Wilson Mar

Web service to make decisions about Kubernetes Admission Control and PaC (Policy as Code)

Overview

Written in the Go language, OPA (Open Policy Agent) can be deployed in several ways to add policy decision making to a system. It was started in 2016 at Styra.com (by @sometorin).

    "Declarative Authorization to Secure Kubernetes - Compliance guardrails so you can move your security from tribal knowledge to policy-as-code"

OPA’s initial use case was for Kubernetes Orchestration Admission Control.

Examples of other decisions OPA enables: [3:13:48]

  • Can user X do operation Y on resource Z?
  • Which annotations must be added to new Deployments?
  • Which users can SSH into production machines?
  • What invariants does workload W violate?
  • Which records should Bob be allowed to see?

OPA is called a general-purpose policy engine because it answers policy questions such as those above as a concern separate from enforcement.
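As an added example (not code from the page or from the OPA project), here is a Rego admission policy that answers two of the questions above, "Which annotations must be added to new Deployments?" and "What invariants does workload W violate?", for a Kubernetes AdmissionReview passed to OPA as `input`. It assumes the Rego v1 syntax (`import rego.v1`, OPA 0.59 or later); the annotation list and the review in the test are constructed sample data.

```rego
package kubernetes.admission

import rego.v1

# Constructed sample data: in practice this would be pushed to OPA as a
# JSON data file via the Bundle API rather than hard-coded in the policy.
required_annotations := {"team", "oncall-contact"}

# One message per missing annotation, so every gap is reported at once
# instead of only the first one found.
deny contains msg if {
    input.request.kind.kind == "Deployment"
    input.request.operation in {"CREATE", "UPDATE"}
    some key in required_annotations
    not input.request.object.metadata.annotations[key]
    msg := sprintf("Deployment %v is missing required annotation %v",
        [input.request.object.metadata.name, key])
}

# Invariant check: no container in the Deployment may run privileged.
deny contains msg if {
    some c in input.request.object.spec.template.spec.containers
    c.securityContext.privileged == true
    msg := sprintf("container %v must not run privileged", [c.name])
}

# Unit test for `opa test <file>.rego`, using a constructed AdmissionReview
# that violates both rules.
test_missing_annotation_and_privileged if {
    review := {"request": {
        "kind": {"kind": "Deployment"},
        "operation": "CREATE",
        "object": {
            "metadata": {"name": "web", "annotations": {"team": "payments"}},
            "spec": {"template": {"spec": {"containers": [
                {"name": "app", "securityContext": {"privileged": true}}
            ]}}}
        }
    }}
    deny["Deployment web is missing required annotation oncall-contact"] with input as review
    deny["container app must not run privileged"] with input as review
    count(deny) == 2 with input as review
}
```

The admission webhook then rejects the request when `deny` is non-empty and returns the set as the reason, which is exactly the "decision as a separate concern from enforcement" split described above.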

OPA can “policy-enable” micro-services when run as a sidecar in a Service Mesh such as Istio, providing fine-grained role-based access control (VIDEO Jun 25, 2019).

OPA can be initiated as a host-level daemon via SSH to ensure that container executions are performed according to rules.

VIDEO: Netflix was an early adopter for RBAC (Role-Based Access Control).

https://github.com/open-policy-agent/gatekeeper Gatekeeper - Policy Controller for Kubernetes

Social

The Styra-run @openpolicyagent Twitter account had 1,268 followers as of October 13, 2019.

Organizations providing speakers at the Styra-run OPA Summit (#OPASummit2019) colocated (12–5PM Nov 18, 2019) at Kubecon San Diego also include Pinterest, TripAdvisor, Atlassian, Chef, Capital One.

In March 2018, OPA was donated to the CNCF (Cloud Native Computing Foundation), which also manages Kubernetes and Istio.

CLI bits

With 2,600 stars and 79 contributors as of October 13, 2019, https://github.com/open-policy-agent/opa/releases has releases for Mac, Linux, and Windows.

Note that it is not at version 1.0 yet, with 126 issues to go.

View its installer on Mac with Homebrew:

    brew info opa

Notice it’s from https://www.openpolicyagent.org

Install its CLI program on Mac:

    brew install opa

Run opa with no arguments to list its commands (opa version prints the version installed):

    opa

    Available Commands:
      build       Compile Rego policy queries
      check       Check Rego source files
      deps        Analyze Rego query dependencies
      eval        Evaluate a Rego query
      fmt         Format Rego source files
      help        Help about any command
      parse       Parse Rego source file
      run         Start OPA in interactive or server mode
      test        Execute Rego test cases
      version     Print the version of OPA

OPA has a Log service API for emitting audit logs.

OPA has a Status service API to report its service status, available from its CLI:

    opa check

OPA has a VS Code plugin for tracing, profiling.

OPA references data (in JSON)

Policy is logic applied to data.

OPA accepts policy & data from other programs via its Bundle service API.

OPA maintains both policies and data in memory for fast access, so it operates as a host-local “cache” for policy decisions based on the policy definitions, with no external run-time dependencies.

https://github.com/open-policy-agent/frameworks/tree/master/constraint Enforcement Points are places where constraints can be enforced. Examples are Git hooks and Kubernetes admission controllers and audit systems.

Target is an abstract concept. It represents a coherent set of objects sharing a common identification and/or selection scheme, generic purpose, and can be analyzed in the same validation context.

Previous rules engines such as Drools were designed with a “backward chaining inference”, which was too strange and complicated. The rules were static logic.

Rego rule declarations

But OPA’s rules are dynamic over time and defined using a declarative syntax rather than a programmatic if-then-else logic referencing object classes, methods, and binary trees.

OPA declares Policy definitions in “Rego” text format, so they can be stored in GitHub.

OPA can respond with not just Boolean yes/no but also collections of values such as numbers (e.g. rate-limits), strings (e.g. hostnames), arrays (e.g. servers), or dictionaries (microservice route-mappings). For more examples, see the Open Policy Agent tutorials.
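An added example (not from the page or the OPA project) of one policy whose decisions are a number, a set of strings and an object rather than a single yes/no, in the Rego v1 syntax (OPA 0.59 or later). The tier table and the `input.user` fields are constructed sample data.

```rego
package decisions

import rego.v1

# Constructed sample data; normally loaded via the Bundle API as `data`.
tier_limits := {"free": 60, "team": 600, "enterprise": 6000}

# Number: per-minute rate limit for the caller's tier. The default is a
# deliberately low floor so an unknown tier is not treated as unlimited.
default rate_limit := 10

rate_limit := tier_limits[input.user.tier]

# Set of strings: hostnames this caller may reach, derived from the tier.
allowed_hosts contains "api.example.test" if input.user.tier in object.keys(tier_limits)

allowed_hosts contains "export.example.test" if input.user.tier == "enterprise"

# Object: path prefix -> backend service, with canary routing per caller.
routes["/orders"] := "orders-v2" if input.user.canary

routes["/orders"] := "orders-v1" if not input.user.canary

routes["/users"] := "users-v1"

# Tests for `opa test <file>.rego` with constructed callers.
test_enterprise_canary if {
    u := {"user": {"tier": "enterprise", "canary": true}}
    rate_limit == 6000 with input as u
    allowed_hosts == {"api.example.test", "export.example.test"} with input as u
    routes == {"/orders": "orders-v2", "/users": "users-v1"} with input as u
}

test_unknown_tier_falls_back if {
    u := {"user": {"tier": "trial"}}
    rate_limit == 10 with input as u
    count(allowed_hosts) == 0 with input as u
    routes["/orders"] == "orders-v1" with input as u
}
```

A caller queries each decision by its path (for example `data.decisions.rate_limit`) over the REST API and receives the JSON value directly, so the enforcing service never re-implements the tier logic.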

It’s the policy author that knows what the data means in the real world and writes logic to make a policy decision.

impact analysis?

Debugging

Reference

[1] VIDEO: “Securing Kubernetes with Admission Control” with Ash Narka, #ashtalk SSE (Styra, Inc.) May 17, 2019 [25:28]

[2] VIDEO: Securing Kubernetes With Admission Controllers - Dave Strebel, Microsoft CNCF [Cloud Native Computing Foundation]

[3] https://www.youtube.com/watch?v=XEHeexPpgrA OPA: The Cloud Native Policy Engine, May 4, 2018, by Torin Sandall of Styra (Intermediate Skill Level)

Shanghai, November 14-15 (http://bit.ly/kccncchina18).