SlideShare una empresa de Scribd logo
1 de 52
Descargar para leer sin conexión
Open Policy Agent
Policy-based control for cloud native environments.
● Community
● Overview
○ Features
○ Integrations
○ Roadmap
● Use case deep dive
○ Kubernetes admission control
○ Microservice API authorization
● Q&A
Agenda
OPA: Community
Inception
Project started in 2016 at
Styra.
Goal
Unify policy enforcement
across the stack.
Use Cases
Admission control
Authorization
ACLs
RBAC
IAM
ABAC
Risk management
Data Protection
Data Filtering
Users
Netflix
Chef
Medallia
Cloudflare
State Street
Pinterest
Intuit
Capital One
...and many more.
Today
CNCF project (Sandbox)
36 contributors
400 slack members
1.6K stars
20+ integrations
What Is OPA?
openpolicyagent.org
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
OPA: General-purpose policy engine
openpolicyagent.org
Salary Service V1
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
GET /salary/bob HTTP/1.1
Authorization: alice
OPA: General-purpose policy engine
openpolicyagent.org
Salary Service V1
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
GET /salary/bob HTTP/1.1
Authorization: alice
{
"method": "GET",
"path": ["salary", "bob"],
"user": "alice"
}
true or false
OPA: General-purpose policy engine
openpolicyagent.org
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
"Service" refers to any one of:
● Custom service
● API gateway
● Message broker
● Kubernetes API server
● CI/CD pipeline script
OPA: General-purpose policy engine
openpolicyagent.org
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
Input can be any JSON value:
"alice"
["v1", "users", "bob"]
{"kind": "Pod", "spec": …}
Output can be any JSON value:
true
"request rejected"
{"servers": ["web1", "web2"]}
OPA: General-purpose policy engine
"Service" refers to any one of:
● Custom service
● API gateway
● Message broker
● Kubernetes API server
● CI/CD pipeline script
openpolicyagent.org
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
OPA: Features
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
openpolicyagent.org
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
OPA: Features
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
openpolicyagent.org
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
OPA: Features
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
openpolicyagent.org
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
OPA: Features
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
openpolicyagent.org
OPA: Integrations
Data Filtering
Admission Control “Restrict ingress hostnames for payments team.”
“Ensure container images come from corporate repo.”
API Authorization
“Deny test scripts access to production services.”
“Allow analysts to access APIs serving anonymized data.”
Data Protection
Linux PAM SSH & sudo “Only allow on-call engineers to SSH into production
servers.”
"Trades exceeding $10M must be executed between
9AM and 5PM and require MFA."
"Users can access files for past 6 months related to
the region they licensed."
Roadmap
(2018/11 through 2019/02)
openpolicyagent.org
Major Features
● Extend Wasm coverage
● Improve support for hierarchical permissions
● Solve variable scoping problem
● LDAP built-in function(s)
● Rego playground
openpolicyagent.org
Timeline
November December January February
● Fuzzing
● Frontpage refresh
● Wasm negation
● Wasm composites
● Variable scoping
● LDAP built-in(s)
● Wasm built-in functions
● JS SDK
● Playground
● Hierarchy
● Documentation refresh
● Wasm context
● Wasm with keyword
● Wasm rules
● Wasm comprehensions
● Wasm non-boolean
results
openpolicyagent.org
● As of #990, OPA policies can be compiled into
WebAssembly (Wasm). Wasm provides a
safe, efficient, portable runtime for policy
enforcement on platforms like CDNs, AWS
Lambda, and more.
● Over the next few months, Wasm support will
be extended to cover more of the policy
language and enable daemonless OPA
integrations in a variety of languages. See
#1024 for details.
WebAssembly
openpolicyagent.org
Hierarchical Permissions
● Hierarchical permission models are
common (e.g., parent node permissions
are a superset of child node permissions,
recursively.) Today, OPA does not permit
recursion in policies. This prevents policies
from performing traversal operations that
would check these kinds of permissions.
See #947.
● Plan: evaluate options for supporting
hierarchical permission models in OPA
and implement solution.
Possible Solutions:
1. Add support for limited forms of
recursion.
2. Add support for keyword/operator
like transitive closure.
3. Keep existing constraints but
document & optimize pattern for
fixed-depth solution. E.g., (😱):
tc(tree, key) = {key} | x1 | x2 | x3 {
x1 := {x | x := tree[key][_]}
x2 := {x | x := tree[x1[_]][_]}
x3 := {x | x := tree[x2[_]][_]}
}
openpolicyagent.org
Rego Playground
● Users don't have a good way to easily share snippets of
