Skip to content

CLI

The RCTL utility provides the means to manage/automate the lifecycle of OPA Gatekeeper. The following operations can be performed on OPA Gatekeeper for projects within an organization.

Resource Create Get Apply Update Delete
OPA Installation Profile(s) YES YES YES NO YES
OPA Constraint Template(s) YES YES YES YES YES
OPA Constraint(s) YES YES YES YES YES
OPA Policies YES YES YES NO YES

Create Installation Profile

Run the below command to create a Network Policy Profile using the spec yaml file

./rctl apply -f profile_filename.yaml

An illustrative example of the profile spec YAML file is shown below

apiVersion: opa.k8smgmt.io/v3
kind: OPAProfile
metadata:
  name: test-profile
  project: defaultproject
spec:
  excludedNamespaces:
  - namespaces:
    - name: ns1
    processes:
    - '*'
  installationParams:
    auditFromCache: true
    auditInterval: 61
    auditMatchKindOnly: true
    constraintViolationsLimit: 21
    enableDeleteOperations: true
  sharing:
    enabled: true
    projects:
    - name: project-1
  version: v1

Create OPA Constraint Template

Use the below command to create a OPA Constraint Template

./rctl create opaconstrainttemplate -f <constrainttemplate_filename.yml>

Constraint Template Spec from Git Repo

An illustrative example of the OPA Constraint Template spec YAML file from Git Repo is shown below. The paths parameters identifies the Git Repository and the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-replica-constrainttemplate
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/template.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml

Constraint Template Spec via upload

An illustrative example of the OPA Constraint Template spec YAML file via upload is shown below. The paths parameters identifies the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: demo-k8scontainerlimits
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-template/template.yaml
    options: {}
    type: Yaml

Important

The prefix file:// is mandatory for upload artifacts and the path should be relative to the parent file path


Create OPA Constraint

Use the below command to create a OPA Constraint

./rctl create opaconstraint -f <constraint_filename.yml>

Constraint Spec from Git Repo

An illustrative example of the OPA Constraint spec YAML file from Git Repo is shown below. The paths parameters identifies the Git Repository and the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-replica-constraint
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: library/general/replicalimits/demo/replicalimits/constraint.yaml
      repository: demo-git-opa
      revision: master
    type: Yaml
  published: true
  templateName: demo-replica-constrainttemplate
  version: v1

Constraint Spec via upload

An illustrative example of the OPA Constraint spec YAML file via upload is shown below. The paths parameters identifies the file path

apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: demo-k8scontainerlimits-constraints
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/example-constraint/constraint.yaml
    options: {}
    type: Yaml
  published: true
  templateName: demo-k8scontainerlimits
  version: v1

Important

The prefix file:// is mandatory for upload artifacts and the path should be relative to the parent file path


Create OPA Policies

Use the below command to create a OPA Policy

./rctl create opapolicy -f <policy_file.yml>

An illustrative example of the OPA Policy spec YAML file is given below

apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: example-policy
  project: defaultproject
spec:
  constraintList:
  - name: constraint-1
    version: v1
  - name: constraint-2
    version: v2
  sharing:
    enabled: true
    projects:
    - name: project-1
    - name: project-2
  version: v2

OPA Gatekeeper Policy in Blueprint

Once OPA Gatekeeper installation profiles and policies are creates, users can deploy them via blueprint spec yaml. An illustrative example of the blueprint spec YAML is shown below.

apiVersion: infra.k8smgmt.io/v3
kind: Blueprint
metadata:
  name: example-blueprint
  project: defaultproject
spec:
  base:
    name: default
    version: 1.17.0
  defaultAddons:
    csiSecretStoreConfig:
      providers: {}
    enableIngress: true
    enableLogging: false
    enableMonitoring: true
    enableVM: false
  drift:
    enabled: false
  networkPolicy: {}
  opaPolicy:
    opaPolicy:
    - name: test-policy1
      version: v1
    - name: test-policy2
      version: v3
    profile:
      name: test-profile
      version: v1
  placement: {}
  sharing:
    enabled: false
  version: v3-test

List OPA Installation Profiles

Use this command to retrieve the list of OPA Installation Profiles in the configured Project. An illustrative example is shown below where RCTL retrieves the list of profiles.

./rctl get opaprofile

+-----------------------+---------+
| PROFILE NAME          | VERSION |
+-----------------------+---------+
| initial-am-policy1-v1 | v4      |
+-----------------------+---------+
| test-opa              | v1      |
+-----------------------+---------+

Get Specific OPA Installation Profile

Below is an example to retrieve a specific OPA Constraint Template

./rctl get opaprofile test-opa
+--------------+---------+
| PROFILE NAME | VERSION |
+--------------+---------+
| test-opa     | v1      |
+--------------+---------+

List OPA Constraint Templates

Use this command to retrieve the list of OPA Constraint Templates in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraint templates (both from Git Repo and upload)

./rctl get opaconstrainttemplate
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT TEMPLATE NAME       | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY  |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels              | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |             |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| demo-1                         | Yaml          | demo-files/constrainttemplates/artifacts/two/gatekeeper-allowedrepos-constraint-template-regex.yaml | ankit-opa   |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| demo-replica-constrainttemplate| Yaml          | library/general/replicalimits/template.yaml                                                         | demo-git-opa |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| demo-k8scontainerlimits        | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits/k8scontainerlimits_contrainttemplate.yaml"}    |             |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+

