apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra

Copyright ©2021 Styra, Inc. | All Rights Reserved
Creators of Open Policy Agent
Simplify Open Policy Agent
with Styra DAS
Tim Hinrichs
CTO, co-founder Styra
co-creator OPA
@tlhinrichs

Adoption of the Cloud-native Software Stack is Skyrocketing
Linux
Tekton
Github Actions
CICD
Container Management
Microservices / Apps
Databases
Public Cloud
Servers
Platform
App
CICD Pipeline
1 2 3 4
Gateway
Frontend
Backend
DB
App
2

Authorization Happens Everywhere in the Cloud-native Stack
Linux
Tekton
Github Actions
CICD
Databases
Public Cloud
Servers
Platform
App
CICD Pipeline
1 2 3 4
Gateway
Frontend
Backend
DB
App
3
Can user Alice withdraw money from account 123?
Can service 456 request invoices from service 789 on
behalf of alice?
Can user Alice query the finance database?
Which rows and fields can service 456 request on
behalf of alice?
Does this application configuration meet company
standards?
Can the payments service be deployed to this
cluster?
Can pods in namespace payments run as
privileged?
Can this cluster send outbound requests to IP
13.6.0.1?
Are S3 buckets in account 1234 allowed to be
public?
Can EBS volumes for the payments app be
unencrypted?
Who can SSH to production servers?

Two Classes of Authorization: Application and Platform
Linux
Tekton
Github Actions
CICD
Databases
Public Cloud
Servers
Platform
App
CICD Pipeline
1 2 3 4
Gateway
Frontend
Backend
DB
App
4
Application Authorization
Platform Authorization

Open Policy Agent: Unified Authorization, Proven in Production
Linux
Tekton
Github Actions
Platform
App
CICD Pipeline
1 2 3 4
Gateway
Frontend
Backend
DB
App
OPA OPA
OPA
OPA
OPA
OPA
5

Styra DAS: Operationalize OPA for the Enterprise
Linux
Tekton
Github Actions
OPA OPA
OPA
OPA
OPA
OPA
World’s first management plane
for Open Policy Agent
Vertically-integrated policy
lifecycle management
Enterprise-grade governance
Declarative
Authorization
Service
6

Open Policy Agent Community
Open Policy Agent (OPA)
Cloud-native policy engine
Contributors: 30+
companies, 150+ devs
Founded by Styra (2016) / Sandbox (2018) / Incubating (2019) / Graduated (2021)
GitHub Stars
5000
Downloads
80M
Slack Users
4000
Sessions at KubeCon US 2019
● Yelp - How Yelp moved security from the app to the
mesh
● Google - Enforcing service mesh structure using OPA
● Goldman Sachs - K8s policy enforcement using OPA at
Goldman Sachs
● Snyk - Applying policy throughout the app lifecycle with
OPA
● Reddit - Kubernetes at Reddit: Tales from Production
● Adobe - What Makes A Good Multi Tenant Kubernetes
Solution
● Giant Swarm - Using OPA for complex CRD Validation
and Defaulting
OPA Summit at KubeCon US 2019
● Capital One - Open Policy Agent for Policy-enabled
Kubernetes and CICD
● Chef - Open Policy Agent in Practice: From Angular to
OPA in Chef Automate
● Pinterest - Open Policy Agent at Scale: How Pinterest
Manages Policy Distribution
● Tripadvisor - Building a Testing Framework for
Integrating Open Policy Agent into Kubernetes
● Atlassian - Deploying Open Policy Agent at Atlassian
Sessions at Virtual KubeCon EU 2020
● AquaSecurity: Handling Container Vulnerabilities with
Open Policy Agent
● ABN AMRO: How ABN AMRO Switched Cloud
Providers Without Anyone Noticing
● Medudoc: Securing Your Healthcare Data with OPA
Other events or public confirmation of using OPA: Bank of New
York Mellon, AWS, Synemedia, Pure Storage, VMware, Netflix,
Daimler, T-Mobile, Salesforce
Vendor-neutral open-source Growing Community Active End-users

