Re: RFC: OPA is up for Annual Review + Incubation Request


Li, Xiang
 

Thanks Brendan for the information. I took a look at the project this week, and agree with most of the feedback the Azure engineers provided.

Since you mentioned the gatekeeper project, do you know if it is part of OPA (the sandbox project) or a separate project?

I took a look at the OPA Kubernetes example (https://www.openpolicyagent.org/docs/kubernetes-admission-control.html), and found some potential issues:
1. It requires caching Kubernetes resources in the OPA agent, which can be pretty expensive. Is there a cheaper way to do it? Can the agent obtain the base JSON data on demand?
2. The policy agent runs on the eventually consistent cache. This might cause a wrong evaluation if a previous change has not yet propagated back.