Rego. Mediums like Slack and Gists are fine for trivial
examples but are lacking in terms of discoverability,
readability, etc.
● Providing an online playground (similar to play.golang.org)
would allow users to easily experiment with and share
snippets of Rego.
● The MVP for the playground will provide users with a way
to write, check, evaluate, and publish snippets of policy so
that they can be shared with others.
package foo
allow {
...
}
allow {
...
}
allow {
...
}
Output
{
"allow": true
}
Rego Playground Share
openpolicyagent.org
LDAP Built-in Functions
● LDAP is a common source of context for policy decisions. Today, we
recommend that integrations embed that context into a token during
authentication. In some cases, this approach does not scale well and/or it
may create undesirable coupling between the auth/n server and the policy.
● Goal: Add built-in functions to Rego that allow policies to execute LDAP
queries during evaluation. See #938.
openpolicyagent.org
Variable Scoping
● Earlier this year OPA added dedicated
operators for assignment and
comparison (:= and ==). While less
powerful than the unification operator (=)
their scoping rules are more obvious to
new users and avoid capturing issues in
large policy files.
● OPA does not currently have a similar
solution for variables that appear as
reference operands.
Goal
Introduce syntax so that authors can make
variables in references shadow globals.
Example (current behaviour)
x = 1
p {
q[x] # refers to global x
}
openpolicyagent.org
Fuzz Testing
● In #948 we discovered a panic in the error handling portion in OPA's parser.
To uncover similar issues and reduce the likelihood of panics in the future, we
are going to apply a fuzzer (go-fuzz) seeded with a corpus of valid Rego
extracted from the OPA codebase.
openpolicyagent.org
Frontpage Refresh
● Over the past year, the OPA end-user community
has grown substantially. We have also seen OPA
integrated with a number of new projects.
● While the current frontpage describes the goals of
the project, it lacks concrete examples of the types
of problems OPA is helping solve today.
● The goal of the frontpage refresh is to give
newcomers a clearer idea of how they can
leverage OPA.
openpolicyagent.org
Documentation Refresh
● As OPA has matured, we have learned about what works in the
documentation (and what doesn't). We plan to rework some of the
documentation to help people ramp up on OPA concepts and mechanics
quicker.
● New Docs:
○ "Examples" section that serves as a policy catalogue for popular projects.
○ "Cheat Sheet" section that captures common policy language idioms. See #268.
○ "Integration" section that explains OPA integration options. See #372.
● Improved Docs:
○ Refactor docs to prefer := and == over =. See #952.
○ Extend Best Practices & FAQ with more information. See #633.
openpolicyagent.org
Help Wanted
● Add authentication based on mutual TLS (#1040)
● Add stack trace support to topdown (#555)
● Integrations:
○ Prometheus integration to monitor for policy violations
■ OPA policies can audit the state of systems (e.g., Kubernetes) to detect problems
■ Query results could be pushed into Prometheus and surfaced with graphs (e.g., # of
security context violations/time.)
○ Spinnaker integration to enforce invariants
■ Similar use case to Kubernetes admission control, Terraform risk management.
■ Integrate with Spinnaker to enforce OPA policies in CD pipelines.
Issues labelled low-hanging-fruit or help-wanted are good candidates for first contribution.
How does OPA work?
openpolicyagent.org
How does OPA work?
Salary Service V1
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
Example policy
"Employees can read their own salary
and the salary of anyone they manage."
openpolicyagent.org
OPA: Declarative Language (Rego)
Example policy
Employees can read their own salary and the
salary of anyone they manage.
openpolicyagent.org
OPA: Declarative Language (Rego)
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "bob"
openpolicyagent.org
OPA: Declarative Language (Rego)
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "bob"
openpolicyagent.org
OPA: Declarative Language (Rego)
allow = true {
input.method = "GET"
input.path = ["salary", "bob"]
input.user = "bob"
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "bob"
openpolicyagent.org
OPA: Declarative Language (Rego)
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
Different user now!
openpolicyagent.org
OPA: Declarative Language (Rego)
allow = true {
input.method = "GET"
input.path = ["salary", "bob"]
input.user = "bob"
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
This statement will "FAIL"
Different user now!
openpolicyagent.org
OPA: Declarative Language (Rego)
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
Context Data
{
"managers": {
"bob": ["alice", "fred"]