Get Specific OPA Constraint Template

Below is an example to retrieve a specific OPA Constraint Template

./rctl get opaconstrainttemplate k8srequiredlabels
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT TEMPLATE NAME       | ARTIFACT TYPE | ARTIFACT FILES                                                                                      | REPOSITORY  |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels              | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels/k8srequiredlabels_contrainttemplate.yaml"}          |             |
+--------------------------------+---------------+-----------------------------------------------------------------------------------------------------+-------------+

List OPA Constraints

Use this command to retrieve the list of OPA Constraints in the configured Project. An illustrative example is shown below where RCTL retrieves the list of constraints (both from Git Repo and upload)

./rctl get opaconstraint                                          
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT NAME                    | ARTIFACT TYPE | ARTIFACT FILES                                                                                        | REPOSITORY  |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels-constraints      | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}       |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| demo-1                              | Yaml          | demo-files/constraints/artifacts/two/gatekeeper-allowedrepos-policy-constraint.yaml                   | ankit-opa   |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| demo-label-crd                    | Yaml          | paths:{name:"file://artifacts/ankit-label-crd/crd-constraint.yaml"}                                   |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels-pod              | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-pod/k8srequiredlabels_contraints_pod.yaml"}           |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| demo-k8scontainerlimits-constraints | Yaml          | paths:{name:"file://artifacts/demo-k8scontainerlimits-constraints/k8scontainerlimits_contraints.yaml"} |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| demo-replica-constraint             | Yaml          | library/general/replicalimits/samples/replicalimits/constraint.yaml                                   | demo-git-opa |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+

Get Specific OPA Constraint

Below is an example to retrieve a specific OPA Constraint

./rctl get opaconstraint k8srequiredlabels-constraints
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| CONSTRAINT NAME                    | ARTIFACT TYPE | ARTIFACT FILES                                                                                        | REPOSITORY  |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+
| k8srequiredlabels-constraints      | Yaml          | paths:{name:"file://artifacts/k8srequiredlabels-constraints/k8srequiredlabels_contraints.yaml"}       |             |
+------------------------------------+---------------+-------------------------------------------------------------------------------------------------------+-------------+

List OPA Policies

Use this command to retrieve the list of OPA Policies in the configured Project. An illustrative example is shown below where RCTL retrieves the list of policies

./rctl get opapolicy
+--------------+-----------------------------+--------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                          |
+--------------+-----------------------------+--------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod                |
+--------------+-----------------------------+--------------------------------------+
| demo1        | v1                          | k8srequiredlabels-constraints        |
+--------------+-----------------------------+--------------------------------------+
| demo-policy-2| v1-container-replica-labels | k8srequiredlabels-constraints        |
|              |                             | demo-k8scontainerlimits-constraints  |
|              |                             | demo-replica-constraint              |
+--------------+-----------------------------+--------------------------------------+

Get Specific OPA Policy

Below is an example to retrieve a specific OPA Policy

./rctl get opapolicy demo-policy
+--------------+-----------------------------+------------------------------------+
| POLICY NAME  | VERSION NAME                | CONSTRAINTS                        |
+--------------+-----------------------------+------------------------------------+
| demo-policy  | v3-pod                      | k8srequiredlabels-pod              |
+--------------+-----------------------------+------------------------------------+

Apply Command

Based on the configuration details specified in the yaml file, the Apply command helps to create the required resource(s) in the UI using a YAML file.

./rctl apply -f <opa-file.yaml>

Update Commands

OPA Constraint Template

Use the below command to update the OPA Constraint Template changes made to the spec YAML file

./rctl update opaconstrainttemplate -f <updated-constrainttemplate.yaml>

OPA Constraint

Use the below command to update the OPA Constraints changes made to the spec YAML file

./rctl update opaconstraint -f <updated-constraint.yaml>

Delete Commands

You can use both imperative and declarative methods to delete OPA Constraints, Constraint Templates and Policies

Imperative

OPA Installation Profile

Use the below command to delete a OPA Constraint Template

./rctl delete opaprofile <profile_name>

OPA Constraint Template

Use the below command to delete a OPA Constraint Template

./rctl delete opaconstrainttemplate <constrainttemplate_name>

OPA Constraint

Use the below command to delete a OPA Constraint

./rctl delete opaconstraint <constraint_name>

OPA Policy

Use the below command to delete a OPA Policy

./rctl delete opapolicy <policy_name>

Declarative

OPA Installation Profile

Use the below command to delete a OPA Constraint Template

./rctl delete opaprofile <opaprofilefile.yaml>

OPA Constraint Template

Use the below command to delete a OPA Constraint Template

./rctl delete opaconstrainttemplate <constrainttemplatefile.yaml>

OPA Constraint

Use the below command to delete a OPA Constraint

./rctl delete opaconstraint <constraintfile.yaml>

OPA Policy

Use the below command to delete a OPA Policy

./rctl delete opapolicy <policyfile.yaml>