Open Policy Agent (OPA)
Traefik Enterprise comes with an Open Policy Agent middleware that allows you to restrict access to your services. It also allows you to enrich request headers with data extracted from policies. The OPA middleware works as an OPA agent.
OPA Version
This middleware uses v0.24.0 of the OPA specification.
Middleware Options
policy
Optional (one of policy or bundlePath must be set), Default=""
The policy option should contain the path or the content of a policy.

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.policy=/usr/traefikee/policy.rego"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-opa
spec:
  plugin:
    opa:
      policy: /usr/traefikee/policy.rego

- "traefik.http.middlewares.test-opa.plugin.opa.policy=/usr/traefikee/policy.rego"

"labels": {
  "traefik.http.middlewares.test-opa.plugin.opa.policy": "/usr/traefikee/policy.rego"
}

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.policy=/usr/traefikee/policy.rego"

http:
  middlewares:
    test-opa:
      plugin:
        opa:
          policy: /usr/traefikee/policy.rego

[http.middlewares]
  [http.middlewares.test-opa.plugin.opa]
    policy = "/usr/traefikee/policy.rego"

bundlePath
Optional (one of policy or bundlePath must be set), Default=false
The bundlePath option should contain the path to an OPA bundle.

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.bundlePath=/usr/traefikee/bundle.tar.gz"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-opa
spec:
  plugin:
    opa:
      bundlePath: /usr/traefikee/bundle.tar.gz

- "traefik.http.middlewares.test-opa.plugin.opa.bundlePath=/usr/traefikee/bundle.tar.gz"

"labels": {
  "traefik.http.middlewares.test-opa.plugin.opa.bundlePath": "/usr/traefikee/bundle.tar.gz"
}

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.bundlePath=/usr/traefikee/bundle.tar.gz"

http:
  middlewares:
    test-opa:
      plugin:
        opa:
          bundlePath: /usr/traefikee/bundle.tar.gz

[http.middlewares]
  [http.middlewares.test-opa.plugin.opa]
    bundlePath = "/usr/traefikee/bundle.tar.gz"

allow
Optional (one of allow or forwardHeaders must be set), Default=""
The allow option sets the expression to evaluate that determines if the request should be authorized.

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.allow=data.package.allow"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-opa
spec:
  plugin:
    opa:
      allow: data.package.allow

- "traefik.http.middlewares.test-opa.plugin.opa.allow=data.package.allow"

"labels": {
  "traefik.http.middlewares.test-opa.plugin.opa.allow": "data.package.allow"
}

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.allow=data.package.allow"

http:
  middlewares:
    test-opa:
      plugin:
        opa:
          allow: data.package.allow

[http.middlewares]
  [http.middlewares.test-opa.plugin.opa]
    allow = "data.package.allow"

forwardHeaders
Optional (one of allow or forwardHeaders must be set), Default=None
The forwardHeaders option sets the HTTP headers to add to requests and populates them with the result of the given expression.

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.forwardHeaders.Group=data.package.grp"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-opa
spec:
  plugin:
    opa:
      forwardHeaders:
        Group: data.package.grp

- "traefik.http.middlewares.test-opa.plugin.opa.forwardHeaders.Group=data.package.grp"

"labels": {
  "traefik.http.middlewares.test-opa.plugin.opa.forwardHeaders.Group": "data.package.grp"
}

labels:
  - "traefik.http.middlewares.test-opa.plugin.opa.forwardHeaders.Group=data.package.grp"

http:
  middlewares:
    test-opa:
      plugin:
        opa:
          forwardHeaders:
            Group: data.package.grp

[http.middlewares]
  [http.middlewares.test-opa.plugin.opa]
    [http.middlewares.test-opa.plugin.opa.forwardHeaders]
      Group = "data.package.grp"
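
The two "one of ... must be set" rules above can be checked before a configuration is deployed. The following is an added example, not part of the Traefik Enterprise documentation or code: a small Python linter that groups OPA middleware labels by middleware name and reports any that lack a policy source or a decision/header expression. It assumes "one of" means "at least one"; the function names and the sample labels are constructed for illustration.

```python
import re

# Label keys follow the pattern used on this page:
# traefik.http.middlewares.<name>.plugin.opa.<option>[.<header>]
LABEL_RE = re.compile(
    r"^traefik\.http\.middlewares\.(?P<name>[^.]+)\.plugin\.opa\.(?P<opt>.+)$"
)

def parse_opa_labels(labels):
    """Group 'key=value' label strings into {middleware: {option: value}}."""
    middlewares = {}
    for label in labels:
        key, sep, value = label.partition("=")
        m = LABEL_RE.match(key.strip())
        if not m or not sep:
            continue  # not an OPA middleware label
        opts = middlewares.setdefault(m.group("name"), {})
        opt, _, sub = m.group("opt").partition(".")
        if sub:  # nested option such as forwardHeaders.Group
            opts.setdefault(opt, {})[sub] = value.strip()
        else:
            opts[opt] = value.strip()
    return middlewares

def lint_opa_middlewares(labels):
    """Return findings for middlewares that break the documented constraints."""
    findings = []
    for name, opts in sorted(parse_opa_labels(labels).items()):
        # Assumption: "one of" is read as "at least one".
        if not (opts.get("policy") or opts.get("bundlePath")):
            findings.append(f"{name}: set policy or bundlePath")
        if not (opts.get("allow") or opts.get("forwardHeaders")):
            findings.append(f"{name}: set allow or forwardHeaders")
    return findings

# Constructed sample labels; only test-opa satisfies both constraints.
SAMPLE_LABELS = [
    "traefik.http.middlewares.test-opa.plugin.opa.policy=/usr/traefikee/policy.rego",
    "traefik.http.middlewares.test-opa.plugin.opa.allow=data.package.allow",
    "traefik.http.middlewares.test-opa.plugin.opa.forwardHeaders.Group=data.package.grp",
    "traefik.http.middlewares.no-decision.plugin.opa.bundlePath=/usr/traefikee/bundle.tar.gz",
    "traefik.http.middlewares.no-source.plugin.opa.allow=data.package.allow",
    "traefik.http.routers.app.middlewares=test-opa",
]

if __name__ == "__main__":
    for finding in lint_opa_middlewares(SAMPLE_LABELS):
        print(finding)
```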