Deploying OPA on AWS EKS

docs/docs/deploy/aws/eks.mdx


:::tip This page contains details in addition to the base Kubernetes documentation for deploying OPA. Please see that page for details on how to deploy OPA on Kubernetes and return here for the EKS-specific notes. :::

Creating a Load Balancer for an OPA Cluster Service

If running OPA as a cluster service, you might be interested in exposing the service to the internet or to other, internal, off-cluster policy enforcement points (PEPs). Generally, OPA is invoked by PEP applications rather than by end-user clients, so a public IP is usually not required.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    # highlight-next-line
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```

:::warning If you are exposing an OPA service to the public internet, you are advised to make use of OPA's built-in authentication and authorization features unless OPA is running behind another service that provides these functions. :::

```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    # highlight-start
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    # highlight-end
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```

For more information, please see the EKS Network Load Balancer documentation.
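The warning above recommends OPA's built-in authentication and authorization for an internet-facing service. As an added example (not from the OPA documentation), the manifest below pairs the `app: opa` Service selector with a Deployment that starts OPA using `--authentication=token` and `--authorization=basic`, and a ConfigMap holding a minimal `system.authz` policy; the names `opa-authz` and `example`, the queried path `/v1/data/example/allow`, and the token value are assumptions.

```yaml
# Added example (not from the OPA docs): OPA started with token
# authentication and a system.authz policy. Names and the token are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-authz
data:
  authz.rego: |
    package system.authz
    import rego.v1
    default allow := false
    # With --authentication=token, input.identity is the bearer token
    # presented by the caller. Replace the placeholder with a real secret.
    pep_tokens := {"REPLACE_WITH_PEP_TOKEN"}

    # PEPs may only query the data API for the policy they need (assumed path).
    allow if {
      input.identity in pep_tokens
      input.method == "POST"
      input.path == ["v1", "data", "example", "allow"]
    }
    # NLB health checks carry no credentials; permit only the health endpoint.
    allow if {
      input.method == "GET"
      input.path == ["health"]
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest
          args: ["run", "--server", "--addr=0.0.0.0:8181",
                 "--authentication=token", "--authorization=basic",
                 "/policies/authz.rego"]
          volumeMounts:
            - {name: authz, mountPath: /policies}
      volumes:
        - name: authz
          configMap: {name: opa-authz}
```

With this in place, a request through the NLB without a valid bearer token is rejected with 401/403 by OPA itself, and only the `/health` endpoint remains reachable anonymously for the target group's health checks.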