Question: opa-envoy-plugin - Istio Version 1.7? #2734
Comments
I believe so, although I don't see where we document compatibility for the plugin. @ashutosh-narkar can you confirm?
Keep in mind that the envoy plugin is a pretty thin wrapper around OPA, for the majority of usage any of the OPA docs/blogs/etc are relevant. Generally when users need help or have questions the best venue is on Github or the OPA community slack. There are also companies which offer commercial support for OPA https://www.openpolicyagent.org/support
Yes. The project is maintained by the OPA team, and receives updates as needed. |
Yes it does. It supports Istio v1.5.0 or later. |
|
Thanks for the responses. @ashutosh-narkar @patrick-east We have the following business cases. Can we use the plugin approach for either or both?
|
Yes it will work for this use-case. Whenever Envoy gets a request, it will call OPA for an authz decision.
Is the idea here to inject a |
Yes. So the sidecar deployment would not work here correct? Is there another plugin to ease the process of deploying OPA as a mutating admission controller? |
|
These are 2 different use-cases: 1) OPA as a mutating admission controller to inject a field in the Pod spec and 2) opa-envoy-plugin to make authorization decisions in the request path. For 1) See this tutorial for how you can use OPA as an admission controller. See this example for a reference to use OPA as a mutating admission controller. For 2) Your application pods will include an OPA sidecar along with an Envoy sidecar. When Envoy receives API requests destined for your microservice, it checks with OPA to decide if the request should be allowed. Evaluating policies locally with Envoy will be beneficial from a performance perspective and introduce low latency in the request path. |
If we don't want to use the plugin for opa sidecar, is there an alternative if we want to do ext authz? Is the plugin stable for production? |
|
Yes we release new versions of the |
|
What are the major differences between the 2 solutions below? Can either solution be used for running opa as a sidecar? |
Both the above solutions use the If you're using Istio use 2) and if you are using vanilla Envoy use 1). Both use Envoy's external authorization filter and |
|
Thanks for the explanation. Is there any legitimate use case for using #2 with Istio? |
|
The |
|
I got it backwards. My previous question was supposed to be this: is there any legitimate reason to use #1 with Istio. To me, that would not make sense because essentially we'll have 2 envoys since Istio already have 1 envoy. I'm trying to convince someone that this is an anti-pattern but want to be sure my understanding is correct. Please confirm. |
Why would we have two Envoys ? Remember the
Istio Proxy (aka |
|
|
Looks like the questsions are all answered, going to close this issue for now. Feel free to re-open if more info is needed 😄 |
Our team is contemplating on whether to deploy OPA as a plugin or standalone.
Link to plugin: https://github.com/open-policy-agent/opa-envoy-plugin
Clearly, the plugin has many benefits over the standalone deployment, such as:
Performance
scales with service as the plugin is deployed as a sidecar
avoid network hop
Security
Here are our concerns:
Any insights into these concerns would be highly appreciated.
The text was updated successfully, but these errors were encountered: