2. Anders Eknert
â Developer advocate at Styra
â Software development
â Background in identity systems
â Two years into OPA
â Cooking and food
â Football
@anderseknert
anderseknert
10. â Open source general purpose policy engine
â Unified toolset and framework for policy across the stack
â Decouples policy from application logic
â Separates policy decision from enforcement
â Policies written in declarative language Rego
â Popular use cases ranging from kubernetes admission
control, microservice authorization, infrastructure, data source
filtering, to CI/CD pipeline policies and many more.
11. Vibrant community
â 160 contributors
â 50+ integrations
â 4500+ Github Stars
â 3600+ Slack users
â 30+ million Docker image pulls
â Ecosystem including Conftest,
Gatekeeper, VS Code and IntelliJ editor
plugins.
17. â OPA runs as a lightweight self-contained server binary.
â OPA ideally deployed as close to service as possible. This
usually means on the same host, as a daemon or in a sidecar container.
â Applications communicate with the OPA server through its REST API.
â Go library available for Go applications.
â Envoy/Istio based applications. WASM.
Deployment
18. Policy authoring and Rego
â Declarative high-level policy language used by OPA.
â Policy consists of any number of rules.
â Rules commonly return true/false but may return any
type available in JSON, like strings, lists and objects.
â 140+ built-in functions: JWTs, date/time, CIDR math ,etc.
â Policy testing is easy with provided unit test framework.
â Well documented! https://www.openpolicyagent.org/docs/latest/
â Try it out! https://play.openpolicyagent.org/
19. Policy data
â JSON Web Tokens
â As part of query input
â Push data
â Bundle API
â http.send function from inside policy
22. The Kubernetes API
Authentication
kubectl apply -f app.yaml
Authorization
Mutating admission
controller etcd
Validating admission
controller
Before a resource is persisted in etcd must first pass a series of modules
28. Validating admission controller
â By far the most popular module to extend
â Allows building policy-based guardrails around clusters
â Common policies enforce:
â Use of internal Docker registry and other image constraints
â Required labels on resources - team belonging, cost centre, etc
â Ingress host/path uniqueness
â HTTPS for services
â Deny attributes like hostPath volume mounts
â Limits on resource allocation
â Pod Security Policies
â ...anything really
30. Management APIs
Service
OP
A
Policy
(Rego)
Data
(JSON)
Request
Policy
Decision
Policy
Query
Decision
logs
Managing OPA at scale
â Bundle API - distribute policy and data from a central location
â Decision log API - allow OPA instances to report back on any
decisions made. This may be used for auditing as well as
for refinement of policies.
â Status API - allows OPA to send status and health updates to the
management server.
â Discovery API - provides OPA instances the option to periodically
fetch configuration.
31. Getting started
â Start small â write a few simple policies and tests.
â Browse the OPA documentation. Get a feel for the basics and the built-ins.
â Consider possible applications near to you - previous apps and libraries youâve worked with.
Consider the informal policies it dealt with.
â Delegate policy responsibilities to OPA. Again, start small! Perhaps a single endpoint to begin
somewhere. Deploy and build experience.
â Scale up - consider management, logging, bundle server, etc.
â Styra Academy - https://academy.styra.com
â Styra DAS - http://www.styra.com/das-free
â Join the OPA Slack community! - https://openpolicyagent.slack.com