CNCF Incubates Open Policy Agent, a Policy-As-Code Project
As a young programmer, one of the early lessons you might learn is that if you find yourself writing the same code over and over again, you should separate that code out into a class or a function, both to increase efficiency and to make it easier to change functionality across numerous uses of that functionality. Nowadays, that idea has extended into DevOps practices with things like infrastructure as code (IaC), wherein the management and provisioning of a technology stack are separated out for automation and one-stop access. More recently, policy-as-code has emerged to provide the same automation and ease-of-access to applying policy to multiple purposes and scenarios.
The Open Policy Agent (OPA) project is one such provider of policy as code and the project has just been accepted as an incubation-level hosted project with the Cloud Native Computing Foundation (CNCF). The OPA, according to a company statement, is “an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack” that “provides greater flexibility and expressiveness than hard-coded service logic or ad-hoc domain-specific languages.”
“One of the core ideas behind the project is that you decouple policy decision making from policy enforcement. The OPA gives architects, developers, and security practitioners a really good way of expressing security policy as code and then delivering on it,” said Sandall. “You can use it for microservices, you can use it with API gateways, you can use it with a script and your CI/CD pipeline. You can apply it all over the place in your stack to solve all kinds of different policy related problems. Whether you’re talking about access control and microservice environments or putting constraints on containerized workloads, the mission has been the same for OPA, which is to help large organizations enforce constraints, guardrails, or rules and governance over those kinds of resources.”
OPA provides universal language compatibility by way of RESTful APIs using JSON over HTTP, and is easily deployable with no dependencies. It can run as a daemon side-by-side with your service or, for services written with Go, OPA can instead be embedded and used as a library, eliminating the need to run a separate daemon. It also provides an interactive shell for users to experiment with queries and data sets.
Sandall says that the OPA’s acceptance as an incubation level project shows how far the project has come, with some big players using the technology. Other projects hosted at the CNCF incubation level include OpenTracing, Fluentd, gRPC, rkt, CNI, Jaeger, Notary, TUF, Vitess, NATS, Linkerd, Helm, Rook, Harbor and etcd.
“Over the last year, there’s been a lot of growth in the number of people running the project in production. Netflix runs the project as part of their internal security platform and companies like Intuit and Capital One are running the project for Kubernetes admission control in production,” said Sandall. “There’s just a lot more people using the project in production to enforce important policies. The move from sandbox update probation is a reflection of the progress that the project has made in the past year.”
A visit to the OPA repository on GitHub shows several integrations with third-party technologies, such as Kubernetes, Docker, and Istio, among others, and Sandall says that he expects the increased visibility to lead to further development of integrations.
Looking forward, Sandall said the project would be focusing on continuing to harden and optimize the core of the project, but also at expanding open support for compiling an OPA policy into a WebAssembly binary that can be distributed and embedded. The project also recently launched the Gatekeeper sub-project with Styra, Google and Microsoft, which “integrates OPA with Kubernetes to help admins enforce admission control policies and audit clusters for existing policy violations” and will come with a standard library of commune use case policies such as registry whitelisting or label management, according to the company statement.
The Cloud Native Computing Foundation is a sponsor of The New Stack.
Feature photo is a screen grab if Torin Sandall from the CNCF video.