OPA Traefik Hub API Gateway

Traefik Hub Feature

This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.

Traefik Hub comes with an Open Policy Agent middleware that allows you to restrict access to your services. It also allows you to enrich request headers with data extracted from policies. The OPA middleware works as an OPA agent.

OPA Version

This middleware uses v1.3.0 of the OPA specification.

Configuration Example

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: opa-allow-jwt-claim
  namespace: apps
spec:
  plugin:
    opa:
      policy: |
        package example.policies

        allow {
          [_, encoded] := split(input.headers.Authorization, " ")
          [header, payload, signature] = io.jwt.decode(encoded)
          payload["email"] == "[email protected]"
        }
      forwardHeaders:
        Group: data.package.grp
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: opa-deny-json
  namespace: apps
spec:
  plugin:
    opa:
      policy: |
        package example.policies

        default allow = false

        json_content {
          input.headers["Accept"] == "application/json"
        }

        allow {
          not json_content
        }
      allow: data.example.policies.allow
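
OPA's `io.jwt.decode`, used in the first example, parses the token without checking its signature, so the `email` comparison is only trustworthy if the token is verified elsewhere. The following is an added example, not taken from the Traefik Hub documentation, of the same check using OPA's `io.jwt.decode_verify` built-in. The middleware name, issuer, audience, email value and certificate placeholder are assumptions, and the rule syntax follows the examples above.

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: opa-allow-verified-jwt-claim   # hypothetical name
  namespace: apps
spec:
  plugin:
    opa:
      policy: |
        package example.policies

        default allow = false

        # Constructed placeholder: replace with the issuer's PEM certificate
        # or JWKS document used to validate token signatures.
        issuer_cert := "<ISSUER-PEM-CERTIFICATE-OR-JWKS>"

        # Constraints enforced by io.jwt.decode_verify. The signature must
        # validate against issuer_cert with the pinned algorithm, and the
        # iss and aud claims must match (both values are assumptions).
        # exp and nbf claims, when present, are checked against current time.
        constraints := {
          "cert": issuer_cert,
          "alg": "RS256",
          "iss": "https://issuer.example.com",
          "aud": "apps"
        }

        allow {
          # Accept only a two-part "Bearer <token>" header.
          [scheme, encoded] := split(input.headers.Authorization, " ")
          lower(scheme) == "bearer"

          # valid is true only when the signature and all constraints pass.
          [valid, _, payload] := io.jwt.decode_verify(encoded, constraints)
          valid

          # Constructed sample value for the claim being matched.
          payload["email"] == "user@example.com"
        }
      allow: data.example.policies.allow
```

Pinning `alg` in the constraints rejects tokens signed with any other algorithm, and `default allow = false` keeps a missing or malformed `Authorization` header from being treated as authorized.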

Configuration Options

| Field | Description | Default | Required |
|-------|-------------|---------|----------|
| policy | Path or the content of a policy file. | "" | No (one of policy or bundlePath must be set) |
| bundlePath | The bundlePath option should contain the path to an OPA bundle. | "" | No (one of policy or bundlePath must be set) |
| allow | The allow option sets the expression to evaluate that determines if the request should be authorized. | "" | No (one of allow or forwardHeaders must be set) |
| forwardHeaders | The forwardHeaders option sets the HTTP headers to add to requests and populates them with the result of the given expression. | "" | No (one of allow or forwardHeaders must be set) |
