
CONCEPT Cited by 1 source

Embedded OPA library in proxy

Definition

Running Open Policy Agent as a library inside the ingress / proxy process, rather than as a sidecar, an external deployment, or a separate HTTP service. The policy engine, its bundle loader, its decision cache, and its status / decision-log emitters all share the proxy's address space.

Why the shape matters

  • Zero network hop on the hot path. Policy decisions never leave the process; the ingress already handles every request and is the natural place to evaluate authorization against the incoming HTTP payload.
  • No separate deployment. One process to operate, one set of replicas to scale, one memory / CPU footprint to budget.
  • No sidecar inflation. On clusters with N applications, this avoids the "N OPA sidecars" or "N OPA deployments" cost tax.
  • Inherits the proxy's lifecycle guarantees — routing table hot-reload semantics, graceful drain on shutdown, fleet-wide config distribution.

The cost-of-embedding surface

Because OPA is in-process, its OOM fate is the proxy's OOM fate. Every unbounded in-memory path becomes a data-plane incident:

  • Policy bundles can grow arbitrarily large → enforce bundle size limits.
  • Request-body parsing for advanced policies (JSON body predicates, etc.) can allocate per-request → cap parse size.
  • Decision logs / status logs are typically streamed to the control plane → bound the buffer; drop or downsample on pressure.

All three are discussed in the Zalando post as patterns/bounded-telemetry-data-structures-for-policy-engine.
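
Two of these bounds, the request-body parse cap and the drop-on-pressure decision-log buffer, sketched in Go as an added example; this is not code from Skipper, OPA, or the Zalando post. `ParseBodyCapped`, `DecisionLog`, `ErrBodyTooLarge` and the limits used are hypothetical names and values, and the inputs in `main` are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync/atomic"
)

var ErrBodyTooLarge = errors.New("request body exceeds policy parse cap")

// ParseBodyCapped (hypothetical) bounds per-request allocation before JSON decoding.
func ParseBodyCapped(r io.Reader, limit int64) (map[string]interface{}, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1)) // +1 byte detects overflow
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrBodyTooLarge // reject; never evaluate a truncated body
	}
	var doc map[string]interface{}
	err = json.Unmarshal(buf, &doc)
	return doc, err
}

// DecisionLog (hypothetical) is a fixed-capacity buffer of entries awaiting upload.
type DecisionLog struct {
	queue   chan string
	dropped atomic.Int64 // entries discarded under pressure; export as a metric
}

// Emit never blocks the request path: a full buffer drops the entry and counts it.
func (d *DecisionLog) Emit(entry string) {
	select {
	case d.queue <- entry:
	default:
		d.dropped.Add(1)
	}
}

func main() { // constructed inputs: 27-byte body vs 16-byte cap; 5 entries vs 2 slots
	_, err := ParseBodyCapped(strings.NewReader(`{"items":[1,2,3,4,5,6,7,8]}`), 16)
	dl := &DecisionLog{queue: make(chan string, 2)}
	for i := 0; i < 5; i++ {
		dl.Emit(fmt.Sprintf("decision-%d", i))
	}
	fmt.Println(err, dl.dropped.Load())
}
```

Whether a request whose body exceeds the cap is denied or evaluated without body predicates is a policy decision the caller has to make explicitly; the helper only guarantees that the oversized body is never parsed.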

Contrast with the Envoy OPA plugin shape

The vanilla Envoy OPA plugin typically deploys one OPA process per application as a sidecar or external service, reached via an ext_authz gRPC call. Embedding inside the proxy collapses this into zero-hop, zero-sidecar, one-process-per-ingress-replica.

Seen in

  • sources/2024-12-05-zalando-open-policy-agent-in-skipper-ingress — Zalando's canonical embedding. "Embedding OPA directly within Skipper as a library ensures minimal latency in policy enforcement by keeping policy decisions local to the ingress data plane. It also is cost efficient compared to running an OPA deployment per application or as sidecars." Paired with virtual instances so a single Skipper process hosts many logical tenants.