
Open Policy Agent for the Enterprise: Styra’s Declarative Authorization Service

18 Nov 2020 9:00am, by

Honeycomb sponsored The New Stack’s coverage of Kubecon+CloudNativeCon North America 2020.

Long, long before we were coding policy enforcement into our clouds, we tried to code it into our programs. Most of the answers we created were hard-coded, difficult to maintain, and nigh unto impossible to update. But, in 2016, Open Policy Agent (OPA, pronounced “oh-pa”) for cloud native environments was created, and policy enforcement in code became much more practical. Now, its developers, under their company, Styra, have announced a new three-tier product offering for Styra Declarative Authorization Service (DAS).

Before diving into DAS, though, let’s make sure we’re all on the same page with OPA and policies in general.

OPA is an open source, general-purpose policy engine that unifies policy enforcement across the stack. You write these policies in its high-level declarative language, Rego, which is in turn based on Datalog, a query language derived from Prolog. With Rego, you can specify policy as code and create simple APIs to offload policy decision-making from your software. You can then use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

And, what’s a policy engine you ask? Torin Sandall, Styra Software Engineer and OPA Technical Lead, explained, “policy means different things to different people in different contexts. In the context of software systems, policies are the rules that govern how the system behaves.”

So, for instance: is this user allowed to change the config of that service? Is this VM allowed to accept TCP connections from that VM? Which host should this container be deployed on? And so on. Using Rego policies, the OPA policy engine takes “policy and data as input and produces answers to policy questions as output.”
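To make the “policy and data in, answers out” model concrete, here is an added example of the kind of Kubernetes admission-control policy the article refers to. It is not one of Styra’s built-in policies; it assumes the AdmissionReview shape the Kubernetes API server sends OPA as `input`, and the registry name `registry.example.com` is a placeholder.

```rego
# Added example (not Styra's built-in policy library): a Kubernetes
# admission-control policy in Rego. OPA evaluates it against the
# AdmissionReview object the API server sends as `input` and returns
# the set of `deny` messages as its decision.
package kubernetes.admission

import rego.v1

# Assumption: the organisation's approved image registry (placeholder).
approved_registry := "registry.example.com/"

# Rule 1: Pods may not run privileged containers.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	container.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [container.name])
}

# Rule 2: container images must come from the approved registry.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	not startswith(container.image, approved_registry)
	msg := sprintf("container %q uses image %q from an unapproved registry", [container.name, container.image])
}

# Helper that builds a constructed AdmissionReview fragment for the tests below.
pod_request(image, privileged) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": [{
		"name": "app",
		"image": image,
		"securityContext": {"privileged": privileged}
	}]}}
}}

# Unit tests: run with `opa test policy.rego`.
test_compliant_pod_allowed if {
	count(deny) == 0 with input as pod_request("registry.example.com/app:1.0", false)
}

test_privileged_pod_denied if {
	count(deny) == 1 with input as pod_request("registry.example.com/app:1.0", true)
}

test_unapproved_registry_denied if {
	count(deny) == 1 with input as pod_request("docker.io/library/nginx:latest", false)
}
```

To evaluate the policy against a saved AdmissionReview instead of the embedded tests, run `opa eval -i review.json -d policy.rego "data.kubernetes.admission.deny"`; an empty set means the request is admitted.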

This approach has been very successful. OPA has been used for creating Kubernetes access policies; setting up cloud security policies; Netflix uses OPA to control internal API resources access; Chef uses it to provide Identity and Access Management (IAM) capabilities in its end-user products.

OPA is also a Cloud Native Computing Foundation (CNCF) incubator project. There it averages a rather amazing one million downloads a week.

Of course, just as in the past, you could enforce policies. But, as Mohamed Ahmed, Magalix CEO, observed of Kubernetes, “You can definitely use RBAC and Pod security policies to impose fine-grained control over the cluster. But again, this will only apply to the cluster. Kubernetes RBAC is of no use except in a Kubernetes cluster. That’s where OPA comes into play. OPA was introduced to create a unified method of enforcing security policy in the stack.”

All that’s great, if you want to learn how to use OPA and write in Rego. If you’d rather spend your time working on your project rather than on learning how to automate policies, you need Styra’s DAS.

DAS is available in two new editions, DAS Free and DAS Pro, along with the pre-existing DAS Enterprise. With these, you get a budget-friendly and fast option to deploy OPA at scale for Kubernetes. With any of the trio, you can now deploy DAS in just minutes and have access to more than 100 built-in policies. These new offerings enable a self-service experience and eliminate the need to learn and custom-code OPA policies for Kubernetes admission control.

If you, like me, prefer to see code examples, the policies alone are worth the price of admission.

While it’s not quite turnkey — every company has their own policies — it’s close. DAS provides a single control plane for authorization both within applications and for the infrastructure they run upon. With it, you get easy-to-deploy security, compliance and operational guardrails for both Kubernetes and microservices to help customers mitigate risk, reduce errors and accelerate software development.

Styra’s not the only one singing the praises of its approach. According to the Gartner report, Market Guide for Compliance Automation Tools in DevOps, “As organizations migrate workloads to the cloud or move from virtualized to containerized environments, I&O leaders must evaluate existing tools that protect cloud and container-based infrastructure. These tools enable enforcing infrastructure compliance policies to minimize configuration-related risks. Opportunities exist for the orchestration of policies over distinct agile infrastructure environments. Specifically, the OPA open source initiative has started to emerge as a source for an ecosystem of startups building enterprise capabilities over OPA.”

You can see for yourself what all the fuss is about with the new DAS Free. This is a completely free, self-service option for up to two clusters or 10 nodes to streamline the adoption process. For teams with larger production-scale needs, DAS Pro offers a clear and transparent pricing model, for up to 50 nodes, to protect and manage Kubernetes clusters as they grow from initial testing/deployment to full production environments. Finally, DAS Enterprise gives teams unlimited OPA deployments and rules with around-the-clock support. Regardless of the version, all have access to the same management plane, policy libraries, impact analysis, monitoring, and decision logging.

“These new editions will benefit any number of teams beginning their Kubernetes journey,” said Tim Hinrichs, co-creator of OPA and Styra’s CTO. “It will also help platform engineers new to OPA who want to deploy community best practices immediately without custom coding. Ultimately, this will help lessen the burden for anyone who needs to monitor, validate and test Kubernetes admission control with OPA.”

Featured image via Pixabay.
