Implementation Notes

These notes may be of use when trying to understand why things are implemented the way that they are, but should not be required reading for regular use.

OPA replica per Node

We run one OPA instance on every Node because services making policy queries should not pay a network round trip per query: those queries are often chained serially and block other tasks in the products, so every hop adds directly to request latency.

We ensure local access by creating the OPA Service with `internalTrafficPolicy: Local`. Pods that reach OPA through service discovery are then routed by kube-proxy to the OPA Pod on the same Node, which reduces request latency and network traffic. Note that `Local` has no fallback: if a Node has no ready OPA endpoint (for example during a rollout), kube-proxy drops the traffic instead of sending it to another Node. The field is enabled by default only in Kubernetes versions 1.22 or higher.
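The Service manifest below is an added example of the setting described above, not the operator's own output; the Service name, selector label and port are assumed for the illustration (8181 is OPA's default listen port). The commented-out `Cluster` line is the default that the operator replaces with `Local`.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: opa                        # assumed name for this example
spec:
  selector:
    app.kubernetes.io/name: opa    # assumed label; must match the OPA DaemonSet Pods
  ports:
    - name: http
      port: 8181
      targetPort: 8181
  # internalTrafficPolicy: Cluster  # default: a query may land on an OPA Pod on any Node
  internalTrafficPolicy: Local      # only endpoints on the client's own Node are used;
                                    # if none is ready there, kube-proxy drops the request
```

To confirm what a running cluster actually applied, read the field back with `kubectl get svc opa -o jsonpath='{.spec.internalTrafficPolicy}'`; on clusters older than 1.22 the field is silently dropped unless the ServiceInternalTrafficPolicy feature gate is enabled, so an empty result means queries are being load-balanced across Nodes.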

OPA Bundle Builder

Each OPA Pod runs a container that watches for ConfigMap objects labeled `opa.stackable.tech/bundle`. All such ConfigMaps are bundled together into a single `bundle.tar.gz` file that is served to the colocated OPA container.
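The following Python script is an added illustration of the bundle builder's job, not the Stackable bundle builder's own code: it turns the data keys of every labeled ConfigMap into an OPA bundle (`bundle.tar.gz` with a `.manifest`) and serves it to a colocated OPA over loopback, answering OPA's ETag-based polls with 304 when nothing changed. The sample ConfigMaps are constructed inline, and the listen port (3030), the resource path (`/opa/bundle.tar.gz`) and the decision to reject key-name collisions between ConfigMaps are assumptions of this example, not documented behaviour of the operator.

```python
"""Build an OPA bundle from labeled ConfigMaps and serve it on localhost.

Added example, not the Stackable bundle builder's own implementation.
"""
import hashlib
import io
import json
import re
import tarfile
from http.server import BaseHTTPRequestHandler, HTTPServer

BUNDLE_LABEL = "opa.stackable.tech/bundle"
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")  # the key charset Kubernetes permits

# Constructed sample ConfigMaps (only the fields used here), not from a real cluster.
SAMPLE_CONFIGMAPS = [
    {
        "metadata": {"name": "hdfs-policies", "labels": {BUNDLE_LABEL: "true"}},
        "data": {"hdfs.rego": 'package hdfs\n\ndefault allow = false\n\nallow { input.user == "admin" }\n'},
    },
    {
        "metadata": {"name": "trino-policies", "labels": {BUNDLE_LABEL: "true"}},
        "data": {
            "trino.rego": "package trino\n\ndefault allow = false\n",
            "data.json": '{"trino": {"admins": ["alice"]}}',
        },
    },
    {   # not labeled, so it must not end up in the bundle
        "metadata": {"name": "unrelated", "labels": {}},
        "data": {"notes.txt": "not a policy"},
    },
]


def is_bundle_configmap(cm):
    labels = cm.get("metadata", {}).get("labels") or {}
    return BUNDLE_LABEL in labels


def build_bundle(configmaps, revision="0"):
    """Return bundle.tar.gz bytes holding every data key of every labeled ConfigMap.

    Keys are written flat at the tarball root, so OPA loads data.json at the data
    root and .rego files by their package. Two labeled ConfigMaps carrying the same
    key would silently overwrite each other, so that case is rejected (assumption
    of this example, not documented operator behaviour).
    """
    seen = {}  # key name -> ConfigMap that contributed it
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, content):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        for cm in configmaps:
            if not is_bundle_configmap(cm):
                continue
            name = cm["metadata"]["name"]
            for key, value in sorted((cm.get("data") or {}).items()):
                if not KEY_RE.match(key):
                    raise ValueError(f"illegal key {key!r} in ConfigMap {name}")
                if key in seen:
                    raise ValueError(f"key {key!r} in ConfigMap {name} collides with ConfigMap {seen[key]}")
                seen[key] = name
                add(key, value.encode())
        # OPA reads the revision from .manifest and reports it in its status API.
        add(".manifest", json.dumps({"revision": revision}).encode())
    return buf.getvalue()


def list_bundle(bundle):
    """Sorted member names of a bundle, for verification."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def bundle_etag(bundle):
    return hashlib.sha256(bundle).hexdigest()


class BundleHandler(BaseHTTPRequestHandler):
    bundle = b""  # set by serve_bundle()

    def do_GET(self):
        if self.path != "/opa/bundle.tar.gz":  # assumed resource path
            self.send_error(404)
            return
        etag = bundle_etag(self.bundle)
        if self.headers.get("If-None-Match") == etag:
            self.send_response(304)  # OPA polled, nothing changed
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/gzip")
        self.send_header("ETag", etag)
        self.send_header("Content-Length", str(len(self.bundle)))
        self.end_headers()
        self.wfile.write(self.bundle)


def serve_bundle(bundle, port=3030):
    """Bind to loopback only: the colocated OPA container shares the Pod's network namespace."""
    BundleHandler.bundle = bundle
    HTTPServer(("127.0.0.1", port), BundleHandler).serve_forever()


if __name__ == "__main__":
    serve_bundle(build_bundle(SAMPLE_CONFIGMAPS, revision="demo"))
```

The OPA side would point a `services` entry at `http://localhost:3030` and a `bundles` entry at resource `opa/bundle.tar.gz` with a short polling interval; those values are assumptions matching the example server, not the operator's configuration. Binding to 127.0.0.1 matters: the bundle contains the full authorization policy, and only the OPA container in the same Pod needs to read it.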