Skip to content

lab-6-opa-envoy: bundle-sever deployment fails due to use of old Rego syntax #4

Open
Open
lab-6-opa-envoy: bundle-sever deployment fails due to use of old Rego syntax#4
@gnurugs

Description

@gnurugs
gnurugs
opened on Aug 7, 2025

Environment

  • OS/ version: Ubuntu 24.04.1 LTS
  • OPA version: 1.6.0

Description

This issue is raised for lab-6-opa-envoy. In this lab, bundle-server is deployed in the cluster to host OPA container that picks up the policy and external data, adds them to a bundle, and run a bundle server within the cluster for OPA to reach out to using kubectl apply -f config/bundle-server.yaml . This deployment fails as old Rego syntax is used in the bundle/policy.rego file.

Expected behaviour

pod/bundle-server condition met should be resulted for kubectl wait pods -n default -l app=bundle-server --for condition=Ready --timeout=120s

Actual behaviour

kubectl wait pods -n default -l app=bundle-server --for condition=Ready --timeout=120s

error: timed out waiting for the condition on pods/bundle-server

Detail investigation

  1. view status of bundle-server pod
kubectl get pods -n default -l app=bundle-server                                      
NAME                    READY   STATUS                  RESTARTS       AGE
bundle-server            0/1     Init:CrashLoopBackOff   7 (2m8s ago)   13m
  1. describe pod
kubectl describe pod bundle-server -n default
Init Containers:
  opa-builder:
    Container ID:  containerd://6845737548688f0c2f2a46cd48de3cf23c8f85d054d7039a1cbbacfb30f65bfe
    Image:         openpolicyagent/opa:latest
    Image ID:      docker.io/openpolicyagent/opa@sha256:e14c54bddfd680d051db44eab44d4b7ec96609a60d4359e04273b9a1457ce3c4
    Port:          <none>
    Host Port:     <none>
    Args:
      build
      --bundle
      /opt/policy/
      --output
      /opt/output/bundle.tar.gz
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Thu, 07 Aug 2025 11:32:48 +0100
      Finished:     Thu, 07 Aug 2025 11:32:48 +0100
    Ready:          False
    Restart Count:  7
    Environment:    <none>
    Mounts:
      /opt/output/ from index (rw)
      /opt/policy/authz from policy (rw)
      /opt/policy/user_data/data.json from data-bundle (rw,path="data.json")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-88p9j (ro)
  1. view logs for init container opa-builder
kubectl logs bundle-server -c opa-builder -n default
error: load error: bundle /opt/policy/: 8 errors occurred:
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:9: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:14: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:30: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:35: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:39: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:43: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:47: rego_parse_error: `if` keyword is required before rule body
/opt/policy/authz/..2025_08_07_10_21_47.82419995/policy.rego:53: rego_parse_error: `if` keyword is required before rule body

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions