OPA Envoy Plugin for Istio

Question

Our team is contemplating on whether to deploy OPA as a plugin or standalone.

Link to plugin: https://github.com/open-policy-agent/opa-envoy-plugin

Clearly, the plugin has many benefits over the standalone deployment, such as:

1. Performance
   • scales with service as the plugin is deployed as a sidecar
   • avoid network hop
2. Security
   • OPA can only be accessed by envoy via localhost interface

Here are our concerns:

1. Istio Compatibility
   • does it support the latest Istio?
2. Documentation
   • there aren't that many blogs or documentation other than the github readme. If we run into production issues we won't be able to resolve.
3. Development and Support
   • is this plugin being actively developed and improved?

Any insights into these concerns would be highly appreciated.

Answer 1

does it support the latest Istio?

As far as I checked here

we only support v1.5.0 and later.

So based on that I would say they should support the latest istio version.

---

there aren't that many blogs or documentation other than the github readme. If we run into production issues we won't be able to resolve.

As mentioned on github

Use OPA GitHub Issues to request features or file bugs

so if you run into issues then you can always raise new issue on their github or ask here on stackoverflow, maybe someone will be able to help you with that.

---

is this plugin being actively developed and improved?

There are new commits and the repository looks active so it looks like it's actively developed, there are also new releases released last month.