Stackable Operator for OPA (OpenPolicyAgent)

The Stackable Operator for the OpenPolicyAgent (OPA) manages OPA instances. OPA is an open-source policy engine that allows you to define, manage and enforce policies across a number of software systems. OPA promotes "policy-as-code"; policies are defined in the declarative Rego language.

Getting started

The Getting started guide walks you through installing the Operator and setting up OPA. You will also create your first Rego rule and query OPA for a policy decision.

Operator model

The OpaCluster custom resource is used to declare OPA instances; only one role is defined: server. OPA is deployed as a DaemonSet because policy decisions must be fast and efficient, so an OPA agent is available on every Node, which reduces latency and network calls. A DaemonSet with its own ConfigMap is created for every role group, and that DaemonSet deploys a Pod on every node. Every role group also gets its own Service definition.

A diagram depicting the Kubernetes resources created by the Stackable Operator for OPA

Rego rules are defined in ConfigMaps, which are labeled with the opa.stackable.tech/bundle: "true" label. Every OPA Pod has a sidecar bundle-builder container that collects these ConfigMaps and builds them into a policy bundle. This ensures that policies can be updated on-the-fly.

The Operator also creates a service discovery ConfigMap for the OPA instance. The discovery ConfigMap contains the URL of the OPA API.
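As an added example (not taken from the operator's own documentation), the manifests below show the two pieces described above together: an OpaCluster with a single server role group, and a ConfigMap carrying one Rego policy that the bundle-builder sidecar collects because of its opa.stackable.tech/bundle label. The spec field names under OpaCluster, the resource names, the data key and the policy contents are assumptions; check the CRD reference for the version you deploy.

```yaml
# Constructed example: one OpaCluster plus one bundle ConfigMap.
# Everything below "spec:" follows the operator's CRD conventions as an
# assumption; verify field names against the CRD of your operator version.
---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
  name: simple-opa
spec:
  image:
    productVersion: 0.61.0   # one of the versions listed on this page
  servers:
    roleGroups:
      default: {}            # one DaemonSet, ConfigMap and Service per role group
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: simple-rego-rule
  labels:
    opa.stackable.tech/bundle: "true"   # required for the sidecar to pick it up
data:
  test.rego: |
    package test

    import rego.v1   # enables the "if" and "in" keywords on OPA 0.59+

    # Default deny: the decision is "allow" only when a rule below proves it,
    # so a malformed or unexpected input never falls through to "allow".
    default allow := false

    # Permit read-only requests from callers in the "readers" group.
    allow if {
      input.method == "GET"
      "readers" in input.user.groups
    }
```

Once both objects are applied, the decision is exposed by the OPA REST API under the path /v1/data/test/allow relative to the URL published in the discovery ConfigMap; updating the ConfigMap's Rego content rebuilds the bundle without restarting the Pods.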

Dependencies

OPA and the Stackable Operator for OPA do not have any dependencies.

Supported products

Currently the following products on the Stackable Data Platform support policy decisions with OPA:

Supported versions

The Stackable Operator for OPA currently supports the following versions of OPA:

  • 0.61.0

  • 0.57.0 (deprecated)