OPA, which entered the CNCF Sandbox in March 2018, is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. It provides greater flexibility and expressiveness than hard-coded service logic or ad-hoc domain-specific languages and comes with powerful tooling to help anyone get started.
“Policy-based control is necessary as enterprise adoption of cloud native technology expands,” said Torin Sandall, Software Engineer at Styra and Technical Lead for OPA. “OPA has found an ideal home within CNCF. Other CNCF projects can optionally integrate with a consistent policy expression and enforcement mechanism, and common toolset around it. We are looking forward to continuing this work as we move into the Incubator.”
Every organization has unique policies that affect the entire stack. These policies are vital to long term success because they codify important requirements around cost, performance, security, legal regulation, and more. At the same time, organizations often rely on tribal knowledge and documentation to ensure that policies are enforced correctly. While these approaches are known to be error prone, they exist because systems frequently lack the flexibility and expressiveness required to automate policy enforcement.
With OPA, services offload policy decisions by executing queries, and OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language, Rego, and can be loaded into OPA via the filesystem or well-defined APIs.
“The cloud-native ecosystem must provide flexible solutions to control who can do what across modern, microservice deployments because legacy approaches to policy management do not satisfy the requirements of modern environments,” said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. “OPA has made strides integrating with Kubernetes through the Gatekeeper project that integrates policy management. Moving OPA to the CNCF Incubator will raise awareness and encourage the development of OPA extensions in and outside the cloud native ecosystem.”
OPA has been used to policy-enable software across several different domains across several layers of the stack: container management (Kubernetes), servers (Linux), public cloud infrastructure (Terraform), and microservice APIs (Istio, Linkerd, CloudFoundry).
Starting in January 2019, Styra, Google, Microsoft, and others began jointly developing and contributing the OPA Gatekeeper sub-project. Gatekeeper integrates OPA with Kubernetes to help admins enforce admission control policies and audit clusters for existing policy violations. Gatekeeper also includes a standard library of policies for common use cases (e.g., registry whitelisting, ingress conflicts, label management, etc.).
Netflix uses OPA as a method of enforcing access control in microservices across a variety of languages and frameworks for thousands of instances in their cloud infrastructure. At KubeCon Austin 2017, Netflix described how they architected access control around OPA. OPA is also used in production by companies like Intuit, Medallia, Chef, and others.
“Applying access control in a diverse ecosystem is a challenge at scale. Ensuring that all of our applications spread across many applications and frameworks are applying authorization correctly and consistently would be impossible without the right tools. OPA gives us the power to define policies in a consistent manner, leverage complex data sources in those definitions, apply them everywhere in our environment, and easily test them for correctness.” said Ian Haken, Senior Security Engineer at Netflix.
Main OPA Features:
- Decoupled – administrators can manage policies dynamically without requiring changes to services.
- Compatible – RESTful APIs use JSON over HTTP so you can integrate OPA with your service no matter which programming language you use.
- Responsive – designed from scratch with latency-sensitive applications in mind, enforcing policies with minimal performance impact.
- Interactive – anyone can use OPA’s interactive shell to quickly experiment with queries and data sets.
- Easy to Deploy – has zero deployment dependencies. It runs as a daemon side-by-side with your service and shares its fate for the purposes of high availability.
- Embeddable – services written with Go can use OPA as a library and do not need to run a separate daemon.
- 45 contributors
- 1,847 GitHub stars
- 52 releases
- 1,545 commits
- 151 forks
As a CNCF hosted project, joining incubating technologies like OpenTracing, Fluentd, gRPC, rkt, CNI, Jaeger, Notary, TUF, Vitess, NATS, Linkerd, Helm, Rook, Harbor and etcd, OPA is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach.
Every CNCF project has an associated maturity level: sandbox, incubating, or graduated project. For more information on what qualifies a technology for each level, please visit the CNCF Graduation Criteria v.1.1.
Video: An introductory session from KubeCon + CloudNativeCon North America 2018 where executives from Capital One and Intuit share how their companies are using OPA to enforce fine-grained admission control policies across their Kubernetes clusters.
For more on OPA, please visit https://github.com/open-policy-agent.