Open Policy Agent
API and Use Case Survey
openpolicyagent.org
Goals and Non-goals
[Diagram: a Policy Management Fabric (out of scope for OPA) distributing policy to many OPA instances]
OPA’s Goal: policy-enable other projects and services, regardless of domain
● Run at the edge to make policy decisions for host-local consumers
● Zero runtime dependencies
● Easy integrations
OPA is an open source, general-purpose policy engine
● Declarative Language (Rego)
○ Is X allowed to call operation Y on resource Z?
○ Which users can SSH into production hosts?
○ What clusters should workload X be deployed to?
○ What annotations must be set on object X?
● Library/Daemon (Go)
○ In-memory storage of data and policies
○ Zero runtime dependencies
○ Evaluation engine: parser, compiler, interpreter
○ Tooling: REPL, test framework, tracing
● Standard Library & Integrations
○ Authorization, admission control, auditing, etc.
○ Kubernetes, Istio, AWS, Terraform, Docker, and more.
[Diagram: OPA holds Data and Logic. A service-specific management sidecar pushes updates in through the Management API; the service requests decisions through the Enforcement API.]
Management API: Management pushes updates
Enforcement API: Service requests decision
Enforcement + Management API (REST)
(Tim’s proposal for v2--a small change from v1.)
Management API
List all policies                 GET /v2/policies
Insert, modify, delete policies   GET/PUT/DELETE /v2/policies/<path>
List all data                     GET /v2/data
Insert, modify, delete raw data   GET/PUT/PATCH/DELETE /v2/data/<path>
Enforcement API
Get policy decision               GET/POST /v2/decisions/<path>
Query parameters: ?metrics include metrics (ex: latency); ?watch stream updates; ?explain explain why result is true
History
2016: Inception
Requirements
● Decisions about JSON
● Decisions are JSON
● Ease of integration
● Host-local agent
Execution
● New language: Rego
● HTTP API over localhost
● Go binary
2017: Application
Requirements
● Solve real problems
● Build community
● Learn requirements
● Hill-climb implementation
Execution
● Domains: Cloud, Server, Container, Microservices
● Customers, KubeCon, CNCF, Meetups, ...
2018: Hardening
Requirements
● Ease of use
● Performance
● Solve real problems
● Build community
Execution
● v2 of Language/API/Engine
● Leverage Google’s CEL
● Policy Library
● CNCF, Conferences, Users
Today
Use Cases
[Diagram: an OPA instance embedded next to each consumer]
● Cloud Orchestrator: Placement & Admission Control
● Risk Management: Hashicorp Terraform
● Linux: Container Execution, SSH, sudo
● Microservice APIs: Istio, Linkerd
● Data protection
Dimensions for Use Case Comparison
● Policy
○ What kind of policy?
○ What kind of expressiveness? Iteration, etc.
● Data/context
○ OPA treats data separate from policy
○ What data does the policy depend on?
○ How does OPA know about that data?
● Decisions
○ Are decisions booleans/strings/numbers/arrays/maps?
● Integration
○ How was the enforcement integration done?
● Policy management
○ How were policies/data pushed into OPA?
● Performance
○ How many queries per second are required?
● Mode
○ Proactive (prevent violations), reactive (fix violations), audit (identify violations)
Use Cases: Kubernetes
[Diagram: OPA attached to the apiserver (authorization, admission control), the scheduler, the federation control plane, controllers and nodes]
Current Use Cases
● Federated Workload Placement
● Pod Scheduling
● Authorization
● Admission Control
● Audit
Future Use Cases
● Storage policy (in progress)
● Network policy
Use Cases: Kubernetes: Admission Control
[Diagram: kubectl apply -f app.yaml → apiserver → admission controllers (quota, exec, webhook) → OPA]
app.yaml:
metadata:
  name: frontend
  labels:
    contact: name@example.com
spec:
  replicas: 5
  selector:
    app: frontend
  template:
    metadata:
      name: frontend
      labels:
        app: frontend
    spec:
      containers:
      - name: proxy
        image: nginx
Use Cases: Kubernetes: Admission Control Policy
Pod object the policy is evaluated against:
kind: Pod
metadata:
  labels:
    app: nginx
  name: nginx-1493591563-bvl8q
  namespace: production
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  nodeName: minikube
  restartPolicy: Always
status:
  containerStatuses:
  - name: nginx
    ready: true
  hostIP: 192.168.99.100
  phase: Running
  podIP: 172.17.0.4
Rego building blocks, from a reference up to a complete rule:
# references
spec.containers[0].image
# variables and iteration
container := spec.containers[index]
# expressions
container.securityContext.privileged == true
# functions
is_privileged(container) {
    container.securityContext.privileged == true
}
# rules
deny {
    review.user == "bob"
    review.operation == "CREATE"
    review.namespace == "production"
    is_privileged(spec.containers[_])
}
Use Cases: Kubernetes: Admission Control Decision
Policy Query
POST opa:8181/v1/data/k8s/admission/allow
input:
  kind: Pod
  metadata:
    labels:
      app: nginx
    name: nginx-1493591563-bvl8q
    namespace: production
  spec:
    containers:
    - image: nginx
      name: nginx
      securityContext:
        privileged: true
    dnsPolicy: ClusterFirst
    nodeName: minikube
    restartPolicy: Always
  status:
    containerStatuses:
    - name: nginx
      ready: true
    hostIP: 192.168.99.100
    phase: Running
    podIP: 172.17.0.4
Policy Decision
200 OK
{
  "result": true
}
Policy decision can also be a JSON-patch-like dictionary describing updates to pod.
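The slide notes that the decision can also be a JSON-patch-like dictionary describing updates to the pod. The following is an added example, not code from the deck or from the OPA project: a minimal applier for the add/replace/remove subset of RFC 6902 that takes such a decision and applies it to the pod shown above. The decision list and the annotation key example.com/qa-signoff are constructed for illustration. The detail worth seeing is JSON-pointer escaping: a "/" inside a map key has to be written as "~1" in the pointer, and the document is copied before it is mutated.

```python
import copy

# Pod from the slide, reproduced as the document the decision mutates
# (status omitted: admission patches target spec and metadata).
POD = {
    "kind": "Pod",
    "metadata": {
        "labels": {"app": "nginx"},
        "name": "nginx-1493591563-bvl8q",
        "namespace": "production",
    },
    "spec": {
        "containers": [
            {"image": "nginx", "name": "nginx", "securityContext": {"privileged": True}}
        ],
        "dnsPolicy": "ClusterFirst",
        "nodeName": "minikube",
        "restartPolicy": "Always",
    },
}


def unescape_token(token):
    # RFC 6901: "~1" decodes to "/" and "~0" to "~". This order is required so
    # that "~01" yields the literal "~1" rather than "/".
    return token.replace("~1", "/").replace("~0", "~")


def split_pointer(pointer):
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    return [unescape_token(t) for t in pointer.split("/")[1:]]


def locate(doc, tokens):
    # Walk to the container holding the final token; list indices are numeric.
    node = doc
    for token in tokens[:-1]:
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node, tokens[-1]


def apply_patch(doc, ops):
    """Apply add/replace/remove operations (RFC 6902 subset) to a copy of doc."""
    doc = copy.deepcopy(doc)  # never mutate the caller's object
    for op in ops:
        tokens = split_pointer(op["path"])
        if not tokens:
            raise ValueError("whole-document replacement is not supported")
        parent, key = locate(doc, tokens)
        kind = op["op"]
        if isinstance(parent, list):
            if kind == "add":
                parent.insert(len(parent) if key == "-" else int(key), op["value"])
            elif kind == "replace":
                parent[int(key)] = op["value"]
            elif kind == "remove":
                del parent[int(key)]
            else:
                raise ValueError(f"unsupported op: {kind}")
        else:
            if kind == "replace" and key not in parent:
                raise KeyError(f"replace target missing: {op['path']}")
            if kind in ("add", "replace"):
                parent[key] = op["value"]
            elif kind == "remove":
                del parent[key]
            else:
                raise ValueError(f"unsupported op: {kind}")
    return doc


# Constructed decision in the patch-like shape the slide describes. The
# annotation key is hypothetical; because it contains "/", it is escaped as
# "~1" inside the pointer. A real policy would emit the first op only when
# metadata.annotations is absent, since "add" on an existing member replaces it.
DECISION = [
    {"op": "add", "path": "/metadata/annotations", "value": {}},
    {"op": "add", "path": "/metadata/annotations/example.com~1qa-signoff", "value": "approved"},
    {"op": "replace", "path": "/spec/containers/0/securityContext/privileged", "value": False},
]


def mutated_pod():
    return apply_patch(POD, DECISION)
```

A mutating webhook would base64-encode the same operation list before returning it to the apiserver; the applier above is what the apiserver does with it, and is handy for unit-testing a policy's patch output before it touches a cluster.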
Use Cases: Kubernetes: Admission Control
Example Policies
● Images may only be pulled from internal registry
● Only scanned images may be deployed in namespaces A, B, and C
● QA team must sign-off on image before deployed to production
● Stateful deployments must use ‘recreate’ update strategy
● Developers must not modify selectors or labels referred to by selectors after creation
● Containers must have CPU and memory resource requests and limits set
● Containers cannot run with privileged security context
● Services in namespace X should have AWS SSL annotation added
Use Cases: Kubernetes
● Cluster placement
○ Policy: choose clusters a workload should be deployed to. JSON pointer for analyzing request
○ Data: Depends on cluster metadata (mirrored from k8s)
○ Decision: set of clusters
○ Integration: webhook hardcoded to ask GET /
○ Policy management: K8s ConfigMaps
○ Mode: proactive, reactive, audit
○ Performance: 1s
● Admission control
○ Policy: authorization + modification of incoming request. JSON pointer for analyzing request
○ Data: Depends on pod metadata (mirrored from k8s)
○ Decision: JSON patch describing changes
○ Integration: webhook hardcoded to ask GET /
○ Policy management: k8s ConfigMaps
○ Mode: proactive, reactive, audit
○ Performance: 1s
Use Cases: Microservice APIs
[Diagram: landing_page calls GET /reviews/{id}, GET /details/{id} and GET /ratings/{id}; landing_page, reviews, details and ratings each run with an OPA sidecar]
Use Cases: Microservice APIs
Policy Query (landing_page → details)
POST opa:8181/v1/data/example/allow
{
  "input": {
    "path": ["details", "bob"],
    "method": "GET",
    "source": "landing_page",
    "target": "details",
    "query_params": {},
    "user": "alice",
    "body": null
  }
}
Policy Decision
200 OK
{
  "result": true
}
Use Cases: Microservice APIs
● API Authorization
○ Performance: 1000+ rps
○ Policy: Authorize HTTP/GRPC APIs. Written by devs in YAML/GUI. Translated into Rego.
○ Decision: allow/deny
○ Integration: Go library, daemon GET /<path>
○ Policy management: Custom or k8s CRDs. Requests for postgres/S3 backends.
○ Mode: proactive
Use Cases: Terraform Architecture
[Diagram: a Terraform change flows through the CICD Pipeline (with OPA) to the Public Cloud; Terraform State and the Public Cloud both feed a second OPA for audit]
Risk Management
● Compute risk of infra change
● Limit blast radius based on seniority of author
● Automatic approvals and manual approvals
Public Cloud Resource Audit
● Find public cloud resources not under control of Terraform
● Report violations of policy
Use Cases: Terraform: Risk Management Decision
Policy Query
POST opa:8181/v1/data/terraform/risk_score
{"input": {
  "aws_autoscaling_group.my_asg": {
    "arn": "",
    "availability_zones.#": "1",
    "availability_zones.3205754986": "us-west-1a",
    "default_cooldown": "",
    "desired_capacity": "4",
    "destroy": false,
    "destroy_tainted": false,
    "force_delete": "true",
    "health_check_grace_period": "300",
    "health_check_type": "ELB",
    "metrics_granularity": "1Minute",
    "min_size": "1",
    "name": "my_asg",
  },
  "aws_instance.web": {
    "ami": "ami-09b4b74c",
    "associate_public_ip_address": "",
    "availability_zone": "",
    "destroy": false,
    ...
Policy Decision
200 OK
{
  "result": 15
}
Use Cases: Terraform
● Risk Management
○ Performance: 1 rps
○ Policy: compute risk score for proposed Terraform change. JSON-pointer + iteration
○ Decision: number
○ Integration: ?
○ Policy management: ?
○ Mode: proactive
● Public Cloud Audit
○ Performance: run periodically
○ Policy: compare cloud resources to those managed by Terraform. JSON-pointer + iteration
○ Decision: set of resources
○ Integration: ?
○ Policy management: 1
○ Mode: audit
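Both Terraform use cases above (a numeric risk score over a plan, and a set of unmanaged resources from an audit) follow the same pattern: iterate over every resource in a JSON document and keep the tunable parts as data rather than policy logic. The following is an added example, not code from the deck or the OPA project, that works the way the Rego would over a plan in the flattened shape the slide shows. The weights, the seniority budgets, the plan and the inventories are all constructed for illustration; the slide's actual score of 15 comes from a policy this page does not show.

```python
# Hypothetical weights and budgets. In an OPA deployment these live under
# data.* so they can be pushed and changed without touching the policy logic.
TYPE_WEIGHTS = {"aws_autoscaling_group": 5, "aws_instance": 2, "aws_security_group": 8}
DEFAULT_WEIGHT = 1
DESTROY_MULTIPLIER = 3
SENIORITY_BUDGET = {"junior": 10, "senior": 40, "principal": 100}

# Constructed plan in the slide's flattened shape: "<type>.<name>" -> attributes,
# attribute values as Terraform strings, "destroy" as a boolean.
PLAN = {
    "aws_autoscaling_group.my_asg": {"desired_capacity": "4", "min_size": "1",
                                     "force_delete": "true", "destroy": False},
    "aws_instance.web": {"ami": "ami-09b4b74c", "destroy": False},
    "aws_security_group.db": {"name": "db", "destroy": True},
}

# Constructed inventories for the audit use case: resource ids seen in the
# cloud account versus ids recorded in Terraform state.
CLOUD_INVENTORY = {"i-0a1b2c", "i-0d3e4f", "sg-deadbeef"}
TERRAFORM_STATE = {"i-0a1b2c", "sg-deadbeef"}


def resource_type(address):
    # "aws_instance.web" -> "aws_instance" (module-prefixed addresses need more care)
    return address.split(".", 1)[0]


def resource_risk(address, attrs, weights=TYPE_WEIGHTS):
    weight = weights.get(resource_type(address), DEFAULT_WEIGHT)
    if attrs.get("destroy"):
        weight *= DESTROY_MULTIPLIER  # destructive changes count more
    capacity = int(attrs.get("desired_capacity") or 1)  # blast radius of a scaling group
    return weight * capacity


def risk_score(plan, weights=TYPE_WEIGHTS):
    # Same shape as the Rego version: iterate every resource, sum its risk.
    return sum(resource_risk(addr, attrs, weights) for addr, attrs in plan.items())


def approval(plan, author_level):
    # Limit blast radius by seniority: an unknown level gets no budget, so the
    # change falls through to manual review.
    score = risk_score(plan)
    return {"risk_score": score,
            "auto_approve": score <= SENIORITY_BUDGET.get(author_level, 0)}


def unmanaged_resources(cloud_inventory, terraform_state):
    # Public Cloud Resource Audit: the decision is the set of ids outside Terraform's control.
    return set(cloud_inventory) - set(terraform_state)
```

Changing a weight or a budget here changes no code path, which is the point the deck makes about treating data as a first-class citizen: the admin owns the logic, the organisation owns the numbers.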
New Use Cases
● Ratelimiting
○ Early days of this use case
○ Performance: 1000+ rps
○ Policy: choose ratelimit. Written using GUI/YAML. YAML treated as data in policy.
○ Decision: number
○ Integration: ?
○ Policy management: Custom
○ Mode: proactive
● Data protection: Minio, Kafka, OpenSDSS
○ Performance: 1000 rps
○ Policy: AWS IAM policies translated to Rego
○ Decision: allow/deny
○ Integration: GET /path
○ Policy management: Custom minio federation service
○ Mode: proactive
Lessons Learned
● Iteration/JSON-pointer/modules common expressiveness requirements
○ Policy about images in a k8s pod or about a Terraform plan needs iteration and JSON-pointer
● Data as a first-class citizen helps with writing policy
○ YAML/GUI data becomes the user-facing policy language; admin encodes semantics in Logic
● Policy decisions can be more complex than allow/deny
○ Assuming the technology supports it
● Always at the mercy of the system you are integrating with
○ Users willing to modify their application are great! So are systems that support plugins.
● Valuable to operate without a hard dependency on storage
○ Every system already has some storage system; they rarely want another etcd to manage
○ But everyone asks about storage options
● The higher the performance requirement, the simpler the policy
○ The tradeoff is unavoidable, but it’s possible to lessen the impact.
Thank You!
github.com/open-policy-agent/opa
slack.openpolicyagent.org
Appendix
Integration
[Diagram: a Service written in Go embeds OPA as a library, OR any Service talks to the OPA daemon over the HTTP API]
HTTP
List all policies                      GET v1/policies
Insert, modify, and delete policies    GET/PUT/DELETE v1/policies/<path>
Insert and modify raw data             PUT/PATCH v1/data/<path>
Get policy decision                    GET/POST v1/data/<path>
Evaluate ad-hoc policy queries         GET v1/query?q=<query>
Query parameters: ?metrics include metrics (ex: latency); ?watch stream updates; ?explain explain why result is true
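An added example, not from the deck or the OPA project, of a client that drives both halves of the v1 HTTP API listed above using only the standard library: the management side pushes a policy and a data document, the enforcement side asks for a decision. The transport is injectable, and RecordingTransport is a constructed stand-in for OPA that replays scripted replies, so the example runs without a daemon and a test can inspect exactly what went over the wire. The base URL http://opa:8181, the example package and the owners data path are assumptions. The behaviour to notice is in query and allow: the Data API omits "result" entirely when the queried rule is undefined, so the only safe reading is "anything other than an explicit true is a deny".

```python
import json
import urllib.request


def urllib_transport(method, url, body, content_type):
    """Real transport: send the request to an OPA daemon (standard library only)."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=2.0) as resp:
        return resp.status, resp.read().decode()


class RecordingTransport:
    """Constructed stand-in for OPA: records every call and replays scripted replies."""

    def __init__(self, replies):
        self.replies = list(replies)  # (status, body text), consumed in order
        self.calls = []

    def __call__(self, method, url, body, content_type):
        self.calls.append((method, url, body, content_type))
        return self.replies.pop(0)


class OPAClient:
    def __init__(self, base_url="http://opa:8181", transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        # transport(method, url, body bytes or None, content type) -> (status, text)
        self.transport = transport

    # Management API: a sidecar or control plane pushes policy and data into OPA.
    def put_policy(self, policy_id, rego):
        # PUT /v1/policies/<id> takes the raw Rego module as the body, not JSON.
        status, _ = self.transport("PUT", f"{self.base_url}/v1/policies/{policy_id}",
                                   rego.encode(), "text/plain")
        return status == 200

    def put_data(self, path, document):
        # PUT /v1/data/<path> replaces the JSON document at that path (204 on success).
        status, _ = self.transport("PUT", f"{self.base_url}/v1/data/{path}",
                                   json.dumps(document).encode(), "application/json")
        return status == 204

    # Enforcement API: the service asks for a decision.
    def query(self, path, input_doc):
        # POST /v1/data/<path> with {"input": ...}. "result" holds the value of
        # the document at <path> and is absent entirely when it is undefined.
        status, text = self.transport("POST", f"{self.base_url}/v1/data/{path}",
                                      json.dumps({"input": input_doc}).encode(),
                                      "application/json")
        if status != 200:
            raise RuntimeError(f"OPA returned HTTP {status}")
        return json.loads(text or "{}").get("result")

    def allow(self, path, input_doc):
        # Fail closed: only an explicit boolean true grants access; a missing
        # result (undefined rule) or any other value denies.
        return self.query(path, input_doc) is True


def demo():
    """Drive the client against scripted replies; returns what a test can check."""
    transport = RecordingTransport([
        (200, "{}"),                # put_policy
        (204, ""),                  # put_data
        (200, '{"result": true}'),  # allow evaluates to true
        (200, "{}"),                # allow is undefined, so it must deny
    ])
    opa = OPAClient("http://opa:8181", transport)
    # Hypothetical policy: the owner of a resource may GET it; data.owners is pushed separately.
    policy = ('package example\n\n'
              'allow {\n'
              '    input.method == "GET"\n'
              '    input.user == data.owners[input.path[1]]\n'
              '}\n')
    policy_ok = opa.put_policy("example", policy)
    data_ok = opa.put_data("owners", {"bob": "alice"})
    granted = opa.allow("example/allow",
                        {"method": "GET", "path": ["details", "bob"], "user": "alice"})
    denied = not opa.allow("example/allow",
                           {"method": "DELETE", "path": ["details", "bob"], "user": "mallory"})
    return {
        "policy_ok": policy_ok, "data_ok": data_ok,
        "granted": granted, "denied": denied,
        "calls": transport.calls,
        "query_input": json.loads(transport.calls[2][2])["input"],
    }
```

Swapping RecordingTransport for urllib_transport is the only change needed to point the same client at a real sidecar; in production the management calls would normally come from the sidecar rather than from the service itself, which is exactly the split the two APIs are meant to enforce.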
Use Cases: Kubernetes: Admission Control
Example Policies
● Images may only be pulled from internal registry
● Only scanned images may be deployed in namespaces A, B, and C
● QA team must sign-off on image before deployed to production
● Stateful deployments must use ‘recreate’ update strategy
● Developers must not modify selectors or labels referred to by selectors after creation
● Containers must have CPU and memory resource requests and limits set
● Containers cannot run with privileged security context
● Services in namespace X should have AWS SSL annotation added
● Product teams may only expose services with hostname from whitelist...
Performance: Microservice APIs
Benchmarks run on every release, e.g. https://gist.github.com/tsandall/97729bef8ee804a75b9e20e81508782d#file-_results_
+----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
| Percentile (%) | Serialization (µs) | Request (µs) | Parse (µs) | Compile (µs) | Eval (µs) | Processing (µs) |
+----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
| 50 | 2 | 358 | 11 | 43 | 180 | 14 |
| 75 | 3 | 389 | 12 | 45 | 186 | 16 |
| 90 | 3 | 437 | 13 | 49 | 200 | 19 |
| 95 | 4 | 495 | 15 | 56 | 234 | 23 |
| 99 | 8 | 1886 | 29 | 87 | 736 | 35 |
| 99.9 | 23 | 2583 | 221 | 205 | 2215 | 69 |
| 99.99 | 72 | 3357 | 1920 | 264 | 2617 | 161 |
+----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
HTTP latency for the following rule, with 1000 rules loaded and 10 hits:
allow {
    input.method = "GET"
    input.path = ["finance", "salary", account_id]
    input.user_id = account_id
}
Note: v0.6 will reduce eval latency by 2 orders of magnitude
Integration: Python
import requests

OPA_URL = "http://opa:8181/v1/data/acmecorp/api/authz/allow"


def check_request(request):
    body = {  # prepare body for OPA query by...
        "input": {  # supplying input data containing...
            "auth_user": request.token.username,  # authenticated username/identity (e.g., bob)
            # HTTP URL path as segments; strip the leading "/" so that
            # "/widgets/12345" becomes ["widgets", "12345"], not ["", ...]
            "path": request.path.strip("/").split("/"),
            "method": request.method,  # HTTP method (e.g., POST, GET, DELETE, etc.)
        }
    }
    # query authorization policy in OPA for 'allow' decision; json= sends the
    # body as application/json (data= would form-encode the dict)
    response = requests.post(OPA_URL, json=body, timeout=1.0)
    response.raise_for_status()
    # the query path already ends in /allow, so "result" is the boolean itself;
    # it is absent entirely when the rule is undefined, which must mean deny
    if response.json().get("result") is not True:
        raise Exception("request rejected by administrative policy")
Related Projects
Project              Open Source   Decentralized   Non-boolean Decisions   Context-aware
OPA                  Apache 2      Yes             Yes                     Yes
Firebase Rules       No            Yes             No                      Yes
HashiCorp Sentinel   No            Yes             No                      Yes (*)
OpenStack Congress   Apache 2      No              Yes                     Yes (**)
Ladon (XACML)        Apache 2      Yes             No                      Yes (*)
Project Status
Features as of v0.6.0
● Language
● Query evaluation
● Partial evaluation
● Tracing & Explanations
● REPL
● HTTP APIs
● Pluggable storage
● Triggers
● Transactions
● Test Framework
● HTTPS
● Authentication (Bearer Tokens)
● Authorization
Roadmap
● Features
○ Partial Eval
○ CEL compatibility
○ Performance profiles
○ Local disk storage
○ Etcd storage
○ Query profiling
○ Query benchmarking
○ Failure explanations
○ Golang plugin built-ins
○ JavaScript built-ins
○ Remediation engine
○ Remote REPL
● Integrations
○ OpenShift
○ DCOS
○ Docker ecosystem
○ Standard library
Community
● slack.openpolicyagent.org
● blog.openpolicyagent.org
● github.com/open-policy-agent/opa
● github.com/open-policy-agent/library

More Related Content

What's hot

How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 

What's hot (20)

How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACML
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeper
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMeshService-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress  nginxMastering kubernetes ingress  nginx
Mastering kubernetes ingress nginx
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products Overview
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Terraform features(kr)
Terraform features(kr)Terraform features(kr)
Terraform features(kr)
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 

Similar to OPA APIs and Use Case Survey

Similar to OPA APIs and Use Case Survey (20)

Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker Environments
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
 
Sprint 44 review
Sprint 44 reviewSprint 44 review
Sprint 44 review
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructure
 
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
 
HKG15-110: ODP Project Update
HKG15-110: ODP Project UpdateHKG15-110: ODP Project Update
HKG15-110: ODP Project Update
 
Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...
Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...
Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
 
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdf
 
DevNation Tech Talk: Getting GitOps
DevNation Tech Talk: Getting GitOpsDevNation Tech Talk: Getting GitOps
DevNation Tech Talk: Getting GitOps
 
High Availability by Design
High Availability by DesignHigh Availability by Design
High Availability by Design
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data Mesh
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdf
 
PyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakesPyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakes
 
Presto query optimizer: pursuit of performance
Presto query optimizer: pursuit of performancePresto query optimizer: pursuit of performance
Presto query optimizer: pursuit of performance
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

OPA APIs and Use Case Survey

  • 1. Open Policy Agent API and Use Case Survey
  • 2. openpolicyagent.org Goals and Non-goals
    (Diagram: a Policy Management Fabric, out of scope for OPA, feeding several OPA instances.)
    OPA’s Goal: policy-enable other projects and services, regardless of domain
    ● Run at the edge to make policy decisions for host-local consumers
    ● Zero runtime dependencies
    ● Easy integrations
  • 3. openpolicyagent.org OPA is an open source, general-purpose policy engine
  • 4. openpolicyagent.org OPA is an open source, general-purpose policy engine ● Declarative Language (Rego) ○ Is X allowed to call operation Y on resource Z? ○ Which users can SSH into production hosts? ○ What clusters should workload X be deployed to? ○ What annotations must be set on object X?
  • 5. openpolicyagent.org ● Declarative Language (Rego) ○ Is X allowed to call operation Y on resource Z? ○ Which users can SSH into production hosts? ○ What clusters should workload X be deployed to? ○ What annotations must be set on object X? ● Library/Daemon (Go) ○ In-memory storage of data and policies ○ Zero runtime dependencies ○ Evaluation engine: parser, compiler, interpreter ○ Tooling: REPL, test framework, tracing OPA is an open source, general-purpose policy engine
  • 6. openpolicyagent.org ● Declarative Language (Rego) ○ Is X allowed to call operation Y on resource Z? ○ Which users can SSH into production hosts? ○ What clusters should workload X be deployed to? ○ What annotations must be set on object X? ● Library/Daemon (Go) ○ In-memory storage of data and policies ○ Zero runtime dependencies ○ Evaluation engine: parser, compiler, interpreter ○ Tooling: REPL, test framework, tracing ● Standard Library & Integrations ○ Authorization, admission control, auditing, etc. ○ Kubernetes, Istio, AWS, Terraform, Docker, and more. OPA is an open source, general-purpose policy engine
  • 7. openpolicyagent.org OPA is an open source, general-purpose policy engine DataLogic Management API: Management pushes updates Enforcement API: Service requests decision
  • 8. openpolicyagent.org OPA is an open source, general-purpose policy engine DataLogic Management API: Management pushes updates Enforcement API: Service requests decision Service-specific Management sidecar
  • 9. openpolicyagent.org Enforcement + Management API (REST)
    Management API:
    ● List all policies: GET /v2/policies
    ● Insert, modify, delete policies: GET/PUT/DELETE /v2/policies/<path>
    ● List all data: GET /v2/data
    ● Insert, modify, delete raw data: GET/PUT/PATCH/DELETE /v2/data/<path>
    Enforcement API:
    ● Get policy decision: GET/POST /v2/decisions/<path>
    Query parameters: ?metrics (include metrics, e.g. latency), ?watch (stream updates), ?explain (explain why result is true)
    (Tim’s proposal for v2: a small change from v1.)
  • 10. History
    2016: Inception
    ● Requirements
      ○ Decisions about JSON
      ○ Decisions are JSON
      ○ Ease of integration
      ○ Host-local agent
    ● Execution
      ○ New language: Rego
      ○ HTTP API over localhost
      ○ Go binary
    2017: Application
    ● Requirements
      ○ Solve real problems
      ○ Build community
      ○ Learn requirements
      ○ Hill-climb implementation
    ● Execution
      ○ Domains: Cloud, Server, Container, Microservices
      ○ Customers, KubeCon, CNCF, Meetups, ...
    2018: Hardening (Today)
    ● Requirements
      ○ Ease of use
      ○ Performance
      ○ Solve real problems
      ○ Build community
    ● Execution
      ○ v2 of Language/API/Engine
      ○ Leverage Google’s CEL
      ○ Policy Library
      ○ CNCF, Conferences, Users
  • 11. openpolicyagent.org Use Cases OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Container Placement & Admission Control OPA Data protection
  • 12. openpolicyagent.org Dimensions for Use Case Comparison
    ● Policy
      ○ What kind of policy?
      ○ What kind of expressiveness? Iteration, etc.
    ● Data/context
      ○ OPA treats data separate from policy
      ○ What data does the policy depend on?
      ○ How does OPA know about that data?
    ● Decisions
      ○ Are decisions booleans/strings/numbers/arrays/maps?
    ● Integration
      ○ How was the enforcement integration done?
    ● Policy management
      ○ How were policies/data pushed into OPA?
    ● Performance
      ○ How many queries per second are required?
    ● Mode
      ○ Proactive (prevent violations), reactive (fix violations), audit (identify violations)
  • 13. openpolicyagent.org Use Cases OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Placement & Admission Control OPA Data protection
  • 14. openpolicyagent.org Use Cases: Kubernetes
    (Diagram: OPA instances alongside the apiserver, authorization, admission control, scheduler, federation control plane and nodes.)
    Current Use Cases
    ● Federated Workload Placement
    ● Pod Scheduling
    ● Authorization
    ● Admission Control
    ● Audit
    Future Use Cases
    ● Storage policy (in progress)
    ● Network policy controllers
  • 15. openpolicyagent.org Use Cases: Kubernetes: Admission Control
    (Diagram: kubectl apply -f app.yaml -> apiserver -> admission controllers (quota, exec, webhook) -> OPA.)
    metadata:
      name: frontend
      labels:
        contact: name@example.com
    spec:
      replicas: 5
      selector:
        app: frontend
      template:
        metadata:
          name: frontend
          labels:
            app: frontend
        spec:
          containers:
          - name: proxy
            image: nginx
  • 16. openpolicyagent.org Use Cases: Kubernetes: Admission Control Policy
    kind: Pod
    metadata:
      labels:
        app: nginx
      name: nginx-1493591563-bvl8q
      namespace: production
    spec:
      containers:
      - image: nginx
        name: nginx
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      nodeName: minikube
      restartPolicy: Always
    status:
      containerStatuses:
      - name: nginx
        ready: true
      hostIP: 192.168.99.100
      phase: Running
      podIP: 172.17.0.4

    # references
    spec.containers[0].image

    # variables and iteration
    container := spec.containers[index]

    # expressions
    container.securityContext.privileged == true

    # functions
    is_privileged(container) {
      container.securityContext.privileged == true
    }

    # rules
    deny {
      review.user == "bob"
      review.operation == "CREATE"
      review.namespace == "production"
      is_privileged(spec.containers[_])
    }
  • 17. openpolicyagent.org Use Cases: Kubernetes: Admission Control Decision
    Policy Query: POST opa:8181/v1/data/k8s/admission/allow
    input:
      kind: Pod
      metadata:
        labels:
          app: nginx
        name: nginx-1493591563-bvl8q
        namespace: production
      spec:
        containers:
        - image: nginx
          name: nginx
          securityContext:
            privileged: true
        dnsPolicy: ClusterFirst
        nodeName: minikube
        restartPolicy: Always
      status:
        containerStatuses:
        - name: nginx
          ready: true
        hostIP: 192.168.99.100
        phase: Running
        podIP: 172.17.0.4
    Policy Decision: 200 OK
    { "result": true }
    Policy decision can also be a JSON-patch-like dictionary describing updates to pod.
  • 18. openpolicyagent.org Use Cases: Kubernetes: Admission Control Example Policies
    ● Images may only be pulled from internal registry
    ● Only scanned images may be deployed in namespaces A, B, and C
    ● QA team must sign-off on image before deployed to production
    ● Stateful deployments must use ‘recreate’ update strategy
    ● Developers must not modify selectors or labels referred to by selectors after creation
    ● Containers must have CPU and memory resource requests and limits set
    ● Containers cannot run with privileged security context
    ● Services in namespace X should have AWS SSL annotation added
    (Diagram: kubectl apply -f app.yaml -> apiserver -> admission control -> OPA.)
  • 19. openpolicyagent.org Use Cases: Kubernetes
    ● Cluster placement
      ○ Policy: choose clusters a workload should be deployed to. JSON pointer for analyzing request
      ○ Data: Depends on cluster metadata (mirrored from k8s)
      ○ Decision: set of clusters
      ○ Integration: webhook hardcoded to ask GET /
      ○ Policy management: K8s ConfigMaps
      ○ Mode: proactive, reactive, audit
      ○ Performance: 1s
    ● Admission control
      ○ Policy: authorization + modification of incoming request. JSON pointer for analyzing request
      ○ Data: Depends on pod metadata (mirrored from k8s)
      ○ Decision: JSON patch describing changes
      ○ Integration: webhook hardcoded to ask GET /
      ○ Policy management: k8s ConfigMaps
      ○ Mode: proactive, reactive, audit
      ○ Performance: 1s
  • 20. openpolicyagent.org Use Cases OPA Cloud OPA Orchestrator Risk Management Placement & Admission Control Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Data protection
  • 21. openpolicyagent.org Use Cases: Microservice APIs ratingsreviews details landing_page GET /reviews/{id} GET /details/{id} GET /ratings/{id} OPA OPA OPA OPA
  • 22. openpolicyagent.org Use Cases: Microservice APIs
    (Diagram: landing_page, details, reviews and ratings services, each with its own OPA.)
    Policy Query: POST opa:8181/v1/data/example/allow
    {
      "input": {
        "path": ["details", "bob"],
        "method": "GET",
        "source": "landing_page",
        "target": "details",
        "query_params": {},
        "user": "alice",
        "body": null
      }
    }
    Policy Decision: 200 OK
    { "result": true }
  • 23. openpolicyagent.org Use Cases: Microservice APIs (Istio, Linkerd)
    ● API Authorization
      ○ Performance: 1000+ rps
      ○ Policy: Authorize HTTP/GRPC APIs. Written by devs in YAML/GUI. Translated into Rego.
      ○ Decision: allow/deny
      ○ Integration: Go library, daemon GET /<path>
      ○ Policy management: Custom or k8s CRDs. Requests for postgres/S3 backends.
      ○ Mode: proactive
  • 24. openpolicyagent.org Use Cases OPA Cloud OPA Orchestrator Risk Management Placement & Admission Control Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Data protection
  • 25. openpolicyagent.org Use Cases: Terraform Architecture
    (Diagram: a Terraform change passes through the CI/CD pipeline, with OPA consulted against Terraform state and the public cloud.)
    Risk Management
    ● Compute risk of infra change
    ● Limit blast radius based on seniority of author
    ● Automatic approvals and manual approvals
    Public Cloud Resource Audit
    ● Find public cloud resources not under control of Terraform
    ● Report violations of policy
  • 26. openpolicyagent.org Use Cases: Terraform: Risk Management Decision
    Policy Query: POST opa:8181/v1/data/terraform/risk_score
    {"input": {
      "aws_autoscaling_group.my_asg": {
        "arn": "",
        "availability_zones.#": "1",
        "availability_zones.3205754986": "us-west-1a",
        "default_cooldown": "",
        "desired_capacity": "4",
        "destroy": false,
        "destroy_tainted": false,
        "force_delete": "true",
        "health_check_grace_period": "300",
        "health_check_type": "ELB",
        "metrics_granularity": "1Minute",
        "min_size": "1",
        "name": "my_asg"
      },
      "aws_instance.web": {
        "ami": "ami-09b4b74c",
        "associate_public_ip_address": "",
        "availability_zone": "",
        "destroy": false,
        ...
    Policy Decision: 200 OK
    { "result": 15 }
  • 27. openpolicyagent.org Use Cases: Terraform (Hashicorp Terraform)
    ● Risk Management
      ○ Performance: 1 rps
      ○ Policy: compute risk score for proposed Terraform change. JSON-pointer + iteration
      ○ Decision: number
      ○ Integration: ?
      ○ Policy management: ?
      ○ Mode: proactive
    ● Public Cloud Audit
      ○ Performance: run periodically
      ○ Policy: compare cloud resources to those managed by Terraform. JSON-pointer + iteration
      ○ Decision: set of resources
      ○ Integration: ?
      ○ Policy management: 1
      ○ Mode: audit
  • 28. openpolicyagent.org Use Cases OPA Cloud OPA Orchestrator Risk Management Placement & Admission Control Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Data protection
  • 29. openpolicyagent.org New Use Cases
    ● Ratelimiting
      ○ Early days of this use case
      ○ Performance: 1000+ rps
      ○ Policy: choose ratelimit. Written using GUI/YAML. YAML treated as data in policy.
      ○ Decision: number
      ○ Integration: ?
      ○ Policy management: Custom
      ○ Mode: proactive
    ● Data protection: Minio, Kafka, OpenSDSS
      ○ Performance: 1000 rps
      ○ Policy: AWS IAM policies translated to Rego
      ○ Decision: allow/deny
      ○ Integration: GET /path
      ○ Policy management: Custom minio federation service
      ○ Mode: proactive
  • 30. openpolicyagent.org Lessons Learned
    ● Iteration/JSON-pointer/modules are common expressiveness requirements
      ○ Policy about images in a k8s pod or about a Terraform plan needs iteration and JSON-pointer
    ● Data as a first-class citizen helps with writing policy
      ○ YAML/GUI data becomes the user-facing policy language; admin encodes semantics in Logic
    ● Policy decisions can be more complex than allow/deny
      ○ Assuming the technology supports it
    ● Always at the mercy of the system you are integrating with
      ○ Users willing to modify their application are great! So are systems that support plugins.
    ● Valuable to operate without a hard dependency on storage
      ○ Every system already has some storage system; they rarely want another etcd to manage
      ○ But everyone asks about storage options
    ● The higher the performance requirement, the simpler the policy
      ○ The tradeoff is unavoidable, but it’s possible to lessen the impact.
  • 33. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4
  • 34. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4 # references spec.containers[0].image
  • 35. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4 # references spec.containers[0].image # variables and iteration container = spec.containers[index]
  • 36. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4 # references spec.containers[0].image # variables and iteration container = spec.containers[index] # expressions container.securityContext.privileged = true
  • 37. openpolicyagent.org Use Cases: Kubernetes: Admission Control kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 phase: Running podIP: 172.17.0.4 # references spec.containers[0].image # variables and iteration container = spec.containers[index] # expressions container.securityContext.privileged = true # functions is_privileged(container) { container.securityContext.privileged = true }
  • 38. openpolicyagent.org Use Cases: Kubernetes: Admission Control
    kind: Pod
    metadata:
      labels:
        app: nginx
      name: nginx-1493591563-bvl8q
      namespace: production
    spec:
      containers:
      - image: nginx
        name: nginx
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      nodeName: minikube
      restartPolicy: Always
    status:
      containerStatuses:
      - name: nginx
        ready: true
      hostIP: 192.168.99.100
      phase: Running
      podIP: 172.17.0.4

    # references
    spec.containers[0].image

    # variables and iteration
    container = spec.containers[index]

    # expressions
    container.securityContext.privileged = true

    # functions
    is_privileged(container) {
      container.securityContext.privileged = true
    }

    # rules
    deny {
      review.user = "bob"
      review.operation = "CREATE"
      review.namespace = "production"
      is_privileged(spec.containers[_])
    }
  • 39. openpolicyagent.org Integration
    (Diagram: a Service (Go) embedding OPA as a library, OR a Service calling a separate OPA over HTTP.)
    HTTP API:
    ● List all policies: GET v1/policies
    ● Insert, modify, and delete policies: GET/PUT/DELETE v1/policies/<path>
    ● Insert and modify raw data: PUT/PATCH v1/data/<path>
    ● Get policy decision: GET/POST v1/data/<path>
    ● Evaluate ad-hoc policy queries: GET v1/query?q=<query>
    Query parameters: ?metrics (include metrics, e.g. latency), ?watch (stream updates), ?explain (explain why result is true)
  • 40. openpolicyagent.org Use Cases: Kubernetes: Admission Control Example Policies
    ● Images may only be pulled from internal registry
    ● Only scanned images may be deployed in namespaces A, B, and C
    ● QA team must sign-off on image before deployed to production
    ● Stateful deployments must use ‘recreate’ update strategy
    ● Developers must not modify selectors or labels referred to by selectors after creation
    ● Containers must have CPU and memory resource requests and limits set
    ● Containers cannot run with privileged security context
    ● Services in namespace X should have AWS SSL annotation added
    ● Product teams may only expose services with hostname from whitelist...
    (Diagram: kubectl apply -f app.yaml -> apiserver -> admission control -> OPA.)
  • 41. openpolicyagent.org Use Cases: Kubernetes: Admission Control
    (Diagram: kubectl apply -f app.yaml -> apiserver -> admission controllers (quota, exec, webhook) -> OPA.)
    metadata:
      name: frontend
      labels:
        contact: name@example.com
    spec:
      replicas: 5
      selector:
        app: frontend
      template:
        metadata:
          name: frontend
          labels:
            app: frontend
        spec:
          containers:
          - name: proxy
            image: nginx
  • 42. openpolicyagent.org Performance: Microservice APIs
    Benchmarks run on every release, e.g. https://gist.github.com/tsandall/97729bef8ee804a75b9e20e81508782d#file-_results_
    HTTP Latency
    +----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
    | Percentile (%) | Serialization (µs) | Request (µs) | Parse (µs) | Compile (µs) | Eval (µs) | Processing (µs) |
    +----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
    | 50             | 2                  | 358          | 11         | 43           | 180       | 14              |
    | 75             | 3                  | 389          | 12         | 45           | 186       | 16              |
    | 90             | 3                  | 437          | 13         | 49           | 200       | 19              |
    | 95             | 4                  | 495          | 15         | 56           | 234       | 23              |
    | 99             | 8                  | 1886         | 29         | 87           | 736       | 35              |
    | 99.9           | 23                 | 2583         | 221        | 205          | 2215      | 69              |
    | 99.99          | 72                 | 3357         | 1920       | 264          | 2617      | 161             |
    +----------------+--------------------+--------------+------------+--------------+-----------+-----------------+
    Benchmarked policy (1000 rules with 10 hits):
    allow {
      input.method = "GET"
      input.path = ["finance", "salary", account_id]
      input.user_id = account_id
    }
    Note: v0.6 will reduce eval latency by two orders of magnitude
  • 43. openpolicyagent.org Integration: Python
    import requests

    def check_request(request):
        body = {                                          # prepare body for OPA query by...
            "input": {                                    # supplying input data containing...
                "auth_user": request.token.username,      # authenticated username/identity (e.g., bob)
                "path": request.path.split("/"),          # HTTP URL path (e.g., /widgets/12345)
                "method": request.method,                 # HTTP method (e.g., POST, GET, DELETE, etc.)
            }
        }
        # query authorization policy in OPA for 'allow' decision (sent as JSON, not form data)
        response = requests.post("http://opa:8181/v1/data/acmecorp/api/authz/allow", json=body)
        # check OPA response for 'allow' decision; the document queried is the
        # 'allow' rule itself, so "result" holds the boolean. A missing "result"
        # means the rule was undefined and must be treated as a rejection.
        if response.json().get("result") is not True:
            raise Exception("request rejected by administrative policy")
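The slide's client checks one boolean decision. As an added example (not code from the slides or the OPA project), the Python client below handles the cases a production integration has to cover: a rule that is undefined (OPA replies with no "result" key), an OPA that is unreachable, and a non-boolean decision such as the Terraform risk score on slide 26. The OPA URL, the policy paths example/allow and terraform/risk_score, and the fake_opa stand-in are assumptions constructed here so the code runs offline.

```python
import json
import urllib.error
import urllib.request

# Added example, not code from the slides: a fail-closed client for OPA's
# Enforcement API (POST /v1/data/<path>). OPA_URL and the two policy paths are
# assumptions; fake_opa is a constructed stand-in so this runs without an OPA.
OPA_URL = "http://opa:8181"

def build_input(user, method, path, body=None):
    """Shape request context into OPA's `input` document (slide 22 layout)."""
    return {
        "input": {
            "user": user,
            "method": method,
            "path": [p for p in path.split("/") if p],  # "/details/bob" -> ["details", "bob"]
            "body": body,
        }
    }

def post_json(url, payload, timeout=1.0):
    """Default transport: POST JSON to OPA and decode its reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def query(path, payload, transport=post_json):
    """Evaluate data.<path>; returns (defined, value). OPA answers {} with no
    "result" key when the rule is undefined, so that case is reported
    explicitly instead of being confused with a false/null decision."""
    try:
        reply = transport(f"{OPA_URL}/v1/data/{path}", payload)
    except (urllib.error.URLError, OSError, ValueError):
        return False, None  # unreachable OPA or unparseable reply: treat as undefined
    if not isinstance(reply, dict) or "result" not in reply:
        return False, None
    return True, reply["result"]

def is_allowed(user, method, path, transport=post_json):
    """Boolean decision: allow only when the policy evaluates to exactly true."""
    defined, result = query("example/allow", build_input(user, method, path), transport)
    return defined and result is True

def risk_score(plan, transport=post_json):
    """Numeric decision (slide 26 style); None when no score was produced."""
    defined, result = query("terraform/risk_score", {"input": plan}, transport)
    if defined and isinstance(result, (int, float)) and not isinstance(result, bool):
        return result
    return None

def fake_opa(url, payload):
    """Constructed stand-in for OPA: a user may GET only their own details."""
    rule = url.split("/v1/data/", 1)[1]
    inp = payload["input"]
    if rule == "example/allow":
        if inp["method"] == "GET" and inp["path"] == ["details", inp["user"]]:
            return {"result": True}
        return {}  # undefined: no explicit deny rule, absence is already a deny
    if rule == "terraform/risk_score":
        return {"result": 15}
    return {}

def unreachable_opa(url, payload):
    """Constructed transport that simulates OPA being down."""
    raise urllib.error.URLError("connection refused")
```

Pass `transport=post_json` (the default) to talk to a real OPA; the fake transports exist only so the decision handling can be exercised offline.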
  • 44. openpolicyagent.org Related Projects
    Project            | Open Source | Decentralized | Non-boolean Decisions | Context-aware
    OPA                | Apache 2    | Yes           | Yes                   | Yes
    Firebase Rules     | No          | Yes           | No                    | Yes
    HashiCorp Sentinel | No          | Yes           | No                    | Yes (*)
    OpenStack Congress | Apache 2    | No            | Yes                   | Yes (**)
    Ladon (XACML)      | Apache 2    | Yes           | No                    | Yes (*)
  • 45. openpolicyagent.org Project Status
    Features as of v0.6.0
    ● Language
    ● Query evaluation
    ● Partial evaluation
    ● Tracing & Explanations
    ● REPL
    ● HTTP APIs
    ● Pluggable storage
    ● Triggers
    ● Transactions
    ● Test Framework
    ● HTTPS
    ● Authentication (Bearer Tokens)
    ● Authorization
    Roadmap
    ● Features
      ○ Partial Eval
      ○ CEL compatibility
      ○ Performance profiles
      ○ Local disk storage
      ○ Etcd storage
      ○ Query profiling
      ○ Query benchmarking
      ○ Failure explanations
      ○ Golang plugin built-ins
      ○ JavaScript built-ins
      ○ Remediation engine
      ○ Remote REPL
    ● Integrations
      ○ OpenShift
      ○ DCOS
      ○ Docker ecosystem
      ○ Standard library
    Community
    ● slack.openpolicyagent.org
    ● blog.openpolicyagent.org
    ● github.com/open-policy-agent/opa
    ● github.com/open-policy-agent/library