yaml          | demo-files/constrainttemplates/artifacts/two/gatekeeper-allowedrepos-constraint-template-regex.yaml | ankit-opa    |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-replica-constrainttemplate | Yaml          | library/general/replicalimits/template.yaml                                                         | demo-git-opa |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+
| demo-k8scontainerlimits         | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits/k8scontainerlimits_contrainttemplate.yaml"}   |              |
+---------------------------------+---------------+-----------------------------------------------------------------------------------------------------+--------------+

Get Specific OPA Constraint Template

Below is an example to retrieve a specific OPA Constraint Template

./rctl get opaconstrainttemplate k8srequiredlabels
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT TEMPLATE NAME       | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY  |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels              | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |             |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+

List OPA Constraints

Use this command to retrieve the list of OPA Constraints in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraints (both from a Git repository and via upload)

./rctl get opaconstraint
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| CONSTRAINT NAME                     | ARTIFACT TYPE | ARTIFACT FILES                                                                                         | REPOSITORY   |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels-constraints       | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}        |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-1                              | Yaml          | demo-files/constraints/artifacts/two/gatekeeper-allowedrepos-policy-constraint.yaml                    | ankit-opa    |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-label-crd                      | Yaml          | paths:{name:"file://artifacts/ankit-label-crd/crd-constraint.yaml"}                                    |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| k8srequiredlabels-pod               | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-pod/k8srequiredlabels_contraints_pod.yaml"}            |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-k8scontainerlimits-constraints | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits-constraints/k8scontainerlimits_contraints.yaml"} |              |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+
| demo-replica-constraint             | Yaml          | library/general/replicalimits/samples/replicalimits/constraint.yaml                                    | demo-git-opa |
+-------------------------------------+---------------+--------------------------------------------------------------------------------------------------------+--------------+

Get Specific OPA Constraint

Below is an example to retrieve a specific OPA Constraint

./rctl get opaconstraint k8srequiredlabels-constraints
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT NAME                    | ARTIFACT TYPE | ARTIFACT FILES                                                                                        | REPOSITORY  |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels-constraints      | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}       |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+

List OPA Policies

Use this command to retrieve the list of OPA Policies in the configured Project. An illustrative example is shown below where RCTL retrieves the list of policies

./rctl get opapolicy
+--------------+-----------------------------+--------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                          |
+--------------+-----------------------------+--------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod                |
+--------------+-----------------------------+--------------------------------------+
| demo1        | v1                          | k8srequiredlabels-constraints        |
+--------------+-----------------------------+--------------------------------------+
| demo-policy-2| v1-container-replica-labels | k8srequiredlabels-constraints        |
|              |                             | demo-k8scontainerlimits-constraints  |
|              |                             | demo-replica-constraint              |
+--------------+-----------------------------+--------------------------------------+
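The policy listing above wraps a policy's constraints onto continuation rows, which makes it awkward to consume from a script. The following parser, an added example that is not part of RCTL, turns that table into records and then compares each policy's listed constraints with the constraintList declared in its spec, so drift between what was declared and what the platform reports is visible. The sample output is the page's own listing, embedded so the script runs offline; the expected constraintList in the usage block is constructed for illustration.

```python
"""Parse the ASCII table printed by `rctl get opapolicy` into records and
check it against the constraintList declared in policy specs.

Added example; not part of RCTL. The sample output is the page's own listing,
embedded here so the script runs offline. Rows whose first cell is blank are
continuation rows of a wrapped cell (a policy with several constraints)."""
from __future__ import annotations

SAMPLE_OUTPUT = """\
+--------------+-----------------------------+--------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                          |
+--------------+-----------------------------+--------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod                |
+--------------+-----------------------------+--------------------------------------+
| demo1        | v1                          | k8srequiredlabels-constraints        |
+--------------+-----------------------------+--------------------------------------+
| demo-policy-2| v1-container-replica-labels | k8srequiredlabels-constraints        |
|              |                             | demo-k8scontainerlimits-constraints  |
|              |                             | demo-replica-constraint              |
+--------------+-----------------------------+--------------------------------------+
"""


def parse_table(text: str) -> list[dict[str, list[str]]]:
    """Return one dict per data row, mapping each header to the list of cell
    values (a list because wrapped cells span several physical rows)."""
    header = None
    rows: list[dict[str, list[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # "+----+" separator lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif cells[0] == "" and rows:
            for col, value in zip(header, cells):  # continuation of previous row
                if value:
                    rows[-1][col].append(value)
        else:
            rows.append({col: [value] if value else [] for col, value in zip(header, cells)})
    return rows


def policies(text: str) -> dict[str, dict]:
    """Index the listing by policy name."""
    return {row["POLICY NAME"][0]: {"version": row["VERSION NAME"][0],
                                    "constraints": row["CONSTRAINTS"]}
            for row in parse_table(text)}


def missing_constraints(text: str, declared: dict[str, list[str]]) -> dict[str, list[str]]:
    """For each policy in `declared` (name -> constraintList names from its spec),
    return the constraints the platform listing does not show; a policy that is
    absent from the listing reports all of its declared constraints."""
    listed = policies(text)
    return {name: sorted(set(wanted) - set(listed.get(name, {}).get("constraints", [])))
            for name, wanted in declared.items()}


if __name__ == "__main__":
    # Constructed expectation: suppose the spec for demo-policy-2 also declares k8srequiredlabels-pod.
    expected = {"demo-policy-2": ["k8srequiredlabels-constraints", "k8srequiredlabels-pod"]}
    print(missing_constraints(SAMPLE_OUTPUT, expected))
```

In practice the text would come from the captured stdout of rctl get opapolicy and the declared map from the constraintList of each policy spec file; an empty list for every policy means the platform reports exactly the constraints the specs declare.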

Get Specific OPA Policy

Below is an example to retrieve a specific OPA Policy

./rctl get opapolicy demo-policy
+--------------+-----------------------------+------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                        |
+--------------+-----------------------------+------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod              |
+--------------+-----------------------------+------------------------------------+

Apply Command

The Apply command creates the required resource(s) from the configuration details specified in the YAML file; the created resources are then visible in the UI.

./rctl apply -f <opa-file.yaml>

Update Commands

OPA Constraint Template

Use the below command to apply changes made to an OPA Constraint Template's spec YAML file

./rctl update opaconstrainttemplate -f <updated-constrainttemplate.yaml>

OPA Constraint

Use the below command to apply changes made to an OPA Constraint's spec YAML file

./rctl update opaconstraint -f <updated-constraint.yaml>

Delete Commands

You can use either the imperative method (by resource name) or the declarative method (by spec file) to delete OPA Constraints, Constraint Templates and Policies

Imperative

OPA Constraint Template

Use the below command to delete an OPA Constraint Template

./rctl delete opaconstrainttemplate <constrainttemplate_name>

OPA Constraint

Use the below command to delete an OPA Constraint

./rctl delete opaconstraint <constraint_name>

OPA Policy

Use the below command to delete an OPA Policy

./rctl delete opapolicy <policy_name>

Declarative

OPA Constraint Template

Use the below command to delete an OPA Constraint Template

./rctl delete opaconstrainttemplate <constrainttemplatefile.yaml>

OPA Constraint

Use the below command to delete an OPA Constraint

./rctl delete opaconstraint <constraintfile.yaml>

OPA Policy

Use the below command to delete an OPA Policy

./rctl delete opapolicy <policyfile.yaml>