Admission Control OPA for private GKE cluster
Created On 02/10/22 18:37 PM - Last Modified 09/29/25 18:42 PM
Symptom
All deployments in the cluster started failing after OPA admission control was enabled from the Prisma Cloud Console.
Environment
- Private GKE cluster, All versions
- Prisma Cloud Compute SaaS and Self-hosted version above 21.04
Cause
The GKE control plane (API server) cannot reach the Defender admission webhook because the private cluster's control-plane-to-node firewall rule does not allow the port the Defender service listens on. When the API server cannot reach a validating webhook whose failurePolicy is Fail (the Kubernetes default), it rejects the request, which is why every deployment fails rather than just the ones the policy should block.
Resolution
- Check the port number the Defender service listens on in the cluster (look at the Port line of the output):
kubectl describe svc defender -n twistlock
- In the Google Cloud console for the project that hosts the cluster, go to
VPC Network >> Firewall
- Find the rule GKE created for control-plane-to-node traffic; its name contains your cluster name and ends in -master:
gke-<cluster-name>-<hash>-master
By default this rule only allows tcp:443 and tcp:10250 from the control plane, which is why the webhook port is blocked.
- Click on that entry, then click Edit.
- Scroll down to the "Protocols and ports" section and add the Defender port from step 1 (for example 9998) to the tcp ports. Keep the existing ports; removing 443 or 10250 breaks the control plane's own access to the nodes.
- Save the settings.
- After saving the settings, deploy the OPA admission control (validating webhook) in the private GKE cluster.
- Deploy a privileged pod for testing, using this config:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    securityContext:
      privileged: true
- Log into the Prisma Cloud Console and check
Compute >> Events >> Admission Audit
You should see an Admission Audit event for this private cluster. If no event appears, the control plane still cannot reach the webhook; re-check the port from step 1 and the firewall rule.
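The whole procedure above as a script, added here as an example; it is not part of the original article and not Prisma Cloud's own tooling. It assumes gcloud and kubectl are authenticated against the project and cluster, that the Defender service is named defender in the twistlock namespace (as in step 1), and that GKE's control-plane rule follows the gke-<cluster>-<hash>-master naming; the kubectl output embedded in it is constructed so the parsing and merge logic can be exercised offline. Unlike the console steps, it merges the new port into the rule's existing allow list instead of retyping it, so the 443 and 10250 entries cannot be lost by accident.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud KB article or Prisma tooling.
# Opens the Defender admission-webhook port on a private GKE cluster's
# control-plane firewall rule, then deploys the article's test pod.
#
# Assumptions (labelled): gcloud/kubectl are authenticated, the Defender
# service is "defender" in namespace "twistlock", and the GKE rule is named
# gke-<cluster>-<hash>-master. SAMPLE_DESCRIBE below is constructed output
# used only to exercise the parser offline.

# Pull the TCP port(s) out of `kubectl describe svc` output read from stdin.
# Only "Port:" lines are used; "TargetPort:"/"NodePort:" lines are skipped.
svc_tcp_ports() {
    awk '/^Port:/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+\/TCP$/) { sub(/\/TCP$/, "", $i); print $i }
    }'
}

# Add tcp:<port> to an existing allow list ("tcp:443,tcp:10250") without
# dropping the ports GKE needs or duplicating one that is already present.
merge_allow() {
    allow="$1"; port="$2"
    case ",$allow," in
        ",,")              printf 'tcp:%s\n' "$port" ;;
        *",tcp:$port,"*)   printf '%s\n' "$allow" ;;
        *)                 printf '%s,tcp:%s\n' "$allow" "$port" ;;
    esac
}

# Constructed sample of `kubectl describe svc defender -n twistlock`.
SAMPLE_DESCRIBE='Name:              defender
Namespace:         twistlock
Type:              ClusterIP
IP:                10.8.0.20
Port:              <unset>  9998/TCP
TargetPort:        9998/TCP
Endpoints:         10.4.0.5:9998,10.4.1.7:9998'

# Parse the constructed sample (offline check of the parser).
sample_port() { printf '%s\n' "$SAMPLE_DESCRIBE" | svc_tcp_ports | head -n 1; }

# Live procedure: fix_master_rule <cluster-name> <gcp-project>
fix_master_rule() {
    cluster="$1"; project="$2"
    port=$(kubectl describe svc defender -n twistlock | svc_tcp_ports | head -n 1)
    [ -n "$port" ] || { echo "cannot read Defender service port" >&2; return 1; }

    # Locate the control-plane-to-node rule GKE created for this cluster.
    rule=$(gcloud compute firewall-rules list --project "$project" \
             --filter="name~^gke-${cluster}-.*-master\$" --format='value(name)')
    [ -n "$rule" ] || { echo "no gke-${cluster}-*-master rule found" >&2; return 1; }

    # Current allow list in the same "tcp:443,tcp:10250" form gcloud prints.
    current=$(gcloud compute firewall-rules describe "$rule" --project "$project" \
                --format='value(allowed[].map().firewall_rule().list())')
    merged=$(merge_allow "$current" "$port")
    if [ "$merged" = "$current" ]; then
        echo "$rule already allows tcp:$port"
    else
        # --allow replaces the whole list, hence the merge above.
        gcloud compute firewall-rules update "$rule" --project "$project" --allow "$merged"
    fi

    # Re-run the article's test: a privileged pod should now produce an
    # Admission Audit event in Console (Compute >> Events >> Admission Audit).
    kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    securityContext:
      privileged: true
EOF
}

# The live steps only run when a cluster name and project are supplied:
#   sh fix_gke_webhook.sh <cluster-name> <gcp-project>
if [ "$#" -eq 2 ]; then
    fix_master_rule "$1" "$2"
fi
```

Whether the test pod is admitted or rejected depends on the effect configured for the admission rule in Console; either way the Admission Audit event is what confirms the control plane can now reach the webhook.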
Additional Information
Please refer to this document for Open Policy Agent -
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/access_control/open_policy_agent.html