Stackable Operator for OPA (OpenPolicyAgent)

The Getting started guide will guide you through the installation of the operator and setting up OPA. You will also create your first Rego rule and query the OPA for a policy decision.

The OpaCluster custom resource is used to declare OPA instances, only one role is defined: server. OPA is deployed as a DaemonSet because policy decisions must be fast and efficient. Therefore, an OPA agent must be available on every Node to reduce latency and network calls. A DaemonSet with its own ConfigMap is created for every role group. The DaemonSet will then deploy a Pod on every node. Every role group also gets its own Service definition.

Rego rules are defined in ConfigMaps, which are labeled with the opa.stackable.tech/bundle: "true" label. Every OPA Pod has a sidecar bundle-builder container that collects these ConfigMaps and builds them into a policy bundle. This ensures that policies can be updated on-the-fly.

The operator also creates a service discovery ConfigMap for the OPA instance. The discovery ConfigMap contains the URL of the OPA API.

OPA and the Stackable operator for OPA do not have any dependencies.

Currently the following products on the Stackable Data Platform support policy decisions with OPA:

The Stackable operator for OPA currently supports the OPA versions listed below. To use a specific OPA version in your OpaCluster, you have to specify an image - this is explained in the Product image selection documentation. The operator also supports running images from a custom registry or running entirely customized images; both of these cases are explained under Product image selection as well.