These notes may be of use when trying to understand why things are implemented the way that they are, but should not be required reading for regular use.
OPA replica per Node
We run an OPA instance on each node because we want to avoid network round trips for services making policy queries; those queries are often chained serially and block other tasks in the products, so every hop of latency is paid many times per request.
We ensure local access by setting internalTrafficPolicy: Local on the OPA Service. This means that Pods accessing OPA via the Service are routed to the OPA Pod on the same Node, which reduces request latency and cross-node network traffic. The ServiceInternalTrafficPolicy feature is only enabled by default in Kubernetes 1.22 or higher (it went GA in 1.26). One caveat to keep in mind: with a Local policy there is no fallback to remote endpoints, so if the OPA Pod on a Node is not ready, queries from that Node's Pods are dropped rather than served by another Node. The OPA Pods therefore need a meaningful readiness probe, and clients should fail closed and surface the error rather than retrying indefinitely.
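As an added illustration of the setup described above (these are not the project's own manifests), the following runs one OPA per Node as a DaemonSet and exposes it through a Service with internalTrafficPolicy: Local. The namespace, resource names, image tag, port number and probe path are assumptions chosen for the example; adapt them to your deployment.

```yaml
# Added example, not the project's manifests. Namespace, names, image tag
# and port are assumptions.
apiVersion: apps/v1
kind: DaemonSet                      # one OPA Pod on every Node
metadata:
  name: opa
  namespace: policy
spec:
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest   # pin a digest in production
          args:
            - "run"
            - "--server"
            - "--addr=0.0.0.0:8181"
          ports:
            - name: http
              containerPort: 8181
          # With internalTrafficPolicy: Local there is no remote fallback,
          # so readiness must reflect whether OPA can actually answer.
          readinessProbe:
            httpGet:
              path: /health
              port: http
            periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: opa
  namespace: policy
spec:
  selector:
    app: opa
  # Route in-cluster clients only to the OPA endpoint on their own Node.
  # Requires ServiceInternalTrafficPolicy (on by default since 1.22).
  internalTrafficPolicy: Local
  ports:
    - name: http
      port: 8181
      targetPort: http
```

To confirm the policy took effect on a given cluster, `kubectl get svc opa -n policy -o jsonpath='{.spec.internalTrafficPolicy}'` should print `Local`; on a cluster where the feature gate is off the field is silently dropped and the Service falls back to cluster-wide routing, which is the check worth automating after an upgrade or a move to a different distribution.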