OPA’s flexibility and DAS for Management
Sidecar /
Daemon
Service
OP
A
Server
Library
(Go or
WASM)
Service
OP
A
Server
Centralized
Service
CLI
Server
Service
$ opa eval
Service
Server
OP
A
OP
A
OP
A
Architectural
Flexibility
Team A’s policies Team B’s policies Common library
Policy
Composition
Flexibility
Management
Flexibility
Declarative
Authorization
Service

DAS: Policy Management for Individual Users and Teams
9
Enterprise
governance
Policy changes: roll out new policies
slowly and help teams prepare
Multi-team dependencies: policies are
stored in each team’s home repo but are
deployed as a unit
Author
Rego
Schemas
Modularize
Test
Assemble
Test
Impact
Deploy
Policy
Data
Dependency
Monitor
Health
Decisions
OPA
Integrate
Configure
Harden
Policy
lifecycle
management
Policy overrides: enforce global policies but
empower teams to add their own
Visibility: let security, compliance, operations know
which policies are enforced in which systems at a
glance so they can review & troubleshoot
Audit: Prove to auditors that the
policies you have are making the
decisions they should.
Sustainability: Ensure your OPA
deployment adapts to new teams &
software and outlives its creators’
tenure
CICD team
K8s team
LOB Team
Cloud team
Security
Compliance
Declarative
Authorization
Service

Native DAS Support for Leading OPA Use Cases
DESIRED
STATE
k8s API
Server
Pod
Network
Policy
Volumes
OPA
Protect k8s compute,
network, storage, app
configuration
OPA
Protect public cloud
configuration
Service A Service B
OPA OPA
Protect inbound and
outbound
microservice APIs
Custom
Service
OPA
Protect your custom
resources and API
calls

Open Policy Agent
openpolicyagent.org
@openpolicyagent
Styra
styra.com
@styrainc
Tim Hinrichs
CTO, co-founder Styra
co-creator OPA
@tlhinrichs

Popular OPA/DAS Use Cases

Kubernetes Challenges
OPERATIONS SECURITY COMPLIANCE
CICD well implemented, policy
defined, protected against
mistakes
Prove what has been
blocked/allowed over time. Easy
reporting, extremely detailed
historical checks
Wrong app accepting web
traffic, improper egress,
improper permissions….
Not including liveness probes on
pods
Failing to specify encrypted
storage
Duplicating paths/names so traffic
goes to the wrong service
Running containers
as privileged
Setting up network connections to
non-approved IPs / Internet
Runaway resource usage because no
limits were specified
Failing to include proper labels
required for traffic control
Running Images from
Unauthorized Registries

Styra DAS: Push-button Authorization Controls for K8s
15
DESIRED
STATE
API
Server
RUNTIME STATE
DESIRED
STATE
API
Server
RUNTIME STATE
...
Open Policy Agent
● makes decisions locally and logs centrally
● flexible policy language
● vendor-neutral open-source (CNCF)
Declarative
Authorization
Service
OPA
OPA
Styra DAS
● OPA control plane
● 100+ Pre-built policies
● PCI, MITRE, PSP, CIS packs
● install in under 5 minutes
● multi-cluster policy authoring
● impact analysis
Support
all k8s
flavors

Terraform Challenges
OPERATIONS SECURITY COMPLIANCE
CICD well implemented, policy
defined, protected against
mistakes
Prove what has been
blocked/allowed over time. Easy
reporting, extremely detailed
historical checks
Wrong app accepting web
traffic, improper egress,
improper permissions….
Failing to specify encrypted
storage
Duplicating paths/names so traffic
goes to the wrong service
Setting up network connections to
non-approved IPs / Internet
Runaway resource usage because no
limits were specified
Failing to include proper labels for
chargeback
Running unauthorized VM
images