"alice": ["fred"]
}
}
openpolicyagent.org
OPA: Declarative Language (Rego)
import data.managers
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = managers[employee_id][_]
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
Context Data
{
"managers": {
"bob": ["alice", "fred"]
"alice": ["fred"]
}
}
openpolicyagent.org
OPA: Declarative Language (Rego)
import data.managers
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["salary", "bob"]
input.user = managers["bob"][_]
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
Context Data
{
"managers": {
"bob": ["alice", "fred"]
"alice": ["fred"]
}
}
openpolicyagent.org
OPA: Declarative Language (Rego)
import data.managers
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["salary", "bob"]
input.user = "alice"
}
Example policy
Employees can read their own salary and the
salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "alice"
Context Data
{
"managers": {
"bob": ["alice", "fred"]
"alice": ["fred"]
}
}
openpolicyagent.org
OPA: Declarative Language (Rego)
import data.managers
allow = true {
input.method = "GET"
input.path = ["salary", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["salary", "bob"]
input.user = "alice"
}
More information at openpolicyagent.org
See How Do I Write Policies?
- Explains language constructs
See Language Reference
- Documents built-in functions: glob,
regex, JWTs, x509, etc.
See Tutorials section
- HTTP APIs, Kubernetes, Docker,
Terraform, Kafka, SSH, etc.
OPA: Use Cases
openpolicyagent.org
Use Cases
OPA
Cloud
Orchestrator
Risk Management
Linux
Container Execution, SSH, sudo
OPA
OPA
OPA
Admission Control
Linux
Microservice APIs
Data Protection &
Data Filtering
OPA
openpolicyagent.org
Use Cases: Kubernetes
apiserver
authorization admission control
scheduler
federation control plane
OPA
OPAOPA
OPA
Current Use Cases
● Federated Workload Placement
● Pod Scheduling
● Authorization
● Admission Control
● Audit
Future Use Cases
● Storage policy (in progress)
● Network policy
controllers
nodes
openpolicyagent.org
Use Cases: Kubernetes: Admission Control
apiserver
admission controllers
quota execwebhook
kubectl apply -f app.yaml
OPA
Example Policies
● Images may only be pulled from internal
registry
● Only scanned images may be deployed in
namespaces A, B, and C
● QA team must sign-off on image before
deployed to production
● Stateful deployments must use ‘recreate’
update strategy
● Developers must not modify selectors or
labels referred to by selectors after
creation
● Containers must have CPU and memory
resource requests and limits set
● Containers cannot run with privileged
security context
● Services in namespace X should have
AWS SSL annotation added
openpolicyagent.org
Use Cases: Kubernetes: Admission Control
kind: Pod
metadata:
labels:
app: nginx
name: nginx-1493591563-bvl8q
namespace: production
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
dnsPolicy: ClusterFirst
nodeName: minikube
restartPolicy: Always
status:
containerStatuses:
- name: nginx
ready: true
hostIP: 192.168.99.100
phase: Running
podIP: 172.17.0.4
# references
spec.containers[0].image
# variables and iteration
container := spec.containers[index]
# expressions
container.securityContext.privileged == true
# functions
is_privileged(container) {
container.securityContext.privileged == true
}
# rules
deny {
review.user == “bob”
review.operation == “CREATE”
review.namespace == “production”
is_privileged(spec.containers[_])
}
openpolicyagent.org
Thank You!
github.com/open-policy-agent/opa
slack.openpolicyagent.org
openpolicyagent.org
Use Cases
OPA
Cloud
Orchestrator
Risk Management
Linux
Container Execution, SSH, sudo
OPA
OPA
OPA
Admission Control
Linux
Microservice APIs
Data Protection &
Data Filtering
OPA
openpolicyagent.org
Use Cases: Microservice APIs
Details Service
Reviews Service
Ratings Service
Landing Page
openpolicyagent.org
Use Cases: Microservice APIs
ratingsreviews
details
landing_page
GET /reviews/{id}
GET /details/{id}
GET /ratings/{id}
openpolicyagent.org
Use Cases: Microservice APIs
ratingsreviews
details
landing_page OPA
GET /reviews/{id}
GET /details/{id}
GET /ratings/{id}
OPA OPA
OPA
openpolicyagent.org
Use Cases: Microservice APIs
details
ratings
Policy Query
POST opa:8181/v1/data/example/allow
{
“input”: {
“path”: [“details”, “bob”],
“method”: “GET”,
“source”: “landing_page”,
“target”: “details”,
“query_params”: {},
“user”: “alice”,
“body”: null
}
}
Policy Decision
200 OK
{
“result”: true
}
OPA
OPA
OPAdetailsdetails
reviews
landing_page OPA
openpolicyagent.org
Use Cases: Microservice APIs
Example Policies
● Service Graph: “Reviews service can
talk to ratings but details cannot.”
● Org Chart: “Managers can view
reviews of team members but peers
cannot.”
● PII: “Only HR can see SSN in
employee details.”
openpolicyagent.org
Thank You!
github.com/open-policy-agent/opa
slack.openpolicyagent.org

