Sample App

The first component of the setup features a simple Go app which provides information about employees in a company. It exposes a endpoint to get and create employees. The app’s source code can be found .

Envoy

Next, is the Envoy proxy that runs alongside the example application. The Envoy configuration below defines an external authorization filter envoy.ext_authz for a gRPC authorization server. The config uses Envoy’s in-built gRPC client which is a minimal custom implementation of gRPC to make the external gRPC call.

OPA-Envoy Plugin

Now let’s deploy OPA as an External Authorization server. Below is a sample configuration for the OPA-Envoy container:

Following are some scenarios to perform benchmarks on. The results could be used to compare OPA-Envoy plugin’s latency and resource consumption with the baseline (no-opa) case for instance.

  • App Only

In this case, requests are sent directly to the application ie. no Envoy and OPA in the request path.

  • App and Envoy

In this case, OPA is not included in the request path but Envoy is (ie. Envoy External Authorization API disabled).

In this case, performance measurements are observed with enabled. This means Envoy will make a call to OPA on every incoming request with the below NOP policy loaded into OPA.

  • App, Envoy and OPA (RBAC policy)

In this case, performance measurements are observed with Envoy External Authorization API enabled and a sample real-world RBAC policy as shown below loaded into OPA.

  • App, Envoy and OPA (Header Injection policy)

This section describes some metrics that should help to measure the cost of the OPA-Envoy plugin in terms of CPU and memory consumed as well as latency added.

  • End-to-end Latency is the latency measured from the end user’s perspective. This includes time spent on the network, in the application, in OPA and so on. The sample shows how to measure this metric.

  • OPA Evaluation is the time taken to evaluate the policy.

  • Resource utilization refers to the CPU and memory usage of the OPA-Envoy container. kubectl top utility can be leveraged to measure this.