In this section we will compare the pros and cons of using OPA-SDK vs OPA Side car
OPA-SDK
In this case, OPA PDP engine will directly call OPA-SDK go functions for deploying and un deploying policies. OPA-SDK will run within the process space as OPA-PDP container.
OPA-Side Car
In this case, OPA policy Engine will be run a separate side Car in OPA-PDP Pod.
OPA-PDP will act as router, it will call appropriate API’s of OPA Policy Engine for deploying/Un deploying policies and updating data.
...
OPA-SDK | OPA- Sidecar | |
|---|---|---|
Integration Method with OPA-PDP | Go Lib | Rest API |
Communication | Go Lib functions in Same OS process | Rest API invocation |
Security | No Need | Must secure API ( calls routed via OPA-PDP) |
Code Impact | need to implement required functionality | Available out of box, OPA-PDP need to call the required Rest API”s for policy deployment/un-deployment |
Upgrade | Any change in SDK needs to be implemented | OPA container can be upgraded using new opa image |
Configuration: 20 min 10 users Performance metrics results for S3p tests conducted with POC code | ||
Avg Decision throughput | 273 req/sec | 156 req/sec |
Avg Latency of decision req | 4.5 milli seconds | 9 milli seconds |
Errors | 0 | 0.3% connectivity Errors |
Based on the tests, it was observed that using a OPA-Side car would cause some delay due to REST API invocation from OPA-PDP towards side car. However in case of OPA-SDK, this delay was not observed. Also, few connectivity errors were observed with OPA Side car and the through put was also reduced. Hence due to latency and through put reasons it was decided to go ahead with OPA-SDK integration within OPA-PDP.