Stackable Operator for OPA (OpenPolicyAgent)
The Getting started guide walks you through installing the Operator and setting up OPA. You will also create your first Rego rule and query OPA for a policy decision.
The OpaCluster custom resource is used to declare OPA instances. Only one role is defined: server. OPA is deployed as a DaemonSet because policy decisions must be fast and efficient: an OPA agent runs on every Node, which keeps latency low and avoids cross-node network calls for each decision. A DaemonSet with its own ConfigMap is created for every role group, and the DaemonSet then deploys a Pod on every Node. Every role group also gets its own Service definition.
Rego rules are defined in ConfigMaps that carry the label opa.stackable.tech/bundle: "true". Every OPA Pod has a sidecar bundle-builder container that collects these ConfigMaps and builds them into a policy bundle. This ensures that policies can be updated on the fly.
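As an added example (not from the page or the Stackable project), here is what such a labelled ConfigMap looks like with a small deny-by-default Rego policy inside it. The ConfigMap name, namespace, the allow.rego data key and the policy contents are assumptions; only the label is taken from the page.

```yaml
# Added example, not Stackable's own code: a ConfigMap that the
# bundle-builder sidecar picks up because of the
# opa.stackable.tech/bundle label. Name, namespace, data key and
# policy are assumptions for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-demo-policy
  namespace: default
  labels:
    opa.stackable.tech/bundle: "true"   # marks this ConfigMap for the bundle
data:
  allow.rego: |
    package demo

    import rego.v1

    # Deny by default: an undefined or failed decision never grants access.
    default allow := false

    # Admins may perform any action.
    allow if {
      input.user.role == "admin"
    }

    # Everyone else may only read resources they own.
    allow if {
      input.method == "GET"
      input.resource.owner == input.user.name
    }
```

Once the bundle has been rebuilt, a decision for this policy is available through the OPA API at the path /v1/data/demo/allow, with the request attributes sent as the input document of a POST body.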
The Operator also creates a service discovery ConfigMap for the OPA instance. The discovery ConfigMap contains the URL of the OPA API.