Closed ric79 closed 5 years ago
@ric79 OPA exposes an API that lets you query for policy decisions. You can also "watch" policy decisions for changes; however, that feature is not widely used. Nonetheless, you could model (3) inside Rego. For example, if you loaded data describing nodes and alarms into OPA you could write a policy that identifies "overflowed" nodes. I'm not exactly sure what "memory overflow" means in this context, but for the sake of the example, let's say it refers to the allocated memory on the node exceeding the total allocatable memory. Then we can write a policy as follows:
```
package vnf.scaling

# overflowed is a set. node_name is in the set if...
overflowed[node_name] {
    some node_name
    node := data.nodes[node_name]
    node.allocatedMemory > node.totalMemory
    count(data.alarms[node_name]) > 0
}
```
There would need to be a component that replicates node and alarm data out of Influx and Nagios into OPA. Note that OPA keeps this data in-memory. If this data can't fit in-memory then OPA may not be a good fit (you can query for external data from inside the policy using the `http.send` built-in but this is somewhat experimental.)
Once you have the policy and data loaded into OPA you can query OPA for the list of overflowed nodes:
```
GET opa:8181/v1/data/vnf/scaling/overflowed
```
This will return an array/set of overflowed node names, e.g., `["node1", "node2"]`. The caller could invoke the scaling workflow for each of these nodes.
Hope this helps.
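The replicate-then-query loop described in the answer above, as an added example that is not part of the original thread or of OPA's own code. It pushes data with OPA's Data API (`PUT /v1/data/...`), reads the decision, and refuses to act when the document is undefined. The function names, the `make_fake_opa` stand-in and the sample data are assumptions made so it runs offline.

```python
import json
import urllib.request

OPA_URL = "http://opa:8181"  # host and port from the query shown in the thread

def opa_request(method, path, body=None):
    """Minimal client for OPA's Data API (PUT returns 204 with an empty body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(OPA_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def overflowed_nodes(nodes, alarms, request=opa_request):
    """Replicate node/alarm data into OPA, then ask for the decision."""
    request("PUT", "/v1/data/nodes", nodes)
    request("PUT", "/v1/data/alarms", alarms)
    decision = request("GET", "/v1/data/vnf/scaling/overflowed")
    # An undefined document comes back as 200 with no "result" key, e.g. when
    # the vnf.scaling policy is not loaded. Treat that as an error, not "no nodes".
    if "result" not in decision:
        raise RuntimeError("vnf/scaling/overflowed is undefined; is the policy loaded?")
    # Only act on names we replicated ourselves before handing them to a workflow.
    return sorted(n for n in decision["result"] if n in nodes)

def make_fake_opa(policy_loaded=True):
    """Constructed stand-in for OPA (hypothetical helper) mirroring the Rego rule."""
    store = {}
    def request(method, path, body=None):
        if method == "PUT":
            store[path.rsplit("/", 1)[1]] = body
            return {}
        if not policy_loaded:
            return {}
        nodes, alarms = store["nodes"], store["alarms"]
        return {"result": [n for n, v in nodes.items()
                           if v["allocatedMemory"] > v["totalMemory"]
                           and len(alarms.get(n, [])) > 0]}
    return request

# Constructed sample data; field names follow the policy in the thread.
NODES = {"node1": {"allocatedMemory": 34, "totalMemory": 32},
         "node2": {"allocatedMemory": 8, "totalMemory": 32},
         "node3": {"allocatedMemory": 70, "totalMemory": 64}}
ALARMS = {"node1": [{"source": "influxdb", "kind": "memory"}], "node2": [], "node3": []}

if __name__ == "__main__":
    for name in overflowed_nodes(NODES, ALARMS, request=make_fake_opa()):
        print("would start scaling workflow for", name)
```

With the default `request`, the same function talks to a real OPA at `OPA_URL`; node3 is over-allocated but has no alarm, so only node1 is returned.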
Thanks a lot. I have understood how I could use OPA in this scenario!
Glad this answers your question. Closing this for now.
Hello, I would like to know if OPA could be used in this scenario.
Let us suppose that I have InfluxDB or Nagios with node/service alarms.
I would like to describe a policy in OPA in order to start (in Ansible) a scaling workflow of the node if an alarm is found. Example.
1) Memory overflow on Node1
2) Alarm is present in InfluxDB
3) OPA rule on overflow of Node1 is True
4) OPA calls an API on MySystem
5) MySystem runs a scaling workflow on Node1
The problem of this scenario is that OPA is "passive" and I do not understand who calls OPA...