Stackable Operator for OPA (OpenPolicyAgent)
The Stackable operator for the OpenPolicyAgent (OPA) manages OPA instances. OPA is an open-source policy engine that allows you to define, manage and enforce policies across a number of software systems. OPA promotes "policy-as-code"; policies are defined in the declarative Rego language.
Getting started
The Getting started guide will guide you through the installation of the operator and setting up OPA. You will also create your first Rego rule and query the OPA for a policy decision.
Operator model
The OpaCluster custom resource is used to declare OPA instances, only one role is defined: server
.
OPA is deployed as a DaemonSet because policy decisions must be fast and efficient.
Therefore, an OPA agent must be available on every Node to reduce latency and network calls.
A DaemonSet with its own ConfigMap is created for every role group.
The DaemonSet will then deploy a Pod on every node.
Every role group also gets its own Service definition.
Rego rules are defined in ConfigMaps, which are labeled with the opa.stackable.tech/bundle: "true"
label.
Every OPA Pod has a sidecar bundle-builder
container that collects these ConfigMaps and builds them into a policy bundle.
This ensures that policies can be updated on-the-fly.
The operator also creates a service discovery ConfigMap for the OPA instance. The discovery ConfigMap contains the URL of the OPA API.
Supported products
Currently the following products on the Stackable Data Platform support policy decisions with OPA:
Supported versions
The Stackable operator for OPA currently supports the OPA versions listed below. To use a specific OPA version in your OpaCluster, you have to specify an image - this is explained in the Product image selection documentation. The operator also supports running images from a custom registry or running entirely customized images; both of these cases are explained under Product image selection as well.
-
0.67.1
-
0.66.0 (deprecated)
Useful links
-
The opa-operator GitHub repository
-
The operator feature overview in the feature tracker
-
The OpaCluster CRD documentation