Enable / Disable
The following services can be configured (some by default in M14) to use Policy Service:
- Search: this requires the search.rego policy in your data partition to work.
- Storage: this may require the storage.rego policy in your data partition to work.
- seismic-dms-suite seismic-store-service v4. This uses storage and requires Policy to be enabled for storage.
Disabling Updates to Policies
To disable changes to policies, remove all users from the service.policy.admin group for your data partition(s).
Disabling Policy Service
To disable Policy Service, first stop the consumers of Policy Service (for example the search and storage services) from calling it. Only after the consumers no longer call Policy Service can Policy Service and OPA be turned off.
Search (POLICY_SERVICE_ENABLED) and storage (OPA_ENABLED) each have an environment variable that controls whether this is enabled in a running environment. This environment variable is provided to the pod to control the behavior.
How to change this greatly depends on your environment. The process would most likely be to update one of the following (depending on how your environment is managed):
- deployment
- configmap
- helm chart / helm values
- terraform
Disabling Policy Service
In general there is little reason to disable Policy Service. Most QA and testing occurs with Policy Service enabled. So while it's technically possible to disable policy, you'll want to thoroughly test things before deciding to turn off Policy Service in a production environment.
Performance with M22 and later shouldn't be an issue. If your workload needs it, cache settings, CPU/Memory requests & limits, scaling rules (including minReplicaCount) all can be adjusted.
If you are experiencing issues with Policy Service (or OPA) please review your custom policies. Verify your integrations with other services and external dependencies are working as expected.
If you're still experiencing issues please report it to your provider or open an issue in the forum.
Search
For search you can update the configmap for search. Some CSPs (like AWS) manage this setting from the deployment rather than configmap.
Review Configmap
If your CSP uses configmaps to provide the setting, you can review the current setting:
kubectl get configmap search-config -n <osdu core namespace> -o yaml
Please note your configmap name and namespace may be different in your environment.
Edit Configmap
kubectl edit configmap <cfg-name> -n osdu-services
To disable search calling Policy Service, change the value of SERVICE_POLICY_ENABLED or POLICY_SERVICE_ENABLED (whichever is present) to "false".
Replace Configmap
Alternatively you can download the configmap, edit it and then replace it rather than using kubectl edit.
kubectl get configmap search-config -n <osdu core namespace> -o yaml > searchconfig.yaml
kubectl replace -f searchconfig.yaml
Edit Search Deployment
Some CSPs (like AWS) manage this setting from the deployment rather than the configmap. Please note that changes to the deployment will be reset to default after updating OSDU.
For example:
kubectl edit deployment os-search -n r3-m22-instance-r3-m22-core
Storage
Storage Configmap
To review the current setting:
kubectl get configmap <cfg-name> -n <osdu core namespace> -o yaml
Please note your configmap name and namespace may be different in your environment. Edit or replace configmap as in previous example.
Edit Storage Deployment
Some CSPs (like AWS) manage this setting from the deployment rather than the configmap. Please note that changes to the deployment will be reset to default after updating OSDU.
kubectl get deployment os-storage -n <osdu core namespace> -o yaml
In that case you'll want to edit the deployment:
kubectl edit deployment os-storage -n <osdu core namespace>
For example:
kubectl edit deployment os-storage -n r3-m22-instance-r3-m22-core
Helm Values
If you're using helm to manage your environment, you can review the helm values with something like the following:
helm get values osdu-aws-core -n osdu-instance-r3m22-core
Scale Down OPA and Policy
If you want to scale down OPA or Policy Service after disabling it on AWS, edit the scaledobjects shown below. Please note this will be reset after an update to OSDU. Changes to scaledobject will be used with the built-in start/stop of AWS EDI. For a long-term permanent change you may want to update terraform or helm values.
Change maxReplicaCount and minReplicaCount:
kubectl edit scaledobject opa-agent -n osdu-instance-r3m22-core
kubectl edit scaledobject os-policy -n osdu-instance-r3m22-core
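A pre-check for the scale-down step above, enforcing the rule that consumers must stop calling Policy Service before it and OPA are turned off. This is an added example, not part of the OSDU documentation or tooling: the function names policy_flag and safe_to_scale_down are hypothetical, the sample YAML is constructed, and treating an unset toggle as "not disabled" is an assumption made so the check fails safe.

```shell
#!/bin/sh
# Added example. Reads `kubectl get <configmap|deployment> -o yaml` output on
# stdin and prints the value of the named toggle: true | false | unset.
# Handles the configmap form (KEY: "v") and the deployment env form
# (- name: KEY / value: "v").
policy_flag() {  # usage: policy_flag KEY [KEY...] < yaml
  awk -v keys="$*" '
    function strip(s) { gsub(/[" \t\r]/, "", s); return s }
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1; out = "unset" }
    { line = $0; sub(/^[ \t-]+/, "", line) }   # drop indentation and list dash
    pending && line ~ /^value:/ {
      sub(/^value:/, "", line); out = tolower(strip(line)); pending = 0; next }
    line ~ /^name:/ {
      sub(/^name:/, "", line); nm = strip(line); pending = (nm in want); next }
    { pending = 0; c = index(line, ":"); key = substr(line, 1, c - 1)
      if (c > 1 && (key in want)) out = tolower(strip(substr(line, c + 1))) }
    END { print out }'
}

# Succeeds (prints "ok") only when search and storage both have the toggle
# explicitly set to false. Unset counts as still enabled (assumption).
safe_to_scale_down() {  # usage: safe_to_scale_down SEARCH_YAML STORAGE_YAML
  s=$(printf '%s\n' "$1" | policy_flag POLICY_SERVICE_ENABLED SERVICE_POLICY_ENABLED)
  o=$(printf '%s\n' "$2" | policy_flag OPA_ENABLED)
  if [ "$s" = "false" ] && [ "$o" = "false" ]; then echo "ok"; return 0; fi
  echo "blocked: search=$s storage=$o"; return 1
}

# Constructed sample input: a search configmap with policy calls disabled and
# a storage deployment fragment where OPA is still enabled.
SEARCH_CM='apiVersion: v1
kind: ConfigMap
data:
  POLICY_SERVICE_ENABLED: "false"'
STORAGE_DEPLOY='    spec:
      containers:
      - name: os-storage
        env:
        - name: OPA_ENABLED
          value: "true"'

# In a live cluster, pass "$(kubectl get configmap <cfg-name> -n <ns> -o yaml)"
# and "$(kubectl get deployment os-storage -n <ns> -o yaml)" instead.
safe_to_scale_down "$SEARCH_CM" "$STORAGE_DEPLOY" || true
```

Run with the sample input, the check reports storage as still calling policy, so the scaledobject edits should wait.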