open-policy-agent
doc: looking for external data provider max response size
Hi,
I would like to understand what is the maximum response size from a external data provider. As mentioned in Ratify issue 1195, Ratify allow users to pass through artifact contents in the verifier report which is embedded in the response body to GK. Response body can now potentially be unbounded , are there any guidance on external data provider to restrict the payload length?
thanks!
I don't know if there are any hard numbers on this that I can give you, but:
- A larger response will take more RAM
- A larger response will add to latency
Gatekeeper sets no limits on response size. Users do have the ability to "tune" G8r by increasing the amount of RAM it can use or adding CPU power (though I think Rego is evaluated single-threaded, so that's only helpful up to scheduling an entire CPU core).
Gatekeeper's mutation webhooks have a default timeout of 1 second and its validating webhooks have a timeout of 3 seconds.
I'd probably try to set some "reasonable" limits by choosing a standard G8r footprint for a typical Ratify user, use a typical constraint, then do some load testing.
Figure out at what size you start seeing problems (pods OOMing, requests taking longer than 3 or 1 seconds, etc.) and see what that gets you. Once you have a "ballpark" size, I'd consider choosing a much smaller maximum size (1/2, 1/10, 1/100, depending on what is reasonable for particular use cases) just to give you some headroom for either complexity of policies growing in the future, or users operating on smaller footprints.
You could also consider letting the user configure the limit sizes, so they can tune things to meet their needs (the above may still be useful for setting a default value)
thanks for your comment @maxsmythe. That is all we will need for now, issue closed.