Más contenido relacionado

La actualidad más candente

Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseStenio Ferreira
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Argo Workflows 3.0, a detailed look at what’s new from the Argo Team
Argo Workflows 3.0, a detailed look at what’s new from the Argo TeamArgo Workflows 3.0, a detailed look at what’s new from the Argo Team
Argo Workflows 3.0, a detailed look at what’s new from the Argo TeamLibbySchulze
 
Dok Talks #111 - Scheduled Scaling with Dask and Argo Workflows
Dok Talks #111 - Scheduled Scaling with Dask and Argo WorkflowsDok Talks #111 - Scheduled Scaling with Dask and Argo Workflows
Dok Talks #111 - Scheduled Scaling with Dask and Argo WorkflowsDoKC
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 

La actualidad más candente (20)

Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Argo Workflows 3.0, a detailed look at what’s new from the Argo Team
Argo Workflows 3.0, a detailed look at what’s new from the Argo TeamArgo Workflows 3.0, a detailed look at what’s new from the Argo Team
Argo Workflows 3.0, a detailed look at what’s new from the Argo Team
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
Dok Talks #111 - Scheduled Scaling with Dask and Argo Workflows
Dok Talks #111 - Scheduled Scaling with Dask and Argo WorkflowsDok Talks #111 - Scheduled Scaling with Dask and Argo Workflows
Dok Talks #111 - Scheduled Scaling with Dask and Argo Workflows
 
Vault
VaultVault
Vault
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 

Similar a Open Policy Agent

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data LakeAshutosh Narkar
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsNebulaworks
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Andrejs Prokopjevs
 
Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Nelson Calero
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldAshutosh Narkar
 
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...NETWAYS
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsTorin Sandall
 
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingAlan Sill
 
Xtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceXtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceMichael Oryszak
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restoregemziebeth
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1aspyker
 
Accelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoftAccelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoftNeerajKumar1965
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerSmartBear
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshSion Smith
 
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...Data Con LA
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
 
Benchmarking sahara based big data as a service solutions
Benchmarking sahara based big data as a service solutionsBenchmarking sahara based big data as a service solutions
Benchmarking sahara based big data as a service solutionsZhidong Yu
 

Similar a Open Policy Agent (20)

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
 
Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
 
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker Environments
 
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
 
Xtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceXtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conference
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1
 
Orchestration, Automation and Virtualisation (OAV) in GÉANT
Orchestration, Automation and Virtualisation (OAV) in GÉANTOrchestration, Automation and Virtualisation (OAV) in GÉANT
Orchestration, Automation and Virtualisation (OAV) in GÉANT
 
Accelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoftAccelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoft
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of Swagger
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data Mesh
 
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
 
Benchmarking sahara based big data as a service solutions
Benchmarking sahara based big data as a service solutionsBenchmarking sahara based big data as a service solutions
Benchmarking sahara based big data as a service solutions
 

