Re: RFC: OPA is up for Annual Review + Incubation Request


Chris Aniszczyk
 

re: gatekeeper, it was moved into OPA a couple months ago: https://github.com/open-policy-agent/gatekeeper + history: https://github.com/open-policy-agent/opa/issues/1093


On Thu, Mar 7, 2019 at 11:12 AM "Li, Xiang" <x.li@...> wrote:
Thanks Brendan for the information. I took a look at the project this week, and agree with most of the feedback the Azure engineers provided.

Since you mentioned the gatekeeper project, do you know if it is part of OPA (the sandbox project) or a separate project?

I took a look at the OPA Kubernetes example (https://www.openpolicyagent.org/docs/kubernetes-admission-control.html), and found some potential issues:
1. It requires caching Kubernetes resources in the OPA agent, which can be pretty expensive. Is there a cheaper way to do it? Can the agent obtain the base JSON data on demand?
2. The policy agent runs on the eventually consistent cache. This might cause a wrong evaluation if a previous change has not yet propagated back.



--
Chris Aniszczyk (@cra) | +1-512-961-6719
