Sharing Policies Across Multiple Pods

[jledesma84]

Hi Everyone,

I've recently started exploring Open Policy Agent (OPA) and its integration with Trino. I'm planning to deploy OPA on Amazon EKS and expect to run a service with two or more pods running OPA. My goal is to manage policies through OPA's API, allowing for dynamic creation and updates, rather than handling policies through static files.

My main question is: Can multiple OPA pods share the same policies? If my Kubernetes service needs to be restarted, will the newly created service with its pods still be able to use the existing policies? Is the use case/setup that I mentioned feasible?

I'd appreciate any insights or advice on this matter.

Thanks in advance!

[ashutosh-narkar]

My goal is to manage policies through OPA's API, allowing for dynamic creation and updates, rather than handling policies through static files.

Any specific reason to use OPA's API to manage policies? I would recommend checking out OPA's bundle feature for policy and data distribution. Basically you can upload your bundles to S3 for example and then point your OPAs to it.

Can multiple OPA pods share the same policies?

If you use the bundle approach you can configure OPA to periodically pull down bundles from the same S3 bucket for instance.

If my Kubernetes service needs to be restarted, will the newly created service with its pods still be able to use the existing policies?

If OPA restarts it will again pull down the bundles. You also have the option to persist bundles to disk if the bundle server is not reachable.