Open Policy Agent

Open Policy Agent

Agent Check Agent Check

Linux OS Supported

Overview

This check collects metrics from Open Policy Agent.

Setup

Follow the instructions below to install and configure this check for an Agent running on a Kubernetes cluster. See also the Autodiscovery Integration Templates for guidance on applying these instructions.

Installation

To install the open_policy_agent check on your Kubernetes cluster:

  1. Install the developer toolkit.

  2. Clone the integrations-extras repository:

    git clone https://github.com/DataDog/integrations-extras.git.
    
  3. Update your ddev config with the integrations-extras/ path:

    ddev config set extras ./integrations-extras
    
  4. To build the open_policy_agent package, run:

    ddev -e release build open_policy_agent
    
  5. Download the Agent manifest to install the Datadog Agent as a DaemonSet.

  6. Create two PersistentVolumeClaims, one for the checks code, and one for the configuration.

  7. Add them as volumes to your Agent pod template and use them for your checks and configuration:

         env:
           - name: DD_CONFD_PATH
             value: "/confd"
           - name: DD_ADDITIONAL_CHECKSD
             value: "/checksd"
       [...]
         volumeMounts:
           - name: agent-code-storage
             mountPath: /checksd
           - name: agent-conf-storage
             mountPath: /confd
       [...]
       volumes:
         - name: agent-code-storage
           persistentVolumeClaim:
             claimName: agent-code-claim
         - name: agent-conf-storage
           persistentVolumeClaim:
             claimName: agent-conf-claim
    
  8. Deploy the Datadog Agent in your Kubernetes cluster:

    kubectl apply -f agent.yaml
    
  9. Copy the integration artifact .whl file to your Kubernetes nodes or upload it to a public URL.

  10. Run the following command to install the integrations wheel with the Agent:

    kubectl exec ds/datadog -- agent integration install -w <PATH_OF_OPEN_POLICY_AGENT_ARTIFACT_>/<OPEN_POLICY_AGENT_ARTIFACT_NAME>.whl
    
  11. Run the following commands to copy the checks and configuration to the corresponding PVCs:

    kubectl exec ds/datadog -- sh
    # cp -R /opt/datadog-agent/embedded/lib/python2.7/site-packages/datadog_checks/* /checksd
    # cp -R /etc/datadog-agent/conf.d/* /confd
    
  12. Restart the Datadog Agent pods.

Logs-generated metrics

The default dashboard includes some graphs related to a metric around OPA decisions, called open_policy_agent.decisions. This metric is created based on the OPA “Decision Logs”. To generate this metric and populate this part of the dashboard, create a new log-generated metric in Datadog.

First, create a facet for the msg field of our OPA logs, as it will only generate metrics for the “Decision Logs” type of log entry. For that, select any of the log entries coming from OPA, click on the engine log near the msg field and select “Create facet for @msg”:

Message Facet

Now create two facets, one for the input.request.kind.kind field and one for the result.response.allowed field, both available in any of the log entries type “Decision Log”.

Kind Facet Allowed Facet

Once you have created the facets, generate the needed metric for the Dashboard to be complete. Click on the menu “Logs -> Generate Metrics”. Click on “Add a new metric” and fill in the form with the following data:

OPA Decision Metric

Configuration

  1. Edit the open_policy_agent/conf.yaml file, in the /confd folder that you added to the Agent pod to start collecting your OPA performance data. See the sample open_policy_agent/conf.yaml for all available configuration options.

  2. Restart the Agent.

Validation

Run the Agent’s status subcommand and look for open_policy_agent under the Checks section.

Data Collected

Metrics

open_policy_agent.request.duration.count
(count)
The count of the HTTP request latencies in seconds for the OPA service
Shown as second
open_policy_agent.request.duration.sum
(count)
The sum of the HTTP request latencies in seconds for the OPA service
Shown as second
open_policy_agent.policies
(gauge)
The number of policies enabled in the OPA server

Events

open_policy_agent does not include any events.

Service Checks

open_policy_agent.prometheus.health
Returns CRITICAL if the agent fails to connect to the Prometheus endpoint, otherwise OK.
Statuses: ok, critical

open_policy_agent.health
Returns CRITICAL if the agent fails to connect to the OPA health endpoint, OK if it returns 200, WARNING otherwise.
Statuses: ok, warning, critical

open_policy_agent.bundles_health
Returns CRITICAL if the agent fails to connect to the OPA bundles health endpoint, OK if it returns 200, WARNING otherwise.
Statuses: ok, warning, critical

open_policy_agent.plugins_health
Returns CRITICAL if the agent fails to connect to the OPA plugins health point, OK if it returns 200, WARNING otherwise.
Statuses: ok, warning, critical

Troubleshooting

Need help? Contact Datadog support.