Share and distribute Open Policy Agent Bundles with OpenFaaS functions

What you will learn in this post?

What is OPA (Open Policy Agent)?

How can we deploy OPA co-located with our service?

  • As a Go library
  • As a daemon

How can OpenFaaS help us with the OPA?


  • A Kubernetes cluster (kind, minikube, etc.)
  • OpenFaaS CLI
  • Arkade
  • Kubectl
  • KinD


1. Setup Tools

  • Arkade
$ curl -sLS | sudo sh
  • KinD
$ arkade get kind
  • Kubectl
$ arkade get kubectl
  • faas-cli
$ arkade get faas-cli

2. Set Up Cluster

$ arkade get kind
$ kind create cluster

3. Deploy OpenFaaS

  • Install OpenFaaS using Arkade
$ arkade install openfaas
  • Verify Deployment
$ kubectl rollout status -n openfaas deploy/gateway
  • Enable local access to Gateway
$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &

4. Configure faas-cli

  • Access password that available in the basic-auth secret in openfaas namespace
$ PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
  • Login with using the password to Gateway
$ echo -n $PASSWORD | faas-cli login --username admin --password-stdin

5. Deploy Function

  • Go to the functions directory, pull the right template and deploy the function
$ cd functions
$ faas-cli template store pull golang-middleware
$ faas-cli up -f bundle-api.yml

6. Load Images

  • Load images from Docker Hub to the KinD
$ docker image pull openpolicyagent/opa:latest
$ kind load docker-image openpolicyagent/opa:latest
$ docker image pull openpolicyagent/demo-restful-api:0.2
$ kind load docker-image openpolicyagent/demo-restful-api:0.27. Deploy the application
$ cd ../hack/manifests <br>
$ kubectl apply -f deployment.yaml
  • Verify Deployment
$ kubectl rollout status deployment demo-restful-api
  • Enable local access to the application
$ kubectl port-forward svc/demo-restful-api 5000:80 &


  • People can see their own salaries (GET /finance/salary/{user} is permitted for {user})
  • A manager can see their direct reports’ salaries (GET /finance/salary/{user} is permitted for {user}’s manager)

Check that Alice can see her own salary

  • This command will succeed because Alice wants to see your own salary.
$ curl --user alice:password localhost:5000/finance/salary/alice

Check that bob CANNOT see charlie’s salary.

  • bob is not charlie’s manager, so the following command will fail.
$ curl --user bob:password localhost:5000/finance/salary/charlie
  • bob is Alice's manager, so the following command will succeed.
$ curl --user bob:password localhost:5000/finance/salary/alice





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store