Configure Open Policy Agent Authorization for Seldon Deploy

Authorization is an optional part of the platform which can be enabled or disabled based on your requirements.

Using namespace labels

Namespace labels can be used to authorize access to namespaced resources. For more details see the docs.

Setting Up Open Policy Agent authorization in Deploy

OPA authorization is experimental. To enable OPA authorization in Deploy the following values must be set in the Deploy Helm chart:

    rbac:
      opa:
        enabled: true
        configMap: seldon-deploy-policies # defaults to this; change only if you want to use another config map
        projectAuthEnabled: true # enable if you want to authorize project-based resources (models)

This will tell Deploy to load the OPA policies stored in the given rbac.opa.configMap and use them to authorize requests.

Some important considerations when enabling OPA authorization:

  • If the specified config map does not exist, Deploy will not start.

  • If the config map does not contain policies, authorization requests will default to denying access.
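A pre-flight check for the two failure modes above, to run before setting `rbac.opa.enabled`. This is an added example, not part of the Seldon Deploy documentation or tooling. It assumes `kubectl` is on the PATH, takes the Deploy namespace as an argument, and treats "no policies" as a config map with no data, or with only blank or empty-JSON values (an assumption, since the policy schema is described in the policy management guide, not here).

```python
import json
import subprocess
import sys

DEFAULT_CONFIGMAP = "seldon-deploy-policies"  # chart default named on this page
MESSAGES = {
    "missing": "config map not found: Deploy will not start with OPA enabled",
    "empty": "config map has no policies: every request will be denied",
    "has-content": "config map has policy content",
}


def fetch_configmap(namespace, name=DEFAULT_CONFIGMAP):
    """Return the ConfigMap as a dict, or None if the API server reports NotFound."""
    proc = subprocess.run(
        ["kubectl", "get", "configmap", name, "-n", namespace, "-o", "json"],
        capture_output=True, text=True)
    if proc.returncode == 0:
        return json.loads(proc.stdout)
    if "NotFound" in proc.stderr:
        return None
    raise RuntimeError(proc.stderr.strip())  # RBAC, network or other error


def classify_policy_configmap(cm):
    """Map a ConfigMap object (or None) to the outcome documented above."""
    if cm is None:
        return "missing"
    # Assumption: an entry counts as policy content if it is non-blank and,
    # when it parses as JSON, is not null or an empty object/array.
    for value in (cm.get("data") or {}).values():
        if not (value or "").strip():
            continue
        try:
            parsed = json.loads(value)
        except ValueError:
            return "has-content"  # non-JSON text; not inspected further
        if parsed not in ({}, [], None):
            return "has-content"
    return "empty"


if __name__ == "__main__":
    namespace = sys.argv[1]  # namespace Deploy is installed in (site-specific)
    name = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_CONFIGMAP
    state = classify_policy_configmap(fetch_configmap(namespace, name))
    print(f"{name}: {MESSAGES[state]}")
    sys.exit(0 if state == "has-content" else 1)
```

The non-zero exit status on `missing` or `empty` lets the check gate a Helm upgrade in a pipeline.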

For a detailed explanation of the schema of the policies, how to set up the config map, and how to migrate from namespace labels authorization to OPA authorization, follow the policy management guide.

Note: rbac.opa.projectAuthEnabled requires the Model Catalog to be enabled as well, since it authorizes resources in the catalog, or resources containing models (deployments). To enable it, follow the postgres setup guide.