This page describes the best practices for OPA agent deployment.
When will decisions be dropped?
SLP has a configurable queue size. If SLP cannot keep up with the decision rate, it sends errors back to OPA, and OPA buffers the rejected decisions in memory. If the buildup grows too large, OPA eventually runs Out Of Memory (OOM), Kubernetes restarts the OPA pod, and OPA returns to normal functionality. An OOM is easier to identify or monitor than silent drops of decisions somewhere in the SLP queue.
How many OPA replicas should I run?
OPA can be deployed as a Kubernetes Deployment, DaemonSet, or sidecar, and the deployment model differs depending on the use case. When OPA runs as a Deployment, the number of OPA replicas needs to scale with the workload placed on OPA. As a general guideline, Styra recommends at least three replicas irrespective of the cluster size for availability. For every 50 nodes in the cluster, Styra recommends an additional OPA replica. For example, a cluster with 100 nodes should use at least five OPA replicas.
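
The OOM restarts described under "When will decisions be dropped?" and the replica guideline above can both be checked with a short script. This is an added example, not Styra's or OPA's own code: it reads JSON in the shape that `kubectl get pods -o json` returns and flags OPA containers whose last termination was an OOM kill. The container name `opa`, the pod names, and rounding a partial group of 50 nodes down are assumptions; the sample pod list is constructed.

```python
import json

# Constructed sample shaped like `kubectl get pods -o json` output (not real data).
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "opa-7d9f-abcde"},
   "status": {"containerStatuses": [
     {"name": "opa", "restartCount": 4,
      "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137,
                                   "finishedAt": "2024-01-01T10:15:00Z"}}}]}},
  {"metadata": {"name": "opa-7d9f-fghij"},
   "status": {"containerStatuses": [
     {"name": "opa", "restartCount": 0, "lastState": {}}]}},
  {"metadata": {"name": "opa-7d9f-klmno"},
   "status": {"containerStatuses": [
     {"name": "opa", "restartCount": 1,
      "lastState": {"terminated": {"reason": "Error", "exitCode": 1,
                                   "finishedAt": "2024-01-01T09:00:00Z"}}},
     {"name": "proxy", "restartCount": 2,
      "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137,
                                   "finishedAt": "2024-01-01T09:30:00Z"}}}]}}
]}
""")


def oom_killed_containers(pod_list, container_name="opa"):
    """Return (pod, restart_count, finished_at) for each container named
    `container_name` whose most recent termination reason was OOMKilled."""
    hits = []
    for pod in pod_list.get("items", []):
        for cs in pod.get("status", {}).get("containerStatuses", []):
            if cs.get("name") != container_name:
                continue  # ignore other containers in the pod (sidecar model)
            term = cs.get("lastState", {}).get("terminated")
            if term and term.get("reason") == "OOMKilled":
                hits.append((pod["metadata"]["name"],
                             cs.get("restartCount", 0), term.get("finishedAt")))
    return hits


def recommended_replicas(node_count):
    """Guideline from the text: three replicas, plus one per 50 nodes.
    Rounding a partial group of 50 down is an assumption."""
    return 3 + node_count // 50


if __name__ == "__main__":
    for pod, restarts, when in oom_killed_containers(SAMPLE_POD_LIST):
        print(f"{pod}: last restart was OOMKilled at {when} ({restarts} restarts)")
    print("replicas for 100 nodes:", recommended_replicas(100))
```

To run it against a live cluster, replace the sample with the parsed output of `kubectl get pods -n <namespace> -o json`.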