# Enabling Deployment Firewall in Target Clusters

{% hint style="info" %}
This is an optional step.
{% endhint %}

This page describes how to install opa-mgmt, the deployment firewall, for Kubernetes deployments. For background on OPA, refer to the [OPA overview](https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/). Refer to [OPA Installation](https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/) for the steps to install OPA.

Follow the steps given below to configure OPA in the target environment.

### Extracting the Kubernetes Detector Secret

Kubernetes Detector can be installed in two different ways.

* Kubernetes detectors can be installed in the target cluster if the user downloads and installs the in-cluster file from the SSD.
* Kubernetes detectors can be installed where the SSD is hosted if the user downloads and installs the remote file from the SSD.

1. Use the command below to get the secret value.

```
kubectl -n <namespace> get secret kubedetector -o yaml
```

An example of secret value is shown below:

{% code overflow="wrap" %}

```
sai@opsmx-hyd-l-194:~$ kubectl -n <namespace> get secrets kubedetector -o yaml
apiVersion: v1
data:
  config.yaml: <base64-encoded config.yaml value>
kind: Secret
metadata:
  name: kubedetector-oescluster
  namespace: exceptions
type: Opaque
```

{% endcode %}

2. Decode the value of config.yaml with any base64 tool, for example:

```
echo <value of the config.yaml> | base64 -d
```

An example of decoded value is shown below:

{% code overflow="wrap" %}

```
token: eyJhbGciOiJSUzI1NiIsddddddddddddddJiODEtNDcyMy04MzM4LWIxMGVkOWQ1NGE2ZCIsInR5cCI6IkpXVCJ9.eyJptttttttttttttzc2Qub3BzbXguaW8iXSwiZXhwIjoxNzUsssssaaaaaaaaaaaaaaaJ0eXBlIjoic2VydmljZS1hY2NvdW50L3YxIiwib3JnSUQisssssssssssiwiaW5zdGFuY2UiOiIwNDU2NGVmNC1lY2U5LTQ2Y2ItOdddddddddddddGE4ZTgxOTllYjIifX0.UFY3E5It5Z9Bvx0SefffffffffffffffffffIuasXOWBTBRlX4ST-vjvu4rtYTtYtM_WtVq1q5nFHM3RFPOYqt4P5BMuvlWI5ddddddd4sSOBIwwmpVvBmRrWEdhFuT9mJYFxhT13MKkD27S95G4xxxxxxxxxxxxxwEDa4IpdYCtl573SQP2XwzxrfLGL9XcVFTTwemLLQNyEx0eJUcj7BigKS2zWdj5wOyUUMqoRcyHQwkuovuNQE9bWpfHuGzLYxyOLcC9eDiqYaWqRaLE1VsnyZ-c4q9PiMV82R6Y9q5X5CxYJ-EHY-1LFw
namespacesToAllow: #edit this to scan multiple namespaces
- default
```

{% endcode %}

3. Copy only the token value and keep it in a text editor; it is needed in the installation step below.

### Creating the Namespace

Create the namespace using the command given below:

```
kubectl create ns ssd-firewall
```

### Installation

1. Clone the repository below:

```
git clone https://github.com/opsmx/kube-mgmt.git
```

2. Change to the charts directory:

```
cd kube-mgmt/charts
```

3. Create a new file called **custom-values.yaml** and paste the content below into it.

{% code overflow="wrap" %}

```
# Update the SSD URL
ssdurl: <SSD.URL.COM>

## Update the Kubernetes Detector Secret Value
kubedetectorsecretvalue: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlssssddddxxxxxhIiwiaWF0IjoxNTE2MjM5MDIyfQ.-eaE5t4l6DQHh4NQK4S_DBlMGd9h3ksvZXv6ObG1otE
```

{% endcode %}

{% hint style="info" %}
In the above file, update the **SSD URL** and the **Kubernetes Detector Secret Token Value** (the token copied in the extraction step). Do not change the file name.
{% endhint %}

4. Once the installation is done, run the command below to update the namespace label.

{% code overflow="wrap" %}

```
kubectl label ns <Update the target cluster namespace to be used for deploying the pods> opsmx-ssd.com/webhook=ignore
```

{% endcode %}

Once this label is added, opa-mgmt allows or denies the pods being deployed into that namespace of the target cluster.

The namespace into which the end user deploys pods must be listed under `namespacesToAllow` in the kubernetes-detector secret.

5. In the UI, navigate to the Policies -> Artifact.
6. Select the **Critical Vulnerability Prevention** policy. In the **Actions** column, change the action from **Alert** to **Prevent** so that it blocks deployments with critical vulnerabilities.
7. Click **Save Changes**.

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2Fnnl9hsyK8IRhMnMr4qLr%2Fcritical%20policy%20.png?alt=media&#x26;token=a4960af8-c8f3-4619-9b62-df5bc447ae86" alt=""><figcaption></figcaption></figure>

On the next run, if you try to deploy any pods to the target namespace, the deployment firewall blocks those pods whenever a Prevent policy fails.
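The extraction steps above (decode `config.yaml`, pull out the token) and the requirement that the target namespace be listed under `namespacesToAllow` can be checked before labelling the namespace. The script below is an added example, not part of this documentation or of the kube-mgmt project: it works on a constructed base64 sample that mirrors the secret layout shown on this page, with a placeholder token rather than a real credential, so it runs offline. The function names, the `payments` namespace and the `example.ssd.local` URL are assumptions for illustration; against a live cluster the base64 input would come from `kubectl -n <namespace> get secret kubedetector -o jsonpath='{.data.config\.yaml}'`.

```shell
#!/usr/bin/env bash
# Added example (not OpsMx or kube-mgmt code): decode the kubedetector
# config.yaml, extract the token, verify a namespace is allowed, and
# write the custom-values.yaml the chart expects.
set -eu

# Constructed sample: base64 of a config.yaml shaped like the one on this
# page. The token is a placeholder, not a real credential.
SAMPLE_CONFIG_B64=$(printf '%s\n' \
  'token: PLACEHOLDER.TOKEN.VALUE' \
  'namespacesToAllow: #edit this to scan multiple namespaces' \
  '- default' \
  '- payments' | base64 | tr -d '\n')

# decode_config <base64> -> prints the decoded config.yaml (step 2 of the page)
decode_config() {
  printf '%s' "$1" | base64 -d
}

# extract_token <base64> -> prints only the token value (step 3 of the page)
extract_token() {
  decode_config "$1" | awk '$1 == "token:" { print $2; exit }'
}

# allowed_namespaces <base64> -> prints each entry under namespacesToAllow
allowed_namespaces() {
  decode_config "$1" | awk '
    /^namespacesToAllow:/ { in_list = 1; next }
    in_list && /^- /       { sub(/^- */, ""); print; next }
    in_list                { in_list = 0 }
  '
}

# namespace_allowed <base64> <namespace> -> exit 0 if listed, 1 otherwise.
# Run this before labelling a namespace with opsmx-ssd.com/webhook=ignore;
# a namespace missing from the list will not be evaluated by the firewall.
namespace_allowed() {
  allowed_namespaces "$1" | grep -qx -- "$2"
}

# write_custom_values <ssd-url> <token> <file> -> writes custom-values.yaml
# in the layout shown in the Installation section.
write_custom_values() {
  cat > "$3" <<EOF
# Update the SSD URL
ssdurl: $1

## Update the Kubernetes Detector Secret Value
kubedetectorsecretvalue: $2
EOF
}

# Stand-alone run over the constructed sample.
token=$(extract_token "$SAMPLE_CONFIG_B64")
echo "token: $token"
echo "allowed namespaces:"
allowed_namespaces "$SAMPLE_CONFIG_B64"
for ns in payments kube-system; do
  if namespace_allowed "$SAMPLE_CONFIG_B64" "$ns"; then
    echo "$ns: listed under namespacesToAllow, safe to label"
  else
    echo "$ns: NOT listed; add it to namespacesToAllow first"
  fi
done
out=$(mktemp)
write_custom_values example.ssd.local "$token" "$out"
echo "wrote $out"
```

The namespace check is the part worth keeping in a deployment pipeline: labelling a namespace that the detector does not scan gives the appearance of enforcement without any policy evaluation, so fail the rollout when `namespace_allowed` returns non-zero rather than proceeding to the label command.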
