Issue with communication between containers after deploying OPA with my application on GKE

On the application side I have a function called myfunction, through which we can call OPA using its endpoint and OPAinput as the function parameters; the result comes back through the "function(context, data)" part. This is how I call the function:

    myfunction('http://localhost:8181/v1/data/play/policy', OPAinput, {
        onSuccess: function(context, data) {
            var permit = data.result.permit;
            Log.info('permit ' + permit);
            Log.info("Successfully posted data.");
        },
        onFail: function(context) {
            Log.info("Failed to post data");
        }
    });

When I tested this function by running OPA locally with the application, it worked fine. But now I have deployed OPA together with the application as a sidecar container on GKE, and when I try the same thing it doesn't work. It says:

"Cannot ... at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57) at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213)…"

These are the OPA logs:

    2020-06-26 15:38:22.000 IST {"level":"info","msg":"Initializing server.","insecure_addr":"","diagnostic-addrs":[],"addrs":[":8181"]}
    2020-06-26 16:24:52.000 IST {"msg":"Received request.","req_path":"/v1/data/play/policy","req_id":1,"level":"info","req_method":"POST","client_addr":"127.0.0.1:39530"}
    2020-06-26 16:24:52.000 IST {"resp_status":200,"level":"info","req_method":"POST","req_id":1,"client_addr":"127.0.0.1:39530","req_path":"/v1/data/play/policy","resp_bytes":2,"msg":"Sent response.","resp_duration":9.564696}


    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: rss-site
      namespace: myapp
    spec:
      replicas: 1
      minReadySeconds: 30
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
        type: RollingUpdate
      selector:
        matchLabels:
          deployment: myapp
          app: myapp
          pod: myapp
      template:
        metadata:
          labels:
            deployment: myapp
            app: myapp
            pod: myapp
        spec:
          serviceAccountName: "myappsvc-account"
          containers:
            - name: opa
              image: openpolicyagent/opa:latest
              ports:
                - name: http
                  containerPort: 8181
              args:
                - "run"
                - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
                - "--server"
                - "/policies"
              volumeMounts:
                - readOnly: true
                  mountPath: /policies
                  name: example-policy
            - name: myapp
              image: nickchase/myapp:v1
              ports:
                - containerPort: 9763
                  protocol: TCP
              volumeMounts:
                - name: myapp-server-conf
                  mountPath: /home/myapp/myapp-config-volume/repository/conf/deployment.toml
                  subPath: deployment.toml
          volumes:
            - name: myapp-server-conf
              configMap:
                name: myapp-server-conf
            - name: example-policy
              configMap:
                name: example-policy

Could you please help me to identify this issue :(


If it works locally but not in GKE, that means something is different. Since it returns an HTTP 200 response, the OPA container is probably running normally, but the policies, input or data differ from what you ran locally.

Try enabling the console decision logger with the OPA argument --set=decision_logs.console=true. This will show you, in OPA's log output, the input it received and the result it sent back. That should help guide the investigation.

I would also double-check that all policies and data have been loaded into OPA the same way as locally. Differences in directory paths would affect any loaded *.json/*.yaml files, and if any *.rego files are missing or otherwise different, that could affect the result too.
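As an added example, not from the thread, here is a small Python triage script over constructed log lines in the same shape as the OPA excerpt above: it pairs "Received request." with "Sent response." records by req_id and flags a 200 response whose body is 2 bytes, the size of `{}`, which OPA returns when nothing is defined at the queried data path (in which case a client reading `data.result.permit` finds `data.result` undefined). The req_id 2 line is constructed to show what a non-empty result looks like.

```python
import json
import re

# Constructed sample lines in the same shape as the OPA log excerpt in the question:
# a timestamp prefix, then one JSON object per line.
SAMPLE_LOG = """\
2020-06-26 15:38:22.000 IST {"level":"info","msg":"Initializing server.","addrs":[":8181"]}
2020-06-26 16:24:52.000 IST {"msg":"Received request.","req_path":"/v1/data/play/policy","req_id":1,"level":"info","req_method":"POST","client_addr":"127.0.0.1:39530"}
2020-06-26 16:24:52.000 IST {"resp_status":200,"level":"info","req_method":"POST","req_id":1,"client_addr":"127.0.0.1:39530","req_path":"/v1/data/play/policy","resp_bytes":2,"msg":"Sent response.","resp_duration":9.564696}
2020-06-26 16:25:10.000 IST {"msg":"Received request.","req_path":"/v1/data/play/policy","req_id":2,"level":"info","req_method":"POST","client_addr":"127.0.0.1:39531"}
2020-06-26 16:25:10.000 IST {"resp_status":200,"level":"info","req_method":"POST","req_id":2,"client_addr":"127.0.0.1:39531","req_path":"/v1/data/play/policy","resp_bytes":26,"msg":"Sent response.","resp_duration":1.2}
"""

# Body OPA sends for a data path with no document defined: an empty JSON object, two bytes.
EMPTY_RESULT_BYTES = len(b"{}")

# The JSON record runs from the first "{" to the end of the line.
JSON_RECORD = re.compile(r"\{.*\}\s*$")

def parse_lines(text):
    """Extract the JSON record from each log line, ignoring the timestamp prefix."""
    records = []
    for line in text.splitlines():
        m = JSON_RECORD.search(line)
        if m:
            records.append(json.loads(m.group(0)))
    return records

def triage(text):
    """Pair requests with responses by req_id and flag empty 200 responses.

    Returns a dict req_id -> finding ("ok" or a description of the problem)."""
    requests, findings = {}, {}
    for rec in parse_lines(text):
        rid = rec.get("req_id")
        if rec.get("msg") == "Received request.":
            requests[rid] = rec["req_path"]
        elif rec.get("msg") == "Sent response.":
            path = requests.get(rid, rec.get("req_path"))
            status = rec.get("resp_status", 200)
            if status == 200 and rec.get("resp_bytes") == EMPTY_RESULT_BYTES:
                findings[rid] = (f"empty result for {path}: no document defined at that path "
                                 f"(policy or data not loaded as expected)")
            elif status != 200:
                findings[rid] = f"HTTP {status} for {path}"
            else:
                findings[rid] = "ok"
    return findings

if __name__ == "__main__":
    for rid, finding in sorted(triage(SAMPLE_LOG).items()):
        print(f"req_id={rid}: {finding}")
```

Run it against `kubectl logs <pod> -c opa` output to find which requests got an empty result; with decision logging enabled as suggested above, the same log stream also carries the input OPA evaluated.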