Implementation Notes
These notes may be of use when trying to understand why things are implemented the way that they are, but should not be required reading for regular use.
OPA replica per Node
We run one OPA replica on each Node because we want to avoid network round trips for services making policy queries (these queries are often chained serially and block other work in the products).
We ensure local access via the Service's InternalTrafficPolicy (set to Local). This means that Pods accessing OPA via service discovery will be routed to the OPA Pod on the same Node, reducing request latency and network traffic. This feature is only activated per default in Kubernetes versions 1.22 or higher.
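The setup described above, written out as an added example (not the project's own manifests): a DaemonSet that places one OPA Pod per Node, and a Service with internalTrafficPolicy set to Local so that callers are only routed to the OPA on their own Node. The names, namespace, image tag and port are assumptions for illustration.

```yaml
# Added example, not from the project. Names, namespace, image and port are assumed.
apiVersion: apps/v1
kind: DaemonSet            # one OPA Pod per Node, so every Node has a local endpoint
metadata:
  name: opa
  namespace: policy
spec:
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:<pinned-version>   # placeholder: pin a version or digest
          args: ["run", "--server", "--addr=0.0.0.0:8181"]
          ports:
            - name: http
              containerPort: 8181
          readinessProbe:        # only ready Pods become Service endpoints
            httpGet:
              path: /health?bundles
              port: http
---
apiVersion: v1
kind: Service
metadata:
  name: opa
  namespace: policy
spec:
  selector:
    app: opa
  # Local: kube-proxy forwards only to endpoints on the caller's own Node.
  # The default (Cluster) would spread policy queries across all Nodes.
  # Caveat: with Local, if the Node has no ready OPA endpoint the traffic is
  # dropped rather than failed over, hence the DaemonSet and readinessProbe.
  internalTrafficPolicy: Local
  ports:
    - name: http
      port: 8181
      targetPort: http
```

Services then query OPA through the usual DNS name (opa.policy.svc in this example) and never leave the Node, which is why a failed or restarting local OPA surfaces as connection errors rather than slower cross-Node calls.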