Share and distribute Open Policy Agent Bundles with OpenFaaS functions

What will you learn in this post?

What is OPA (Open Policy Agent)?

How can we deploy OPA co-located with our service?

  • As a Go library
  • As a daemon

How can OpenFaaS help us with OPA?

Demo

  • A Kubernetes cluster (kind, minikube, etc.)
  • OpenFaaS CLI
  • Arkade
  • Kubectl
  • KinD

Setup

1. Set Up Tools

  • Arkade
$ curl -sLS https://dl.get-arkade.dev | sudo sh
  • KinD
$ arkade get kind
  • Kubectl
$ arkade get kubectl
  • faas-cli
$ arkade get faas-cli

2. Set Up Cluster

$ arkade get kind
$ kind create cluster

3. Deploy OpenFaaS

  • Install OpenFaaS using Arkade
$ arkade install openfaas
  • Verify Deployment
$ kubectl rollout status -n openfaas deploy/gateway
  • Enable local access to Gateway
$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &

4. Configure faas-cli

  • Read the password stored in the basic-auth secret in the openfaas namespace
$ PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
  • Log in to the gateway using that password
$ echo -n $PASSWORD | faas-cli login --username admin --password-stdin

5. Deploy Function

  • Go to the functions directory, pull the right template and deploy the function
$ cd functions
$ faas-cli template store pull golang-middleware
$ faas-cli up -f bundle-api.yml

6. Load Images

  • Pull the images from Docker Hub and load them into the KinD cluster
$ docker image pull openpolicyagent/opa:latest
$ kind load docker-image openpolicyagent/opa:latest
$ docker image pull openpolicyagent/demo-restful-api:0.2
$ kind load docker-image openpolicyagent/demo-restful-api:0.2

7. Deploy the application

$ cd ../hack/manifests
$ kubectl apply -f deployment.yaml
  • Verify Deployment
$ kubectl rollout status deployment demo-restful-api
  • Enable local access to the application
$ kubectl port-forward svc/demo-restful-api 5000:80 &

Test

  • People can see their own salaries (GET /finance/salary/{user} is permitted for {user})
  • A manager can see their direct reports’ salaries (GET /finance/salary/{user} is permitted for {user}’s manager)

Check that Alice can see her own salary

  • This command will succeed because Alice is asking for her own salary.
$ curl --user alice:password localhost:5000/finance/salary/alice

Check that bob CANNOT see charlie’s salary.

  • bob is not charlie’s manager, so the following command will fail.
$ curl --user bob:password localhost:5000/finance/salary/charlie
  • bob is Alice's manager, so the following command will succeed.
$ curl --user bob:password localhost:5000/finance/salary/alice
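Step 5 deploys a bundle-api function built from the golang-middleware template, and the Test section above describes the rule that OPA enforces once it has pulled the bundle. The Go example below is an added illustration, not the post's or the project's own code, of what such a function handler can look like: it packs a manifest and a Rego policy into an OPA bundle (a gzipped tarball) in memory, serves it, and answers a matching If-None-Match with 304 so OPA's polling does not re-download an unchanged policy. The Rego package name httpapi.authz, the path-as-array input shape, and the manager graph (bob manages alice; nobody manages charlie) are assumptions taken from the OPA HTTP API authorization tutorial and from the checks in this post; the package is main here so the file builds stand-alone, whereas the template keeps the handler in package function.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"time"
)

// Rego policy for the demo-restful-api, written like the OPA HTTP API
// authorization tutorial. The manager graph is constructed sample data that
// matches the checks in the post: bob manages alice; nobody here manages charlie.
const policyRego = `package httpapi.authz

import rego.v1

# Constructed sample data: each key lists that user's direct reports.
subordinates := {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

default allow := false

# Users may read their own salary.
allow if {
	input.method == "GET"
	input.path = ["finance", "salary", input.user]
}

# Managers may read their direct reports' salaries.
allow if {
	input.method == "GET"
	input.path = ["finance", "salary", subordinates[input.user][_]]
}
`

// The manifest pins the bundle's roots, so OPA refuses any other bundle that
// tries to overwrite this package, and carries a revision OPA reports in its status.
const manifestJSON = `{"revision": "demo-1", "roots": ["httpapi/authz"]}`

// addEntry appends one regular file to the tar stream with a fixed timestamp,
// so the bundle bytes (and therefore the ETag) are identical on every call.
func addEntry(tw *tar.Writer, name, body string) error {
	hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), ModTime: time.Unix(0, 0)}
	if err := tw.WriteHeader(hdr); err != nil {
		return err
	}
	_, err := tw.Write([]byte(body))
	return err
}

// BuildBundle packs the manifest and policy into an OPA bundle (a gzipped tarball).
func BuildBundle() ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	if err := addEntry(tw, "/.manifest", manifestJSON); err != nil {
		return nil, err
	}
	if err := addEntry(tw, "/httpapi/authz/policy.rego", policyRego); err != nil {
		return nil, err
	}
	// Close the tar writer first so its end-of-archive trailer lands inside the gzip stream.
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Handle has the signature the golang-middleware template expects. It serves the
// bundle and answers a matching If-None-Match with 304 Not Modified, so OPA's
// periodic polling only downloads again when the policy actually changes.
func Handle(w http.ResponseWriter, r *http.Request) {
	b, err := BuildBundle()
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	sum := sha256.Sum256(b)
	etag := `"` + hex.EncodeToString(sum[:]) + `"`
	w.Header().Set("ETag", etag)
	if r.Header.Get("If-None-Match") == etag {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	w.Header().Set("Content-Type", "application/gzip")
	_, _ = w.Write(b)
}
```

On the consumer side, the OPA sidecar in deployment.yaml is pointed at the function through OPA's configuration file: a services entry whose url is the OpenFaaS gateway (in-cluster, the gateway service in the openfaas namespace on port 8080, as the port-forward in step 3 shows) and a bundles entry whose resource is the function path, which would be function/bundle-api if the function deployed from bundle-api.yml is named bundle-api (an assumption; check faas-cli list). OPA then polls that URL, sends the ETag it last saw, and only reloads the policy when the function answers 200 with new bytes.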
