Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multiple configurations within a namespace #653

Open
tsjnsn opened this issue Aug 29, 2019 · 9 comments
Open

Support multiple configurations within a namespace #653

tsjnsn opened this issue Aug 29, 2019 · 9 comments

Comments

@tsjnsn
Copy link

tsjnsn commented Aug 29, 2019

Expected Behavior

OPA istio plugin should support multiple policies & configs in a single namespace.

Actual Behavior

For the quickstart at least (policy via configmap), a single "opa-policy" configmap is configured for the whole namespace, and all pods in that namespace use that one for configuring OPA. If using bundles, the URL is stored in the config with no way to configure it per pod.

Ideally, there would be some support for one of these mechanisms:

  • Annotation on the pod template to choose the configmap or bundle URL
  • CRD for OPA policies/configs which gets applied to pods matching a label selector
@tsandall
Copy link
Member

tsandall commented Aug 29, 2019
edited
Loading

Documenting how to deploy multiple OPAs inside the same namespace with different configs and/or policies would be useful. Documenting how to automate that kind of deployment would also be good.

It's not immediately clear where these docs should live on openpolicyagent.org. We have some re-organization happening that might help with this open-policy-agent/opa#1687

@viditganpi
Copy link

Is there any update on how to do this?

@ashutosh-narkar
Copy link
Member

Are you using the plugin with Istio ? I haven't tried this out but we could configure OPA to use a Discovery bundle and then inside that use an environment variable that particular instance of OPA was started with to select the appropriate bundle. To pass an environment variable in the OPA configmap is something I'm not yet sure how to easily achieve in the existing manifest.

@viditganpi
Copy link

My use case is having a different policy set on the OPA sidecar for different application pods, not sure if that is a possiblity

@ashutosh-narkar
Copy link
Member

You can do that using OPA's Discovery feature. We'll have to pass an environment variable in the manifest and have OPA use that to decide the policy bundle to use for a particular OPA instance. How to do the former is something that will need to be tried out.

@stale
Copy link

stale bot commented Nov 22, 2021

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

1 similar comment
@stale
Copy link

stale bot commented Dec 22, 2021

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

@prashantthorat001
Copy link

did anyone tried above mentioned approach? Please share reference document link if any

@stale
Copy link

stale bot commented Dec 24, 2022

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

@anderseknert anderseknert transferred this issue from open-policy-agent/opa Jan 20, 2025
@srenatus srenatus changed the title Support multiple configurations within a namespace (opa-istio-plugin) Support multiple configurations within a namespace Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tsandall @tsjnsn @ashutosh-narkar @viditganpi @prashantthorat001