kube-mgmt with istio as opa side car about kube-mgmt HOT 5 CLOSED

@ajoysinha can you elaborate on your use-case ? What role would kube-mgmt play ? Are you looking into distributing policy and data to the OPA sidecars ?

from kube-mgmt.

I am trying to update OPA with changed policy deployed in cluster. please note my policy is deployed as config map. [ not as bundle ]. I want to update / reflect changed policy in OPA as soon as i am updating the config map. I was planning to use kube-mgmt for the same.. Do not have cleat idea how to achieve it.

from kube-mgmt.

You would need some sidecar that's watching config map changes and then pushes them to OPA via OPA's REST API. There maybe parts of the kube-mgmt code that could be used for this. I would recommend using bundles for this though.

from kube-mgmt.

I will also prefer to use bundle for the same .. [ in fact i have implement it successfully ] but the only issue i find with bundle it is a pull mechanism, rather than push mechanism.

Any suggestion how i can implement the same using push mechanism.

from kube-mgmt.

Bundles are as you mentioned a pull mechanism. OPA does allow you to adjust the polling frequency and fwiw we have an open issue for faster propagation of policy and data changes with bundles #1055 which may better suit your use-case.

The push mechanism will require you to implement a service similar to kube-mgmt that reads data from Kube events and pushes it into OPA via it's REST API. This may need more development effort imo.

If using bundles with a smaller frequency addresses your use-case, then I would recommend using that. You are also welcome to contribute to #1055 !

from kube-mgmt.