Open Policy Agent

Traefik Hub comes with an Open Policy Agent middleware that allows you to restrict access to your services. It also allows you to enrich request headers with data extracted from policies. The OPA middleware works as an OPA agent.

OPA Version

This middleware uses the v0.66.0 of the OPA specification.

Configuration Example

OPA Middlware

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-opa
spec:
  plugin:
    opa:
      policy: |
        package example.policies

        allow {
          [_, encoded] := split(input.headers.Authorization, " ")
          [header, payload, signature] = io.jwt.decode(encoded)
          payload["email"] == "[email protected]"
        }
      forwardHeaders:
        Group: data.package.grp

Configuration Options

Field	Description	Default	Required
`policy`	Path or the content of a policy file.	""	No (one of `policy` or `bundlePath` must be set)
`bundlePath`	The `bundlePath` option should contain the path to an OPA bundle.	""	No (one of `policy` or `bundlePath` must be set)
`allow`	The `allow` option sets the expression to evaluate that determines if the request should be authorized.	""	No (one of `allow` or `forwardHeaders` must be set)
`forwardHeaders`	The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression.	""	No (one of `allow` or `forwardHeaders` must be set)

Configuration Example​

Configuration Options​

Configuration Example

Configuration Options