Deploying OPA on Azure Container Apps
Azure Container Apps provides a fully managed platform for deploying and scaling containerized applications. It is well-suited for running off-the-shelf software, such as OPA, handling scaling, networking, and infrastructure, allowing you to focus on developing your applications.
This guide details the steps and considerations when deploying OPA as a Policy Decision Point (PDP) on Azure Container Apps.
Selecting a Container Image
It is recommended to use the openpolicyagent/opa:<version> variant available on Docker Hub. Users without access to Docker Hub may need to mirror these images to an Azure Container Registry.
Note: Avoid using the latest tag in production environments.
Ingress, Authentication & Authorization Considerations
In Azure Container Apps, an endpoint can be public or private (reachable only from other Container Apps). Since OPA typically handles requests from internal services (PEPs), a private endpoint is advisable where possible. For public endpoints, add an additional authentication mechanism if Azure AD cannot be used.
While OPA’s primary role is providing authorization decisions as a PDP, OPA itself should restrict access to ensure that only authorized PEPs can interact with it.
If PEP applications are authenticated using Azure AD, their tokens can identify them to OPA. Otherwise, consider using client certificates or tokens. Refer to the OPA documentation for more information on securing OPA with tokens or certificates.
CPU Scaling & Memory Allocation
OPA is lightweight, but to achieve low-latency responses in serverless environments, it is recommended to configure Azure Container Apps with a minimum of 1 OPA instance, using 1 vCPU and 2GB of memory.
By default, Container Apps can scale to 0 instances, which may cause latency issues for PEPs if no OPA instances are running to serve requests.
Increase memory allocation if substantial data needs to be loaded into OPA for policy evaluations. Test deployments with realistic data and traffic to ensure satisfactory production performance.
Creating the OPA App
To deploy OPA to Container Apps, specify these settings in the initial revision to create the app. In a later step, we'll create the secret for the OPA configuration file and mount it into the container.
Throughout the following steps, we'll be using these values for the OPA Container App. Replace them with the details from your environment before continuing, so that the steps below use your values.
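The recommendations from the preceding sections (a versioned image rather than latest, a private endpoint or authenticated PEPs, at least one replica with 1 vCPU and 2 GB) can be checked before the initial revision is created. This is an added example, not part of the original guide; the resource group, environment and app names and the auth-mode labels are placeholders, and the script only prints the az containerapp create command for the initial revision without running it.

```shell
#!/bin/sh
# Added pre-flight check for the OPA Container App settings this guide recommends.
# Hypothetical example, not code from the OPA project or Azure documentation.
# Resource group, environment and app names are placeholders.
RESOURCE_GROUP="rg-opa-example"
ENVIRONMENT="cae-opa-example"
APP_NAME="opa"

# The image must be a versioned openpolicyagent/opa image, pulled from Docker Hub
# or from a mirror in Azure Container Registry, never the floating "latest" tag.
opa_image_ok() {
  image="$1"
  case "$image" in
    openpolicyagent/opa:*|*.azurecr.io/*opa:*) ;;
    *) return 1 ;;
  esac
  tag="${image##*:}"
  [ -n "$tag" ] && [ "$tag" != "latest" ]
}

# Keep at least one replica (no scale-to-zero), sized 1 vCPU / 2 GB or larger.
opa_scale_ok() {
  min="$1" cpu="$2" mem="$3"
  [ "$min" -ge 1 ] 2>/dev/null || return 1
  awk -v c="$cpu" 'BEGIN { exit !(c + 0 >= 1) }' || return 1
  awk -v m="${mem%Gi}" 'BEGIN { exit !(m + 0 >= 2) }'
}

# Internal ingress is preferred; external ingress is acceptable only when the
# PEPs authenticate to OPA (Azure AD token, bearer token or client certificate).
opa_ingress_ok() {
  case "$1:$2" in
    internal:*|external:aad|external:token|external:cert) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the az CLI command for the initial revision once every check passes.
# Nothing is executed; the OPA config secret is added in the later step.
opa_create_cmd() {
  image="$1" min="$2" cpu="$3" mem="$4" ingress="$5" auth="$6"
  opa_image_ok "$image" && opa_scale_ok "$min" "$cpu" "$mem" \
    && opa_ingress_ok "$ingress" "$auth" || return 1
  printf '%s' "az containerapp create -n $APP_NAME -g $RESOURCE_GROUP"
  printf ' --environment %s --image %s --ingress %s --target-port 8181' \
    "$ENVIRONMENT" "$image" "$ingress"
  printf ' --min-replicas %s --cpu %s --memory %s\n' "$min" "$cpu" "$mem"
}
```

Port 8181 is OPA's default listening port; a mirrored image is matched by its .azurecr.io registry host.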
Further Reading
- SDKs for building PEP applications in your language of choice.