Deploying PDP using raw Kubernetes YAMLs
In this example, we will show you how to deploy the Permit PDP on Kubernetes using raw YAMLs.
Resources included in this example:
- Deployment
- Service
- Secret
To deploy the PDP on Kubernetes, follow these steps:
- Download the YAML files from this directory.
- Replace the PDP_API_KEY value in the secret.yaml file with your API key.
- Create a new namespace for the PDP (you can choose which namespace you want).
kubectl create namespace permit-pdp
- Apply the YAML files - make sure you are in the directory that contains the YAML files.
kubectl apply -f .
- (Optional) Wait for the PDP to be ready.
kubectl wait --for=condition=available --timeout=600s deployment/permit-pdp -n permit-pdp
Once the PDP is ready, you can start sending authorization requests to it.
Interacting with the PDP
To interact with the PDP internally (from inside the cluster), you can use the service name permit-pdp.<Your Namespace>.svc.cluster.local.
To interact with the PDP externally (from outside the cluster), you must expose the service using a load balancer or an ingress of your choice.
Liveness, Readiness and Startup Probes
The PDP exposes several endpoints that can be used for liveness, readiness, and startup probes.
Liveness Probe
The liveness probe determines whether the PDP is alive and healthy, and whether it should be restarted if it is not. It returns a 200 status code if the PDP is alive and healthy. The liveness probe endpoint is /health.
An unhealthy PDP will return a 503 status code when the PDP failure rate exceeds the configured threshold.
You can configure the failure threshold using environment variables:
- PDP_OPA_CLIENT_FAILURE_THRESHOLD_PERCENTAGE: The failure threshold percentage for the Policy Engine healthcheck. The default value is 10%.
- PDP_OPA_CLIENT_FAILURE_THRESHOLD_INTERVAL: The interval (in seconds) to calculate the failure threshold. The default value is 60 seconds.
The default configuration will return a 503 status code if at least 10% of the requests made to the PDP in the last 60 seconds failed.
Readiness Probe
The readiness probe determines if the PDP is ready to receive traffic; it returns a 200 status code if the PDP is ready to receive traffic. The readiness probe endpoint is /healthy.
An unready PDP will return a 503 status code if the Policy Engine's latest policy update fails.
Startup Probe
The startup probe is used to determine if the PDP is ready to receive traffic on startup; it returns a 200 status code if the PDP has finished the startup and is ready to receive traffic. The startup probe endpoint is /ready.
A PDP will be considered ready and return 200 once the Policy Engine has finished loading the policy from the policy store (Git repository) successfully.
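The three endpoints above wired into a container spec, as an added example (not taken from the YAML files in this directory). The container port, the plain-number format of the threshold values, and all probe timing values are assumptions; keep the env entries your deployment already has, such as the API key from the Secret.

```yaml
# Added example: fragment to merge under spec.template.spec.containers of the
# permit-pdp Deployment. Port and timing values are assumptions; adjust them.
containers:
  - name: permit-pdp
    ports:
      - name: http
        containerPort: 7000        # assumption: port the PDP listens on
    env:
      # Thresholds that drive the 503 on /health (defaults stated on this page).
      # Assumption: values are passed as plain numbers.
      - name: PDP_OPA_CLIENT_FAILURE_THRESHOLD_PERCENTAGE
        value: "10"
      - name: PDP_OPA_CLIENT_FAILURE_THRESHOLD_INTERVAL
        value: "60"
    # Startup: /ready returns 200 once the policy has loaded from the policy
    # store. Liveness and readiness checks are held off until this succeeds.
    startupProbe:
      httpGet:
        path: /ready
        port: http
      periodSeconds: 5
      failureThreshold: 60         # allows up to 5 minutes for the first load
    # Liveness: /health returns 503 when the failure rate exceeds the threshold.
    # The kubelet restarts the container after 3 consecutive failures.
    livenessProbe:
      httpGet:
        path: /health
        port: http
      periodSeconds: 10
      failureThreshold: 3
    # Readiness: /healthy returns 503 when the latest policy update failed.
    # The pod is removed from the Service endpoints but is not restarted.
    readinessProbe:
      httpGet:
        path: /healthy
        port: http
      periodSeconds: 10
      failureThreshold: 1
```

With this readiness setup, a policy update that fails on every replica leaves the Service with no endpoints, so callers need a defined behavior for an unreachable PDP.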
Take a look at the following Deployments GitHub repository.