Integrating Kubernetes with Styra DAS – Enforcing users to create pods in the default namespace.

In this article, you will learn how to enforce users to create pods by default Kubernetes namespace using OPA and Styra DAS.


  1. Styra-DAS Account (You can sign-up and create a free Styra DAS account here)
  2. Kubernetes cluster (You can create a Kubernetes cluster using K3D)

Steps for creating cluster:

  1. For creating a Kubernetes cluster in k3d, the required configuration at minimum is 2CPU and 4GiB of memory.
  2. Docker should be installed in the system.
  3. Install the latest release of K3D and kubectl.
wget -q -O - | bashsnap install kubectl --classic

4. Finally, creating a Kubernetes cluster with command.

k3d cluster create (name of the cluster)

Adding a Kubernetes System to Styra DAS:

To achieve this, we need to go through the below process.

  1. Create a Kubernetes system and install Styra CLI and the OPA config file in the machine.
  2. To install, we will find the steps in the DAS itself.
  3. Click on the Kubernetes system >> settings >> install.
  4. Use these commands to install Styra Agent on the system.
Installation commands for Kubernetes system

Define a policy:

For Kubernetes systems, you can start defining policies by selecting from built-in rules that you can configure and deploy.

The built-in rules enable you to implement common security recommendations with little or no configuration. If any configuration is required, the built-in rules provide simple parameters that you can customize to suit your organization and operational goals.

Configure the built-in rule:

  1. Under Systems in the left navigation panel, expand the system you added in Add a System.
  2. Expand Validating or Mutating, then select Rules.
  3. Click Add rule in the top section of the right pane.
  4. Select the Containers: Require Non-default Namespace
Policy for Validating


package policy["com.styra.kubernetes.validating"].rules.rulesenforce[decision] {
decision := {
"allowed": false,
"message": message

Validating the Policy:

Before you enforce the selected built-in rule, make sure to run some validation checks.

  1. Click Validate button in the top section of the right pane.
  2. Verify that the Tests column displays no tests. This column is empty because you are working with a built-in rule and have not written any custom unit tests for the rule.
  3. If you write a custom rule, you also write unit tests for that rule and check the results for running those tests before deploying your rule.
  4. Verify the results in the Compliance column to see if any resources in your current cluster violate the policy.
  5. Verify the results in the Decisions column to see a list of previous admission control decisions that may have changed if the current policy were enforced.

Create a namespace in Kubernetes cluster by running the below command:

kubectl create namespace sample

Create a new file named namespace.yaml in a text editor.

Copy and paste the following configuration settings into the namespace.yaml file:

apiVersion: v1
kind: Pod
name: mypod
namespace: default
name: mypod
- name: mypod
image: nginx

Save the file and close the text editor.

Apply the configuration from the namespace.yaml file by running the following command:

kubectl apply -f namespace.yaml

Now you can observe the error message as:

Error from server: error when creating "sample.yaml": admission webhook "" denied the request: Enforced: Resource Pod/default/mypod uses the default namespace.

And also you can observe the “Denied” message in the decision dashboard.


Now, change the namespace.yaml file to:

apiVersion: v1
kind: Pod
name: mypod
namespace: sample
name: mypod
- name: mypod
image: nginx

Now, apply the changes and run the below command:

kubectl apply -f namespace.yaml

Congratulations! Now you successfully created pod in sample namespace and enforced the user to creating pod in default namespace.


We have added a Kubernetes system in Styra DAS and installed the Styra agent in Kubernetes. And added the built-in rules and published the rules. We have created a namespace in the Kubernetes cluster and added a file named namespace.yaml and tried to create a pod in default namespace. But, it was denied and the Styra DAS agent enforced the users creating a pod in default namespace. So, that modified the namespace.yaml file and applied the changes. Now, the pod is created in the sample namespace defined in the namespace.yaml file. Also, we have observed the decisions in the decision dashboard whether it is Allowed or Denied.


  1. Styra Docs
  2. K3D
  3. Docker