Último

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 

Último (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 

Open Policy Agent

  • 1. Open Policy Agent Policy-based control for cloud native environments.
  • 2. ● Community ● Overview ○ Features ○ Integrations ○ Roadmap ● Use case deep dive ○ Kubernetes admission control ○ Microservice API authorization ● Q&A Agenda
  • 3. OPA: Community Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Chef Medallia Cloudflare State Street Pinterest Intuit Capital One ...and many more. Today CNCF project (Sandbox) 36 contributors 400 slack members 1.6K stars 20+ integrations
  • 6. openpolicyagent.org Salary Service V1 OPA Policy (Rego) Data (JSON) Request DecisionQuery GET /salary/bob HTTP/1.1 Authorization: alice OPA: General-purpose policy engine
  • 7. openpolicyagent.org Salary Service V1 OPA Policy (Rego) Data (JSON) Request DecisionQuery GET /salary/bob HTTP/1.1 Authorization: alice { "method": "GET", "path": ["salary", "bob"], "user": "alice" } true or false OPA: General-purpose policy engine
  • 8. openpolicyagent.org Service OPA Policy (Rego) Data (JSON) Request DecisionQuery "Service" refers to any one of: ● Custom service ● API gateway ● Message broker ● Kubernetes API server ● CI/CD pipeline script OPA: General-purpose policy engine
  • 9. openpolicyagent.org Service OPA Policy (Rego) Data (JSON) Request DecisionQuery Input can be any JSON value: "alice" ["v1", "users", "bob"] {"kind": "Pod", "spec": …} Output can be any JSON value: true "request rejected" {"servers": ["web1", "web2"]} OPA: General-purpose policy engine "Service" refers to any one of: ● Custom service ● API gateway ● Message broker ● Kubernetes API server ● CI/CD pipeline script
  • 10. openpolicyagent.org ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
  • 11. openpolicyagent.org ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
  • 12. openpolicyagent.org ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
  • 13. openpolicyagent.org ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc. OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
  • 14. openpolicyagent.org OPA: Integrations Data Filtering Admission Control “Restrict ingress hostnames for payments team.” “Ensure container images come from corporate repo.” API Authorization “Deny test scripts access to production services.” “Allow analysts to access APIs serving anonymized data.” Data Protection Linux PAM SSH & sudo “Only allow on-call engineers to SSH into production servers.” "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA." "Users can access files for past 6 months related to the region they licensed."
  • 16. openpolicyagent.org Major Features ● Extend Wasm coverage ● Improve support for hierarchical permissions ● Solve variable scoping problem ● LDAP built-in function(s) ● Rego playground
  • 17. openpolicyagent.org Timeline November December January February ● Fuzzing ● Frontpage refresh ● Wasm negation ● Wasm composites ● Variable scoping ● LDAP built-in(s) ● Wasm built-in functions ● JS SDK ● Playground ● Hierarchy ● Documentation refresh ● Wasm context ● Wasm with keyword ● Wasm rules ● Wasm comprehensions ● Wasm non-boolean results
  • 18. openpolicyagent.org ● As of #990, OPA policies can be compiled into WebAssembly (Wasm). Wasm provides a safe, efficient, portable runtime for policy enforcement on platforms like CDNs, AWS Lambda, and more. ● Over the next few months, Wasm support will be extended to cover more of the policy language and enable daemonless OPA integrations in a variety of languages. See #1024 for details. WebAssembly
  • 19. openpolicyagent.org Hierarchical Permissions ● Hierarchical permission models are common (e.g., parent node permissions are a superset of child node permissions, recursively.) Today, OPA does not permit recursion in policies. This prevents policies from performing traversal operations that would check these kinds of permissions. See #947. ● Plan: evaluate options for supporting hierarchical permission models in OPA and implement solution. Possible Solutions: 1. Add support for limited forms of recursion. 2. Add support for keyword/operator like transitive closure. 3. Keep existing constraints but document & optimize pattern for fixed-depth solution. E.g., (😱): tc(tree, key) = {key} | x1 | x2 | x3 { x1 := {x | x := tree[key][_]} x2 := {x | x := tree[x1[_]][_]} x3 := {x | x := tree[x2[_]][_]} }
