The Open Policy Agent Journey from Sandbox to Graduation

12 Feb 2021 8:00am, by Tim Hinrichs and Torin Sandall

Tim Hinrichs
Tim Hinrichs is a co-founder of the Open Policy Agent project and CTO of Styra. Before that, he co-founded the OpenStack Congress project and was a software engineer at VMware. Tim spent the last 18 years developing declarative languages for different domains such as cloud computing, software-defined networking, configuration management, web security, and access-control. He received his Ph.D. in Computer Science from Stanford University in 2008.

As anyone who has built or introduced a new project or product knows, success doesn’t happen overnight. It takes time and patience. When we first started the Open Policy Agent (OPA) project in 2016, we didn’t just spend all of our time on code — a lot of it was spent building awareness around the project and the community. As OPA started gaining traction, we were encouraged every time we’d hear a developer talk about OPA at a conference or mention it in a blog post.

Today, we’re humbled by OPA’s growth and even more amazed by its trajectory. We still remember our first hundred downloads and our first few Slack users, and today OPA is a household name among platform engineers and application developers.

OPA is the industry-standard open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire cloud native stack.

OPA was accepted into the Cloud Native Computing Foundation’s (CNCF) sandbox in March 2018, and has grown quite a bit in the ensuing years. Like any precocious toddler, it thrived in the sandbox. It quickly matured, moving into incubating status in 2019, and then reached graduated status at the beginning of 2021.

This is a big deal, not simply because it represents the success of the project, but because it represents the success of a large, deeply invested community. None of this would have happened if the community hadn’t rallied around the need for a new kind of authorization — and helped develop the solution.

Tangled Silos

Torin Sandall
Torin is a co-founder of the Open Policy Agent (OPA) project. Torin has spent over 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin was a Senior Software Engineer at Cyan (acquired by Ciena) where he designed and developed core components of their SDN/NFV platform.

Prior to developing OPA, we watched the application space become containerized and realized there was no unified way to solve authorization for the new and evolving requirements that came with it. What may have worked for authorization before no longer worked in a diverse cloud native environment.

While the challenge was clear, we knew that creating a unified solution wouldn’t be easy. Every piece of software was wildly different and every piece solved policy problems in different ways. We heard over and over that this heterogeneous policy environment caused epic headaches for the community. Every time someone needed to update a policy or audit the existing policies, they had to utilize a laundry list of different APIs, GUIs and authorization models. This was a management nightmare, a black hole of time and resources, and rife with potential for user error.

The Open Road

While we invented a solution designed for the cloud native world (OPA for distributed decision-making and Styra’s DAS for a unified OPA control plane), the community shaped and molded that solution with adoption, integration, feedback and improvements. The choice to donate the project to CNCF was clear: For OPA to really work, it required a depth and breadth of expertise that one person or one team couldn’t possibly cover, plus the language needed to grow organically by solving real-world problems. Open sourcing it was absolutely critical to making it work.

Of course, open sourcing is only valuable if the community steps up. And in the case of OPA, they did. The community built dozens of integrations, which gave OPA vastly expanded and nuanced capabilities. Plus, the open source model invited adoption from those who might otherwise not have been interested. We know from being involved in this community that people value the ability to exert control over the software they’re adopting. They need to be able to get their hands on it and build confidence in it.

We believe that open source projects are going to be the preferred — if not the default — model for much infrastructure software going forward. Decisions are being made by the people using that software — developers, platform engineers, security engineers — and those people want to be able to tweak and customize solutions, rather than be given a one-size-fits-all solution.

Pomp and Circumstance

Graduation reflects OPA’s current maturity, but that doesn’t mean the work is done. We’re still committed to supporting our growing community of users, and we hope OPA will become the de facto standard for authorization in the cloud native environment.

OPA is well on its way and part of getting there is encouraging its users to share their use cases and spread the word. The solution is there, and it’s constantly being used to solve real-world problems. Now we need to expand the community and show more people how they can leverage OPA. It’s about good communication as much as it is about good code.

Since 2016, we’ve been proactive about reaching out to potential users, but we’re increasingly finding that they’re coming to us. That’s the mark of a useful solution — and a phenomenal, vocal community.

The Cloud Native Computing Foundation (CNCF) is a sponsor of The New Stack.
