About OPA's Request Body Size Limits

[mlajkim]

Background

OPA introduced the Request Body Size Limits feature starting from v0.67.0:
https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md#breaking-change

The release notes mention that most users don’t need to change this setting, as the default limit (currently 256MB/512MB) should be sufficient for typical use cases. However, in our use-cases, we sometimes operate clusters with up to 20,000 pods, so we had to adjust this setting manually. (Before this breaking change, this wasn’t necessary since the request body size was effectively unlimited.)

What do we want to ask here

I wanted to ask if there is currently any logging that shows when a request is close to or exceeds the maximum request body size? (I've looked around and can't find it)
=>If not, would you be open to improvements?

Right now, the logs do not seem to show how large the received body was when the limit was exceeded, making it harder for OPA container managers to monitor and proactively adjust settings. If this omission was intentional, please let us know. Otherwise, can we submit a PR to improve the logging and provide clearer warnings when body size limits are approached or exceeded?

[johanfylling]

Hi Aaron!

The reason behind why configuring this parameter is a hassle for you, is it because you need to figure out what max limit to set as you go? If you have control over the network and which clients can send requests to OPA then maybe these request size OOM attacks are of less concern, and you can configure an extremely high value that is guaranteed to encompass your requests (e.g. close to int64 max value)?

It doesn't look like OPA will log the fact that a request was rejected because of the size limit. Maybe @philipaconrad can fill in if I'm mistaken here.
We're certainly open to feature requests.