  • 20. openpolicyagent.org Rego Playground ● Users don't have a good way to easily share snippets of Rego. Mediums like Slack and Gists are fine for trivial examples but are lacking in terms of discoverability, readability, etc. ● Providing an online playground (similar to play.golang.org) would allow users to easily experiment with and share snippets of Rego. ● The MVP for the playground will provide users with a way to write, check, evaluate, and publish snippets of policy so that they can be shared with others. package foo allow { ... } allow { ... } allow { ... } Output { "allow": true } Rego Playground Share
  • 21. openpolicyagent.org LDAP Built-in Functions ● LDAP is a common source of context for policy decisions. Today, we recommend that integrations embed that context into a token during authentication. In some cases, this approach does not scale well and/or it may create undesirable coupling between the auth/n server and the policy. ● Goal: Add built-in functions to Rego that allow policies to execute LDAP queries during evaluation. See #938.
  • 22. openpolicyagent.org Variable Scoping ● Earlier this year OPA added dedicated operators for assignment and comparison (:= and ==). While less powerful than the unification operator (=) their scoping rules are more obvious to new users and avoid capturing issues in large policy files. ● OPA does not currently have a similar solution for variables that appear as reference operands. Goal Introduce syntax so that authors can make variables in references shadow globals. Example (current behaviour) x = 1 p { q[x] # refers to global x }
  • 23. openpolicyagent.org Fuzz Testing ● In #948 we discovered a panic in the error handling portion in OPA's parser. To uncover similar issues and reduce the likelihood of panics in the future, we are going to apply a fuzzer (go-fuzz) seeded with a corpus of valid Rego extracted from the OPA codebase.
  • 24. openpolicyagent.org Frontpage Refresh ● Over the past year, the OPA end-user community has grown substantially. We have also seen OPA integrated with a number of new projects. ● While the current frontpage describes the goals of the project, it lacks concrete examples of the types of problems OPA is helping solve today. ● The goal of the frontpage refresh is to give newcomers a clearer idea of how they can leverage OPA.
  • 25. openpolicyagent.org Documentation Refresh ● As OPA has matured, we have learned about what works in the documentation (and what doesn't). We plan to rework some of the documentation to help people ramp up on OPA concepts and mechanics quicker. ● New Docs: ○ "Examples" section that serves as a policy catalogue for popular projects. ○ "Cheat Sheet" section that captures common policy language idioms. See #268. ○ "Integration" section that explains OPA integration options. See #372. ● Improved Docs: ○ Refactor docs to prefer := and == over =. See #952. ○ Extend Best Practices & FAQ with more information. See #633.
  • 26. openpolicyagent.org Help Wanted ● Add authentication based on mutual TLS (#1040) ● Add stack trace support to topdown (#555) ● Integrations: ○ Prometheus integration to monitor for policy violations ■ OPA policies can audit the state of systems (e.g., Kubernetes) to detect problems ■ Query results could be pushed into Prometheus and surfaced with graphs (e.g., # of security context violations/time.) ○ Spinnaker integration to enforce invariants ■ Similar use case to Kubernetes admission control, Terraform risk management. ■ Integrate with Spinnaker to enforce OPA policies in CD pipelines. Issues labelled low-hanging-fruit or help-wanted are good candidates for first contribution.
  • 27. How does OPA work?
  • 28. openpolicyagent.org How does OPA work? Salary Service V1 OPA Policy (Rego) Data (JSON) Request DecisionQuery Example policy "Employees can read their own salary and the salary of anyone they manage."
  • 29. openpolicyagent.org OPA: Declarative Language (Rego) Example policy Employees can read their own salary and the salary of anyone they manage.
  • 30. openpolicyagent.org OPA: Declarative Language (Rego) Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"
  • 31. openpolicyagent.org OPA: Declarative Language (Rego) allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"
  • 32. openpolicyagent.org OPA: Declarative Language (Rego) allow = true { input.method = "GET" input.path = ["salary", "bob"] input.user = "bob" } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"
  • 33. openpolicyagent.org OPA: Declarative Language (Rego) allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" Different user now!
  • 34. openpolicyagent.org OPA: Declarative Language (Rego) allow = true { input.method = "GET" input.path = ["salary", "bob"] input.user = "bob" } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" This statement will "FAIL" Different user now!