Styra DAS: Authorization Controls for Terraform
17
Open Policy Agent
● provides flexible policy language
Declarative
Authorization
Service
OPA
Styra DAS
● policy assembly from multiple
sources of truth
● distribution of policy to OPA
● audit log of decisions
● dry-runs policy changes
Desired
State
Planned
Changes
terraform plan terraform apply

Microservice Authorization Challenges
Can Alice see the list of
outgoing payments?
18
Service A
Service B
Service C
Can service A ask for Alice’s
profile on behalf of Alice?
Can service A ask for Hooli’s outgoing
payments on behalf of Alice?
On every API call, every microservice makes an authorization decision
Authz Implementation Challenges
● Different languages across
services.
● Centralized service is too slow
for microservices
● New services/teams should
snap into framework
● Security/compliance should be
able to audit policies
● Journey from coarse-grained
permissions to fine-grained and
from gateway enforcement to
microservice enforcement

Styra DAS: Authorization Sidecar Plus Control Plane
19
Service A
Service B
Service C
Open Policy Agent
● flexible policy language
Declarative
Authorization
Service
OPA
OPA
OPA
Styra DAS
● OPA control plane
● distributes policies
● monitors OPAs
● team-based policy authoring
● impact analysis

FAQ

What does Policy-as-code mean and what does OPA provide?
21
Communicate
Policies written in file
format that people AND a
policy engine understand.
● Precise
● Dry-runnable
● Portable
Enforce
Policy engine integrated
into software and uses
policies to make
authorization decisions
● Fast
● Comprehensive
● Correct
Audit
Policy engine records all
decisions and can be
analyzed like any data
● Always-on
● Comprehensive
● Deep
Govern
Policy files have a lifecycle
(approval, test, build,
deploy) for governance.
● Manual &
Automated
● Granular
Policy-as-Code Approach to Authorization
21
OPA
Provides
.rego
Policy file
+
Policy engine
OPA
Policy tools
+

How does OPA work?
Service
OP
A
Policy
(Rego)
Data
(JSON)
Request
Policy
Decision
Policy
Query
Input can be ANY JSON value Output can be ANY JSON value
OPA makes decisions.
Service enforces decisions.
Linux
22

What does an OPA policy for Kubernetes look like?
package kubernetes.admission
deny[msg] {
input.request.kind.kind == "Pod"
some i
image := input.request.object.spec.containers[i].image
not startswith(image, "hooli.com/")
msg := sprintf("image comes from bad registry: %v", [image])
}
apiVersion: admission.k8s.io/v1beta1
kind: AdmissionReview
request:
kind:
group: ''
kind: Pod
version: v1
namespace: opa
object:
metadata:
labels:
app: nginx
name: nginx
namespace: opa
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
operation: CREATE
JSON/YAML from Kubernetes
OPA Policy: All images come from a trusted registry
OPA Playground

What does an OPA policy for Envoy look like?
package envoy.authz
# everyone can GET /
allow {
input.attributes.request.http.method == "GET"
input.parsed_path = ["/"]
}
# updates to /v1/admin/{id} dependent on source IP
allow {
input.attributes.request.http.method == "PUT"
input.parsed_path = ["v1", "admin", id]
user_is_admin
src := input.attributes.source.address.Address.SocketAddress.address
net.cidr_contains("172.28.0.0/16", src)
}
user_is_admin { ... }
parsed_path: [“api”, “v1”, “products”]
attributes:
source:
address:
Address:
SocketAddress:
address: "172.17.0.10"
PortSpecifier:
PortValue: 36472
destination:
address:
Address:
SocketAddress:
address: "172.17.0.17"
PortSpecifier:
PortValue: 9080
request:
http:
id: 13359530607844510314
method: GET
headers: ...
path: "/api/v1/products"
host: "192.168.99.100:31380"
protocol: "HTTP/1.1"
JSON/YAML from Envoy
OPA Policy: Allow all GET and some PUT
OPA Playground

Thanks!

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra

Similar to apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra

Editor's Notes