Web service to make decisions about Kubernetes Admission Control and PaC (Policy as Code)
- "Declarative Authorization to Secure Kubernetes - Compliance guardrails so you can move your security from tribal knowledge to policy-as-code"
OPA’s initial use case was for Kubernetes Orchestration Admission Control.
Examples of other decisions OPA enables: [3:13:48]
- Can user X do operation Y on resource Z?
- Which annotations must be added to new Deployments?
- Which users can SSH into production machines?
- What invariants does workload W violate?
- Which records should Bob be allowed to see?
OPA is called a general-purpose policy engine because it answers policy questions such as those above as a concern separate from enforcement.
OPA can also be started as a host-level daemon via SSH to ensure that containers are executed according to the rules.
VIDEO: Netflix was an early adopter for RBAC (Role-Based Access Control).
https://github.com/open-policy-agent/gatekeeper Gatekeeper - Policy Controller for Kubernetes
The Styra-run @openpolicyagent Twitter account had 1,268 followers as of October 13, 2019.
Organizations providing speakers at the Styra-run OPA Summit (#OPASummit2019) colocated (12–5PM Nov 18, 2019) at Kubecon San Diego also include Pinterest, TripAdvisor, Atlassian, Chef, Capital One.
In March 2018, OPA was donated to the CNCF (Cloud Native Computing Foundation), which also manages Kubernetes and Istio.
With 2,600 stars and 79 contributors as of October 13, 2019, https://github.com/open-policy-agent/opa/releases has releases for Mac, Linux, and Windows.
Note it is not at version 1.0 yet, with 126 issues to go.
View its installer on Mac with Homebrew:
brew info opa
Notice it’s from https://www.openpolicyagent.org
Install its CLI program on Mac:
brew install opa
Get the version installed with opa version. The CLI help output lists these available commands:
- build: Compile Rego policy queries
- check: Check Rego source files
- deps: Analyze Rego query dependencies
- eval: Evaluate a Rego query
- fmt: Format Rego source files
- help: Help about any command
- parse: Parse Rego source file
- run: Start OPA in interactive or server mode
- test: Execute Rego test cases
- version: Print the version of OPA
OPA has a Log service API for emitting audit logs.
OPA has a Status service API to report its service status, available from its CLI:
OPA has a VS Code plugin for tracing, profiling.
OPA references data (in JSON).
Policy is logic applied to data.
OPA accepts policy & data from other programs via its Bundle service API.
OPA maintains both policies and data in memory (for fast access), so it operates as a host-local “cache” for policy decisions based on the Policy definitions, with no external run-time dependencies.
https://github.com/open-policy-agent/frameworks/tree/master/constraint Enforcement Points are places where constraints can be enforced. Examples are Git hooks and Kubernetes admission controllers and audit systems.
Target is an abstract concept. It represents a coherent set of objects sharing a common identification and/or selection scheme, generic purpose, and can be analyzed in the same validation context.
Previous rules engines such as Drools were designed with a “backward chaining inference”, which was too strange and complicated. The rules were static logic.
Rego rule declarations
But OPA’s rules are dynamic over time and defined using a declarative syntax rather than a programmatic if-then-else logic referencing object classes, methods, and binary trees.
OPA declares Policy definitions in “Rego” text format, so they can be stored in GitHub.
OPA can respond with not just Boolean yes/no but also collections of values such as numbers (e.g. rate-limits), strings (e.g. hostnames), arrays (e.g. servers), or dictionaries (microservice route-mappings). For more examples, see the Open Policy Agent tutorials.
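As an added example (not from the page or the OPA project), the Rego policy below answers two of the questions listed earlier for a Kubernetes Deployment admission request: which annotations must be added (a set, not a Boolean) and whether the request may be admitted. It assumes OPA v0.59 or later for `import rego.v1`; the annotation names, registry prefix and AdmissionReview fragment are constructed for illustration.

```rego
# Added example, not the page's or the OPA project's code.
# Assumes OPA v0.59+ (import rego.v1); all names below are illustrative.
package kubernetes.admission

import rego.v1

# Annotations every new Deployment must carry (constructed list).
required_annotations := {"owner", "cost-center"}

# "Which annotations must be added?" - the decision is a set of keys.
missing_annotations contains key if {
	input.request.kind.kind == "Deployment"
	some key in required_annotations
	not input.request.object.metadata.annotations[key]
}

# "Can this request be admitted?" - deny collects reasons; empty means allow.
deny contains msg if {
	count(missing_annotations) > 0
	msg := sprintf("Deployment %q is missing annotations: %v",
		[input.request.object.metadata.name, missing_annotations])
}

deny contains msg if {
	input.request.kind.kind == "Deployment"
	some container in input.request.object.spec.template.spec.containers
	not startswith(container.image, "registry.example.com/")
	msg := sprintf("container %q uses image %q outside the allowed registry",
		[container.name, container.image])
}

allow if count(deny) == 0

# Constructed AdmissionReview fragment; run the tests with: opa test policy.rego
compliant := {"request": {"kind": {"kind": "Deployment"}, "object": {
	"metadata": {"name": "web", "annotations": {"owner": "team-a", "cost-center": "42"}},
	"spec": {"template": {"spec": {"containers": [
		{"name": "app", "image": "registry.example.com/web:1.2"}]}}},
}}}

test_compliant_deployment_allowed if {
	allow with input as compliant
}

test_missing_annotation_reported if {
	noncompliant := json.patch(compliant,
		[{"op": "remove", "path": "/request/object/metadata/annotations/cost-center"}])
	missing_annotations == {"cost-center"} with input as noncompliant
	not allow with input as noncompliant
}
```

Querying `data.kubernetes.admission.missing_annotations` against the non-compliant input returns `["cost-center"]`, while `data.kubernetes.admission.deny` returns the human-readable reasons an admission webhook would send back to the API server.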
It is the policy author who knows what the data means in the real world and who writes the logic that makes a policy decision.
VIDEO: https://www.youtube.com/watch?v=XEHeexPpgrA OPA: The Cloud Native Policy Engine, May 4, 2018, by Torin Sandall of Styra (Intermediate Skill Level)
Shanghai, November 14-15 (http://bit.ly/kccncchina18).