  • 35. openpolicyagent.org OPA: Declarative Language (Rego) allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" Context Data { "managers": { "bob": ["alice", "fred"] "alice": ["fred"] } }
  • 36. openpolicyagent.org OPA: Declarative Language (Rego) import data.managers allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = managers[employee_id][_] } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" Context Data { "managers": { "bob": ["alice", "fred"] "alice": ["fred"] } }
  • 37. openpolicyagent.org OPA: Declarative Language (Rego) import data.managers allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["salary", "bob"] input.user = managers["bob"][_] } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" Context Data { "managers": { "bob": ["alice", "fred"] "alice": ["fred"] } }
  • 38. openpolicyagent.org OPA: Declarative Language (Rego) import data.managers allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["salary", "bob"] input.user = "alice" } Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "alice" Context Data { "managers": { "bob": ["alice", "fred"] "alice": ["fred"] } }
  • 39. openpolicyagent.org OPA: Declarative Language (Rego) import data.managers allow = true { input.method = "GET" input.path = ["salary", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["salary", "bob"] input.user = "alice" } More information at openpolicyagent.org See How Do I Write Policies? - Explains language constructs See Language Reference - Documents built-in functions: glob, regex, JWTs, x509, etc. See Tutorials section - HTTP APIs, Kubernetes, Docker, Terraform, Kafka, SSH, etc.
  • 41. openpolicyagent.org Use Cases OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA OPA OPA Admission Control Linux Microservice APIs Data Protection & Data Filtering OPA
  • 42. openpolicyagent.org Use Cases: Kubernetes apiserver authorization admission control scheduler federation control plane OPA OPAOPA OPA Current Use Cases ● Federated Workload Placement ● Pod Scheduling ● Authorization ● Admission Control ● Audit Future Use Cases ● Storage policy (in progress) ● Network policy controllers nodes
  • 43. openpolicyagent.org Use Cases: Kubernetes: Admission Control apiserver admission controllers quota execwebhook kubectl apply -f app.yaml OPA Example Policies ● Images may only be pulled from internal registry ● Only scanned images may be deployed in namespaces A, B, and C ● QA team must sign-off on image before deployed to production ● Stateful deployments must use ‘recreate’ update strategy ● Developers must not modify selectors or labels referred to by selectors after creation ● Containers must have CPU and memory resource requests and limits set ● Containers cannot run with privileged security context ● Services in namespace X should have AWS SSL annotation added
  • 44. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4 # references spec.containers[0].image # variables and iteration container := spec.containers[index] # expressions container.securityContext.privileged == true # functions is_privileged(container) { container.securityContext.privileged == true } # rules deny { review.user == “bob” review.operation == “CREATE” review.namespace == “production” is_privileged(spec.containers[_]) }
  • 46. openpolicyagent.org Use Cases OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA OPA OPA Admission Control Linux Microservice APIs Data Protection & Data Filtering OPA
  • 47. openpolicyagent.org Use Cases: Microservice APIs Details Service Reviews Service Ratings Service Landing Page
  • 48. openpolicyagent.org Use Cases: Microservice APIs ratingsreviews details landing_page GET /reviews/{id} GET /details/{id} GET /ratings/{id}
  • 49. openpolicyagent.org Use Cases: Microservice APIs ratingsreviews details landing_page OPA GET /reviews/{id} GET /details/{id} GET /ratings/{id} OPA OPA OPA
  • 50. openpolicyagent.org Use Cases: Microservice APIs details ratings Policy Query POST opa:8181/v1/data/example/allow { “input”: { “path”: [“details”, “bob”], “method”: “GET”, “source”: “landing_page”, “target”: “details”, “query_params”: {}, “user”: “alice”, “body”: null } } Policy Decision 200 OK { “result”: true } OPA OPA OPAdetailsdetails reviews landing_page OPA
  • 51. openpolicyagent.org Use Cases: Microservice APIs Example Policies ● Service Graph: “Reviews service can talk to ratings but details cannot.” ● Org Chart: “Managers can view reviews of team members but peers cannot.” ● PII: “Only HR can see SSN in employee details.”