Open Policy Agent
Policy-based control for cloud native environments.
Agenda
● Community
● Overview
○ Features
○ Integrations
○ Roadmap
● Use case deep dive
○ Kubernetes admission control
○ Microservice API authorization
● Q&A
OPA: Community
Inception
Project started in 2016 at Styra.
Goal
Unify policy enforcement across the stack.
Use Cases
Admission control
Authorization
ACLs
RBAC
IAM
ABAC
Risk management
Data Protection
Data Filtering
Users
Netflix
Chef
Medallia
Cloudflare
State Street
Pinterest
Intuit
Capital One
...and many more.
Today
CNCF project (Sandbox)
36 contributors
400 slack members
1.6K stars
20+ integrations
What Is OPA?
openpolicyagent.org
[Diagram: a Service sends a Query (the Request, as input) to OPA; OPA evaluates Policy (Rego) against Data (JSON) and returns a Decision.]
OPA: General-purpose policy engine
Example: "Salary Service V1" asks OPA whether a request may proceed.
Request received by the service:
GET /salary/bob HTTP/1.1
Authorization: alice
Query sent to OPA (the request re-encoded as JSON input):
{
  "method": "GET",
  "path": ["salary", "bob"],
  "user": "alice"
}
Decision returned to the service:
true or false
OPA: General-purpose policy engine
"Service" refers to any one of:
● Custom service
● API gateway
● Message broker
● Kubernetes API server
● CI/CD pipeline script
Input can be any JSON value:
"alice"
["v1", "users", "bob"]
{"kind": "Pod", "spec": …}
Output can be any JSON value:
true
"request rejected"
{"servers": ["web1", "web2"]}
OPA: Features
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
OPA: Integrations
Admission Control
“Restrict ingress hostnames for payments team.”
“Ensure container images come from corporate repo.”
API Authorization
“Deny test scripts access to production services.”
“Allow analysts to access APIs serving anonymized data.”
Linux PAM (SSH & sudo)
“Only allow on-call engineers to SSH into production servers.”
Data Protection
"Trades exceeding $10M must be executed between 9AM and 5PM and require MFA."
Data Filtering
"Users can access files for past 6 months related to the region they licensed."
Roadmap
(2018/11 through 2019/02)
Major Features
● Extend Wasm coverage
● Improve support for hierarchical permissions
● Solve variable scoping problem
● LDAP built-in function(s)
● Rego playground
Timeline (November, December, January, February)
● Fuzzing
● Frontpage refresh
● Wasm negation
● Wasm composites
● Variable scoping
● LDAP built-in(s)
● Wasm built-in functions
● JS SDK
● Playground
● Hierarchy
● Documentation refresh
● Wasm context
● Wasm with keyword
● Wasm rules
● Wasm comprehensions
● Wasm non-boolean results
WebAssembly
● As of #990, OPA policies can be compiled into WebAssembly (Wasm). Wasm provides a safe, efficient, portable runtime for policy enforcement on platforms like CDNs, AWS Lambda, and more.
● Over the next few months, Wasm support will be extended to cover more of the policy language and enable daemonless OPA integrations in a variety of languages. See #1024 for details.
Hierarchical Permissions
● Hierarchical permission models are common (e.g., parent node permissions are a superset of child node permissions, recursively). Today, OPA does not permit recursion in policies. This prevents policies from performing traversal operations that would check these kinds of permissions. See #947.
● Plan: evaluate options for supporting hierarchical permission models in OPA and implement solution.
Possible Solutions:
1. Add support for limited forms of recursion.
2. Add support for keyword/operator like transitive closure.
3. Keep existing constraints but document & optimize pattern for fixed-depth solution. E.g., (😱):
tc(tree, key) = result {
    x1 := {x | x := tree[key][_]}
    x2 := {x | x := tree[x1[_]][_]}
    x3 := {x | x := tree[x2[_]][_]}
    result := {key} | x1 | x2 | x3   # only reaches three levels below key
}
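The fixed-depth workaround from option 3, written out as a runnable, tested module. This is an added example, not code from the deck or the OPA project: the org tree is constructed data, and next to the three-level closure it uses graph.reachable, a built-in that later OPA releases added for exactly this traversal problem, to show where the fixed-depth pattern silently stops. It uses the import rego.v1 syntax (if, :=) so it runs on current OPA; run it with opa test hierarchy.rego -v.

```rego
# Added example (not from the deck or the OPA project). Constructed org tree:
# parent -> set of children. A permission granted on a node is meant to cover
# every descendant, however deep.
package hierarchy

import rego.v1

tree := {
	"corp": {"eng", "sales"},
	"eng": {"platform", "mobile"},
	"platform": {"k8s"},
	"k8s": {"ingress"},
}

# Option 3 from the slide: a fixed-depth closure that needs no recursion.
# It only sees nodes up to three levels below `key`, so "ingress" (four
# levels below "corp") is missed. tree[key] undefined yields an empty set.
tc_fixed(key) := result if {
	x1 := {x | some x in tree[key]}
	x2 := {x | some p in x1; some x in tree[p]}
	x3 := {x | some p in x2; some x in tree[p]}
	result := (({key} | x1) | x2) | x3
}

# graph.reachable (built in to later OPA releases) walks to any depth and
# returns the start node plus everything reachable from it.
tc_full(key) := reach if reach := graph.reachable(tree, {key})

# Does a grant on `granted` cover `target`?
covers(granted, target) if target in tc_full(granted)

# --- tests: opa test hierarchy.rego -v ---

test_fixed_depth_stops_at_three_levels if {
	reach := tc_fixed("corp")
	"k8s" in reach
	not "ingress" in reach
}

test_reachable_covers_any_depth if {
	"ingress" in tc_full("corp")
	covers("eng", "ingress")
	not covers("sales", "k8s")
}
```

The first test is the point of the slide: a policy built on the fixed-depth pattern quietly denies (or, worse, fails to deny) anything one level deeper than the author anticipated, so the depth must be enforced on the data side if that pattern is kept.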
Rego Playground
● Users don't have a good way to easily share snippets of Rego. Mediums like Slack and Gists are fine for trivial examples but are lacking in terms of discoverability, readability, etc.
● Providing an online playground (similar to play.golang.org) would allow users to easily experiment with and share snippets of Rego.
● The MVP for the playground will provide users with a way to write, check, evaluate, and publish snippets of policy so that they can be shared with others.
[Mockup: an editor holding a policy ("package foo" with several "allow" rules), an Output pane showing {"allow": true}, and a Share button.]
LDAP Built-in Functions
● LDAP is a common source of context for policy decisions. Today, we recommend that integrations embed that context into a token during authentication. In some cases, this approach does not scale well and/or it may create undesirable coupling between the authentication server and the policy.
● Goal: Add built-in functions to Rego that allow policies to execute LDAP queries during evaluation. See #938.
Variable Scoping
● Earlier this year OPA added dedicated operators for assignment and comparison (:= and ==). While less powerful than the unification operator (=) their scoping rules are more obvious to new users and avoid capturing issues in large policy files.
● OPA does not currently have a similar solution for variables that appear as reference operands.
Goal
Introduce syntax so that authors can make variables in references shadow globals.
Example (current behaviour)
x = 1
p {
    q[x] # refers to global x
}
Fuzz Testing
● In #948 we discovered a panic in the error handling portion in OPA's parser. To uncover similar issues and reduce the likelihood of panics in the future, we are going to apply a fuzzer (go-fuzz) seeded with a corpus of valid Rego extracted from the OPA codebase.
Frontpage Refresh
● Over the past year, the OPA end-user community has grown substantially. We have also seen OPA integrated with a number of new projects.
● While the current frontpage describes the goals of the project, it lacks concrete examples of the types of problems OPA is helping solve today.
● The goal of the frontpage refresh is to give newcomers a clearer idea of how they can leverage OPA.
Documentation Refresh
● As OPA has matured, we have learned about what works in the
documentation (and what doesn't). We plan to rework some of the
documentation to help people ramp up on OPA concepts and mechanics
quicker.
● New Docs:
○ "Examples" section that serves as a policy catalogue for popular projects.
○ "Cheat Sheet" section that captures common policy language idioms. See #268.
○ "Integration" section that explains OPA integration options. See #372.
● Improved Docs:
○ Refactor docs to prefer := and == over =. See #952.
○ Extend Best Practices & FAQ with more information. See #633.
Help Wanted
● Add authentication based on mutual TLS (#1040)
● Add stack trace support to topdown (#555)
● Integrations:
○ Prometheus integration to monitor for policy violations
■ OPA policies can audit the state of systems (e.g., Kubernetes) to detect problems
■ Query results could be pushed into Prometheus and surfaced with graphs (e.g., # of
security context violations/time.)
○ Spinnaker integration to enforce invariants
■ Similar use case to Kubernetes admission control, Terraform risk management.
■ Integrate with Spinnaker to enforce OPA policies in CD pipelines.
Issues labelled low-hanging-fruit or help-wanted are good candidates for first contribution.
How does OPA work?
[Diagram: Salary Service V1 queries OPA, which evaluates Policy (Rego) against Data (JSON) and returns a Decision.]
Example policy
"Employees can read their own salary and the salary of anyone they manage."
OPA: Declarative Language (Rego)
Example policy
Employees can read their own salary and the salary of anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "bob"
Context Data
{
  "managers": {
    "bob": ["alice", "fred"],
    "alice": ["fred"]
  }
}
Policy
import data.managers
allow = true {
    input.method = "GET"
    input.path = ["salary", employee_id]
    input.user = employee_id
}
allow = true {
    input.method = "GET"
    input.path = ["salary", employee_id]
    input.user = managers[employee_id][_]
}
How OPA evaluates this (the slides step through it one substitution at a time):
1. In the first rule, input.path = ["salary", employee_id] unifies employee_id with "bob", so the last expression becomes input.user = "bob". For user "bob" every expression succeeds and allow is true.
2. Different user now! For user "alice" the expression input.user = "bob" will "FAIL", so the first rule does not produce a value.
3. The second rule binds employee_id to "bob" the same way and then iterates managers["bob"], i.e. ["alice", "fred"]. input.user = "alice" matches the first element, so allow is true for alice.
4. When no rule body succeeds, allow is undefined rather than false; the calling service must treat an undefined (or missing) result as a denial, or the policy should declare default allow = false.
More information at openpolicyagent.org
See How Do I Write Policies?
- Explains language constructs
See Language Reference
- Documents built-in functions: glob,
regex, JWTs, x509, etc.
See Tutorials section
- HTTP APIs, Kubernetes, Docker,
Terraform, Kafka, SSH, etc.
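The two-rule salary policy above as a complete, testable module. This is an added example, not code from the deck or the OPA project: it uses the import rego.v1 syntax (if, :=) so it runs on current OPA, adds a default allow := false so a request matched by neither rule is denied rather than left undefined, and the employee_id helper, the managers_fixture data and the test names are assumptions made here. Run it with opa test salary.rego -v.

```rego
# Added example (not from the deck or the OPA project): the deck's two salary
# rules as a complete module with fail-closed default and unit tests.
package salary

import rego.v1

# Deny anything no rule below explicitly allows.
default allow := false

# The employee whose salary is requested: "bob" for GET /salary/bob.
# Undefined for any other method or path shape, which keeps both rules off.
employee_id := input.path[1] if {
	input.method == "GET"
	count(input.path) == 2
	input.path[0] == "salary"
}

# Rule 1: employees can read their own salary.
allow if input.user == employee_id

# Rule 2: ... and the salary of anyone they manage.
# data.managers maps an employee to the list of people who manage them.
allow if input.user in data.managers[employee_id]

# --- tests: opa test salary.rego -v ---

# Constructed context data, same shape as the deck's "managers" object.
managers_fixture := {
	"bob": ["alice", "fred"],
	"alice": ["fred"],
}

test_employee_reads_own_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "bob"} with data.managers as managers_fixture
}

test_manager_reads_report_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "alice"} with data.managers as managers_fixture
}

test_report_cannot_read_manager_salary if {
	not allow with input as {"method": "GET", "path": ["salary", "alice"], "user": "bob"} with data.managers as managers_fixture
}

test_writes_are_denied if {
	not allow with input as {"method": "PUT", "path": ["salary", "bob"], "user": "bob"} with data.managers as managers_fixture
}
```

The third test is the one worth keeping in a real policy: bob manages nobody in this data, so a request for alice's salary must fall through both rules to the default. Without the default the service would receive an undefined result, which is why the caller-side contract (undefined means deny) or the explicit default matters.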
OPA: Use Cases
openpolicyagent.org
[Diagram: an OPA instance sits beside each enforcement point: Cloud Orchestrator (Risk Management), Linux hosts (Container Execution, SSH, sudo), Admission Control, Microservice APIs, and Data Protection & Data Filtering.]
Use Cases: Kubernetes
[Diagram: OPA attached to the apiserver (authorization and admission control), the scheduler, the federation control plane, controllers, and nodes.]
Current Use Cases
● Federated Workload Placement
● Pod Scheduling
● Authorization
● Admission Control
● Audit
Future Use Cases
● Storage policy (in progress)
● Network policy
Use Cases: Kubernetes: Admission Control
[Diagram: kubectl apply -f app.yaml reaches the apiserver, whose admission controllers (quota, exec, webhook) call out to OPA.]
Example Policies
● Images may only be pulled from internal registry
● Only scanned images may be deployed in namespaces A, B, and C
● QA team must sign-off on image before deployed to production
● Stateful deployments must use ‘recreate’ update strategy
● Developers must not modify selectors or labels referred to by selectors after creation
● Containers must have CPU and memory resource requests and limits set
● Containers cannot run with privileged security context
● Services in namespace X should have AWS SSL annotation added
Use Cases: Kubernetes: Admission Control
kind: Pod
metadata:
  labels:
    app: nginx
  name: nginx-1493591563-bvl8q
  namespace: production
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  nodeName: minikube
  restartPolicy: Always
status:
  containerStatuses:
  - name: nginx
    ready: true
  hostIP: 192.168.99.100
  phase: Running
  podIP: 172.17.0.4

# references
spec.containers[0].image
# variables and iteration
container := spec.containers[index]
# expressions
container.securityContext.privileged == true
# functions
is_privileged(container) {
    container.securityContext.privileged == true
}
# rules
deny {
    review.user == "bob"
    review.operation == "CREATE"
    review.namespace == "production"
    is_privileged(spec.containers[_])
}
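A complete admission policy built from the pieces above (the is_privileged function and the deny rule), as an added example that is not code from the deck or the OPA project. It is written against the Kubernetes AdmissionReview object a validating webhook receives, so the slide's review.user, review.operation and review.namespace become input.request.userInfo.username, input.request.operation and input.request.namespace, and init containers are checked as well as regular ones. The main response rule, the fixture (the slide's nginx Pod wrapped in a constructed AdmissionReview with a made-up uid) and the test names are assumptions made here. Run with opa test admission.rego -v.

```rego
# Added example (not from the deck or the OPA project): "containers cannot
# run with privileged security context" in the production namespace, as a
# validating-webhook policy over a Kubernetes AdmissionReview.
package kubernetes.admission

import rego.v1

# Every container in the Pod, init containers included (a common gap).
containers contains c if some c in input.request.object.spec.containers

containers contains c if some c in input.request.object.spec.initContainers

is_privileged(c) if c.securityContext.privileged == true

# Privileged containers are refused on create or update in production.
deny contains msg if {
	input.request.kind.kind == "Pod"
	input.request.operation in {"CREATE", "UPDATE"}
	input.request.namespace == "production"
	some c in containers
	is_privileged(c)
	msg := sprintf("container %v must not run privileged in namespace %v (requested by %v)", [
		c.name,
		input.request.namespace,
		input.request.userInfo.username,
	])
}

# Admit only when no deny message was produced.
default allowed := false

allowed if count(deny) == 0

# AdmissionReview response returned to the API server.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": {
		"uid": input.request.uid,
		"allowed": allowed,
		"status": {"message": concat("; ", deny)},
	},
}

# --- tests: opa test admission.rego -v ---

# Constructed AdmissionReview carrying the privileged nginx Pod from the slide.
review_fixture := {"request": {
	"uid": "11111111-2222-3333-4444-555555555555",
	"kind": {"group": "", "version": "v1", "kind": "Pod"},
	"operation": "CREATE",
	"namespace": "production",
	"userInfo": {"username": "bob"},
	"object": {
		"kind": "Pod",
		"metadata": {"name": "nginx-1493591563-bvl8q", "namespace": "production", "labels": {"app": "nginx"}},
		"spec": {"containers": [{
			"name": "nginx",
			"image": "nginx",
			"securityContext": {"privileged": true},
		}]},
	},
}}

test_privileged_pod_in_production_denied if {
	count(deny) == 1 with input as review_fixture
	main.response.allowed == false with input as review_fixture
}

test_same_pod_allowed_outside_production if {
	staging := json.patch(review_fixture, [{"op": "replace", "path": "/request/namespace", "value": "staging"}])
	count(deny) == 0 with input as staging
}

test_unprivileged_pod_allowed if {
	fixed := json.patch(review_fixture, [{"op": "replace", "path": "/request/object/spec/containers/0/securityContext/privileged", "value": false}])
	main.response.allowed == true with input as fixed
}
```

Two design choices carry the security weight here: deny is a set of messages rather than a single boolean, so several violations surface at once and the operator sees why the Pod was refused, and allowed is derived from that set with a false default, so a policy that produces nothing (for instance because the request shape was unexpected) still yields a well-formed deny rather than an undefined response.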
Use Cases: Microservice APIs
[Diagram: a Landing Page calls the Details, Reviews and Ratings services (GET /details/{id}, GET /reviews/{id}, GET /ratings/{id}); an OPA sidecar sits beside each service.]
Use Cases: Microservice APIs
Policy Query (landing_page calling details; the details service asks its local OPA)
POST opa:8181/v1/data/example/allow
{
  "input": {
    "path": ["details", "bob"],
    "method": "GET",
    "source": "landing_page",
    "target": "details",
    "query_params": {},
    "user": "alice",
    "body": null
  }
}
Policy Decision
200 OK
{
  "result": true
}
Use Cases: Microservice APIs
Example Policies
● Service Graph: “Reviews service can
talk to ratings but details cannot.”
● Org Chart: “Managers can view
reviews of team members but peers
cannot.”
● PII: “Only HR can see SSN in
employee details.”
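A policy that answers the POST /v1/data/example/allow query shown earlier (package example, rule allow) and implements the service-graph and PII policies from this slide, as an added example that is not code from the deck or the OPA project. The service_graph and groups data are constructed, the redact rule (which returns the set of field names the target must strip, illustrating a non-boolean decision) and the fixtures are assumptions made here, and the module uses import rego.v1 syntax. Run with opa test example.rego -v.

```rego
# Added example (not from the deck or the OPA project): service-to-service
# authorization plus a data-protection decision for the microservice demo.
package example

import rego.v1

default allow := false

# Constructed service graph: caller -> set of services it may invoke.
# "Reviews service can talk to ratings but details cannot."
service_graph := {
	"landing_page": {"details", "reviews"},
	"reviews": {"ratings"},
}

# Service graph rule: the caller needs an edge to the target, and the request
# path must actually address that target (GET /<target>/<id>).
allow if {
	input.method == "GET"
	input.target in service_graph[input.source]
	count(input.path) == 2
	input.path[0] == input.target
}

# Data protection rule returned as a set of fields to strip from the response.
# "Only HR can see SSN in employee details." Unknown users get redaction too.
redact contains "ssn" if {
	input.target == "details"
	not "hr" in data.groups[input.user]
}

# --- tests: opa test example.rego -v ---

# The query body from the slide, as the policy input.
query_fixture := {
	"path": ["details", "bob"],
	"method": "GET",
	"source": "landing_page",
	"target": "details",
	"query_params": {},
	"user": "alice",
	"body": null,
}

# Constructed group membership.
groups_fixture := {"alice": ["engineering"], "hilda": ["hr"]}

test_landing_page_may_read_details if {
	allow with input as query_fixture
}

test_details_may_not_call_ratings if {
	req := object.union(query_fixture, {"source": "details", "target": "ratings", "path": ["ratings", "bob"]})
	not allow with input as req
}

test_ssn_hidden_from_non_hr if {
	redact == {"ssn"} with input as query_fixture with data.groups as groups_fixture
}

test_ssn_visible_to_hr if {
	req := object.union(query_fixture, {"user": "hilda"})
	redact == set() with input as req with data.groups as groups_fixture
}
```

The source and target fields come from the calling sidecar, so in a real deployment they must be derived from an authenticated identity (for example the peer certificate in a service mesh), not from a header the caller can set; otherwise the service graph check only restrains honest callers.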
Thank You!
github.com/open-policy-agent/opa
slack.openpolicyagent.org

Mais conteúdo relacionado

Mais procurados

Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Zabbix Performance Tuning
Zabbix Performance TuningZabbix Performance Tuning
Zabbix Performance TuningRicardo Santos
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdfOSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdfNETWAYS
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링OpenStack Korea Community
 
Grafana Loki: like Prometheus, but for Logs
Grafana Loki: like Prometheus, but for LogsGrafana Loki: like Prometheus, but for Logs
Grafana Loki: like Prometheus, but for LogsMarco Pracucci
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 
Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Animesh Singh
 
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioTHE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioDevOpsDays Tel Aviv
 
OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfJuanSalinas593459
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introductionJason Vance
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Megan O'Keefe
 

Mais procurados (20)

Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Zabbix Performance Tuning
Zabbix Performance TuningZabbix Performance Tuning
Zabbix Performance Tuning
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdfOSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
 
infrastructure as code
infrastructure as codeinfrastructure as code
infrastructure as code
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
 
Final terraform
Final terraformFinal terraform
Final terraform
 
Grafana Loki: like Prometheus, but for Logs
Grafana Loki: like Prometheus, but for LogsGrafana Loki: like Prometheus, but for Logs
Grafana Loki: like Prometheus, but for Logs
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeper
 
Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!
 
Architecture: Microservices
Architecture: MicroservicesArchitecture: Microservices
Architecture: Microservices
 
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioTHE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
 
OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdf
 
Terraform
TerraformTerraform
Terraform
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)
 

Semelhante a Open Policy Agent

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data LakeAshutosh Narkar
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsNebulaworks
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Andrejs Prokopjevs
 
Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Nelson Calero
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldAshutosh Narkar
 
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...NETWAYS
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsTorin Sandall
 
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingAlan Sill
 
Xtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceXtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceMichael Oryszak
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restoregemziebeth
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1aspyker
 
Accelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoftAccelerate integration with SAP using MuleSoft
Accelerate integration with SAP using MuleSoftNeerajKumar1965
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerSmartBear
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshSion Smith
 
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...
Data Con LA 2022-Open Source or Open Core in Your Data Layer? What Needs to B...Data Con LA
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
 

Semelhante a Open Policy Agent (20)

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
 
Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
 
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
OSMC 2023 | What’s new with Grafana Labs’s Open Source Observability stack by...
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker Environments
 
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computingISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
ISC Cloud13 Sill - Crossing organizational boundaries in cloud computing
 
Xtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conferenceXtending nintex workflow cloud w azure functions - xchange conference
Xtending nintex workflow cloud w azure functions - xchange conference
 
Open Policy Agent

  • 10-13. OPA: Features (built up over four slides)
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
(Diagram: a Service sends a Request; OPA evaluates the Query against Policy (Rego) and Data (JSON) and returns a Decision.)
  • 14. OPA: Integrations
Admission Control
"Restrict ingress hostnames for payments team."
"Ensure container images come from corporate repo."
API Authorization
"Deny test scripts access to production services."
"Allow analysts to access APIs serving anonymized data."
Linux PAM (SSH & sudo)
"Only allow on-call engineers to SSH into production servers."
Data Protection & Data Filtering
"Trades exceeding $10M must be executed between 9AM and 5PM and require MFA."
"Users can access files for past 6 months related to the region they licensed."
  • 16. Roadmap: Major Features
● Extend Wasm coverage
● Improve support for hierarchical permissions
● Solve variable scoping problem
● LDAP built-in function(s)
● Rego playground
  • 17. Roadmap: Timeline (November through February)
● Fuzzing
● Frontpage refresh
● Wasm negation
● Wasm composites
● Variable scoping
● LDAP built-in(s)
● Wasm built-in functions
● JS SDK
● Playground
● Hierarchy
● Documentation refresh
● Wasm context
● Wasm with keyword
● Wasm rules
● Wasm comprehensions
● Wasm non-boolean results
  • 18. WebAssembly
● As of #990, OPA policies can be compiled into WebAssembly (Wasm). Wasm provides a safe, efficient, portable runtime for policy enforcement on platforms like CDNs, AWS Lambda, and more.
● Over the next few months, Wasm support will be extended to cover more of the policy language and enable daemonless OPA integrations in a variety of languages. See #1024 for details.
  • 19. Hierarchical Permissions
● Hierarchical permission models are common (e.g., parent node permissions are a superset of child node permissions, recursively). Today, OPA does not permit recursion in policies. This prevents policies from performing traversal operations that would check these kinds of permissions. See #947.
● Plan: evaluate options for supporting hierarchical permission models in OPA and implement a solution. Possible solutions:
1. Add support for limited forms of recursion.
2. Add support for a keyword/operator like transitive closure.
3. Keep existing constraints but document & optimize the pattern for a fixed-depth solution. E.g. (😱):

    tc(tree, key) = {key} | x1 | x2 | x3 {
        x1 := {x | x := tree[key][_]}
        x2 := {x | x := tree[x1[_]][_]}
        x3 := {x | x := tree[x2[_]][_]}
    }
  • 20. Rego Playground
● Users don't have a good way to easily share snippets of Rego. Mediums like Slack and Gists are fine for trivial examples but are lacking in terms of discoverability, readability, etc.
● Providing an online playground (similar to play.golang.org) would allow users to easily experiment with and share snippets of Rego.
● The MVP for the playground will provide users with a way to write, check, evaluate, and publish snippets of policy so that they can be shared with others.
(Mockup: an editor holding "package foo" with three allow rules, an Output pane showing { "allow": true }, and a Share button.)
  • 21. LDAP Built-in Functions
● LDAP is a common source of context for policy decisions. Today, we recommend that integrations embed that context into a token during authentication. In some cases, this approach does not scale well and/or it may create undesirable coupling between the auth/n server and the policy.
● Goal: Add built-in functions to Rego that allow policies to execute LDAP queries during evaluation. See #938.
  • 22. Variable Scoping
● Earlier this year OPA added dedicated operators for assignment and comparison (:= and ==). While less powerful than the unification operator (=), their scoping rules are more obvious to new users and avoid capturing issues in large policy files.
● OPA does not currently have a similar solution for variables that appear as reference operands.
Goal: Introduce syntax so that authors can make variables in references shadow globals.
Example (current behaviour):

    x = 1
    p {
        q[x]  # refers to global x
    }

  • 23. Fuzz Testing
● In #948 we discovered a panic in the error handling portion of OPA's parser. To uncover similar issues and reduce the likelihood of panics in the future, we are going to apply a fuzzer (go-fuzz) seeded with a corpus of valid Rego extracted from the OPA codebase.
  • 24. Frontpage Refresh
● Over the past year, the OPA end-user community has grown substantially. We have also seen OPA integrated with a number of new projects.
● While the current frontpage describes the goals of the project, it lacks concrete examples of the types of problems OPA is helping solve today.
● The goal of the frontpage refresh is to give newcomers a clearer idea of how they can leverage OPA.
  • 25. Documentation Refresh
● As OPA has matured, we have learned about what works in the documentation (and what doesn't). We plan to rework some of the documentation to help people ramp up on OPA concepts and mechanics quicker.
● New Docs:
○ "Examples" section that serves as a policy catalogue for popular projects.
○ "Cheat Sheet" section that captures common policy language idioms. See #268.
○ "Integration" section that explains OPA integration options. See #372.
● Improved Docs:
○ Refactor docs to prefer := and == over =. See #952.
○ Extend Best Practices & FAQ with more information. See #633.
  • 26. Help Wanted
● Add authentication based on mutual TLS (#1040)
● Add stack trace support to topdown (#555)
● Integrations:
○ Prometheus integration to monitor for policy violations
■ OPA policies can audit the state of systems (e.g., Kubernetes) to detect problems
■ Query results could be pushed into Prometheus and surfaced with graphs (e.g., # of security context violations/time)
○ Spinnaker integration to enforce invariants
■ Similar use case to Kubernetes admission control, Terraform risk management.
■ Integrate with Spinnaker to enforce OPA policies in CD pipelines.
Issues labelled low-hanging-fruit or help-wanted are good candidates for a first contribution.
  • 27. How does OPA work?
  • 28. How does OPA work?
(Diagram: Salary Service V1 sends a Request; OPA evaluates the Query against Policy (Rego) and Data (JSON) and returns a Decision.)
Example policy: "Employees can read their own salary and the salary of anyone they manage."
  • 29-30. OPA: Declarative Language (Rego)
Example policy: Employees can read their own salary and the salary of anyone they manage.
Input Data:

    method: "GET"
    path: ["salary", "bob"]
    user: "bob"

  • 31. OPA: Declarative Language (Rego)
First rule: an employee can read their own salary.

    allow = true {
        input.method = "GET"
        input.path = ["salary", employee_id]
        input.user = employee_id
    }

  • 32. The same rule shown with employee_id bound to "bob" by the input on slide 30:

    allow = true {
        input.method = "GET"
        input.path = ["salary", "bob"]
        input.user = "bob"
    }

  • 33. Different user now! Same rule as slide 31, but the Input Data changes:

    method: "GET"
    path: ["salary", "bob"]
    user: "alice"

  • 34. With employee_id bound to "bob", the statement input.user = "bob" will "FAIL" for user "alice":

    allow = true {
        input.method = "GET"
        input.path = ["salary", "bob"]
        input.user = "bob"
    }

  • 35. Context Data (who manages whom: bob is managed by alice and fred, alice is managed by fred):

    {
      "managers": {
        "bob": ["alice", "fred"],
        "alice": ["fred"]
      }
    }

  • 36. A second rule covers managers, using the Context Data:

    import data.managers

    allow = true {
        input.method = "GET"
        input.path = ["salary", employee_id]
        input.user = employee_id
    }

    allow = true {
        input.method = "GET"
        input.path = ["salary", employee_id]
        input.user = managers[employee_id][_]
    }

  • 37. The second rule with employee_id bound to "bob":

    allow = true {
        input.method = "GET"
        input.path = ["salary", "bob"]
        input.user = managers["bob"][_]
    }

  • 38. Iterating over managers["bob"] binds "alice", which matches input.user:

    allow = true {
        input.method = "GET"
        input.path = ["salary", "bob"]
        input.user = "alice"
    }

  • 39. More information at openpolicyagent.org
See How Do I Write Policies? - Explains language constructs
See Language Reference - Documents built-in functions: glob, regex, JWTs, x509, etc.
See Tutorials section - HTTP APIs, Kubernetes, Docker, Terraform, Kafka, SSH, etc.
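The two salary rules from slides 31-38 written as one complete, testable Rego file. This is an added example, not from the deck: it uses `import rego.v1` syntax (so `if` is required, OPA 0.59 or later), the `managers` fixture is constructed from the Context Data above, and the tests run with `opa test salary.rego`.

```rego
package salary

import rego.v1

# Fail closed: any request not explicitly allowed is denied.
default allow := false

# Rule 1: an employee may read their own salary.
allow if {
	input.method == "GET"
	employee_id := requested_employee
	input.user == employee_id
}

# Rule 2: a manager may read the salary of anyone they manage.
# data.managers maps an employee to the list of people who manage them;
# an employee with no entry simply leaves this rule undefined.
allow if {
	input.method == "GET"
	employee_id := requested_employee
	some manager in data.managers[employee_id]
	input.user == manager
}

# The employee whose salary is requested, defined only for /salary/<id>.
# Any other path shape leaves allow undefined, i.e. denied by the default.
requested_employee := input.path[1] if {
	count(input.path) == 2
	input.path[0] == "salary"
}

# Constructed fixture mirroring the slides' Context Data (test data, not
# production data; in a deployment this arrives via the bundle API).
managers_fixture := {"bob": ["alice", "fred"], "alice": ["fred"]}

test_employee_reads_own_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "bob"}
		with data.managers as managers_fixture
}

test_manager_reads_report_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "alice"}
		with data.managers as managers_fixture
}

# bob is managed by alice, not the other way round, so bob is a peer here.
test_report_cannot_read_manager_salary if {
	not allow with input as {"method": "GET", "path": ["salary", "alice"], "user": "bob"}
		with data.managers as managers_fixture
}

test_write_is_denied if {
	not allow with input as {"method": "PUT", "path": ["salary", "bob"], "user": "bob"}
		with data.managers as managers_fixture
}

test_malformed_path_is_denied if {
	not allow with input as {"method": "GET", "path": ["salary"], "user": "bob"}
		with data.managers as managers_fixture
}
```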
  • 41. Use Cases
(Diagram: OPA enforcing policy at several layers: Cloud Orchestrator (Risk Management), Linux (Container Execution, SSH, sudo), Admission Control, Microservice APIs, Data Protection & Data Filtering.)
  • 42. Use Cases: Kubernetes
(Diagram: OPA alongside the apiserver (authorization, admission control), the scheduler, the federation control plane and the nodes.)
Current Use Cases
● Federated Workload Placement
● Pod Scheduling
● Authorization
● Admission Control
● Audit
Future Use Cases
● Storage policy (in progress)
● Network policy controllers
  • 43. Use Cases: Kubernetes: Admission Control
(Diagram: kubectl apply -f app.yaml → apiserver → admission controllers (quota, exec, webhook) → OPA.)
Example Policies
● Images may only be pulled from internal registry
● Only scanned images may be deployed in namespaces A, B, and C
● QA team must sign-off on image before deployed to production
● Stateful deployments must use 'recreate' update strategy
● Developers must not modify selectors or labels referred to by selectors after creation
● Containers must have CPU and memory resource requests and limits set
● Containers cannot run with privileged security context
● Services in namespace X should have AWS SSL annotation added
  • 44. Use Cases: Kubernetes: Admission Control
The Pod under review:

    kind: Pod
    metadata:
      labels:
        app: nginx
      name: nginx-1493591563-bvl8q
      namespace: production
    spec:
      containers:
      - image: nginx
        name: nginx
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      nodeName: minikube
      restartPolicy: Always
    status:
      containerStatuses:
      - name: nginx
        ready: true
      hostIP: 192.168.99.100
      phase: Running
      podIP: 172.17.0.4

Rego constructs used to inspect it:

    # references
    spec.containers[0].image

    # variables and iteration
    container := spec.containers[index]

    # expressions
    container.securityContext.privileged == true

    # functions
    is_privileged(container) {
        container.securityContext.privileged == true
    }

    # rules
    deny {
        review.user == "bob"
        review.operation == "CREATE"
        review.namespace == "production"
        is_privileged(spec.containers[_])
    }
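The fragments on slide 44 assembled into a runnable admission policy with unit tests. This is an added example, not from the deck: it assumes the webhook receives the standard AdmissionReview document as `input` (so `input.request.namespace` and `input.request.object.spec` replace the slide's shorthand `review` and `spec`), the review document below is constructed from the slide's Pod, and it uses `import rego.v1` syntax.

```rego
package kubernetes.admission

import rego.v1

# Deny privileged containers created in the production namespace. The webhook
# rejects the request when this set is non-empty and returns the messages.
deny contains msg if {
	input.request.kind.kind == "Pod"
	input.request.operation == "CREATE"
	input.request.namespace == "production"
	some container in input.request.object.spec.containers
	is_privileged(container)
	msg := sprintf("container %v in pod %v must not run privileged",
		[container.name, input.request.object.metadata.name])
}

# A container is privileged only when the flag is explicitly true. A missing
# securityContext leaves this undefined, which the deny rule treats as
# "not privileged" (Kubernetes defaults privileged to false).
is_privileged(container) if {
	container.securityContext.privileged == true
}

# Constructed AdmissionReview mirroring the slide's Pod (test data).
privileged_pod_review := {"request": {
	"kind": {"kind": "Pod"},
	"operation": "CREATE",
	"namespace": "production",
	"userInfo": {"username": "bob"},
	"object": {
		"metadata": {"name": "nginx-1493591563-bvl8q", "namespace": "production"},
		"spec": {"containers": [{
			"name": "nginx",
			"image": "nginx",
			"securityContext": {"privileged": true}
		}]}
	}
}}

test_privileged_pod_in_production_is_denied if {
	count(deny) == 1 with input as privileged_pod_review
}

# Same pod with the flag flipped to false: nothing to deny.
test_unprivileged_pod_is_allowed if {
	review := json.patch(privileged_pod_review, [{
		"op": "replace",
		"path": "/request/object/spec/containers/0/securityContext/privileged",
		"value": false
	}])
	count(deny) == 0 with input as review
}

# Same pod with no securityContext at all: the rule must not error out.
test_missing_security_context_is_allowed if {
	review := json.patch(privileged_pod_review, [{
		"op": "remove",
		"path": "/request/object/spec/containers/0/securityContext"
	}])
	count(deny) == 0 with input as review
}

# The policy is scoped to production; other namespaces are out of scope here.
test_privileged_pod_outside_production_is_not_denied if {
	review := json.patch(privileged_pod_review, [{
		"op": "replace", "path": "/request/namespace", "value": "dev"
	}])
	count(deny) == 0 with input as review
}
```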
  • 46. Use Cases (section divider; same diagram as slide 41)
  • 47. Use Cases: Microservice APIs
(Diagram: a Landing Page calling the Details, Reviews and Ratings services.)
  • 48. Use Cases: Microservice APIs
(Diagram: landing_page issues GET /reviews/{id}, GET /details/{id} and GET /ratings/{id} to the reviews, details and ratings services.)
  • 49. Use Cases: Microservice APIs
(Diagram: the same call graph, with an OPA sidecar next to each service.)
  • 50. Use Cases: Microservice APIs
Policy Query (sent by the details sidecar to its local OPA):

    POST opa:8181/v1/data/example/allow
    {
      "input": {
        "path": ["details", "bob"],
        "method": "GET",
        "source": "landing_page",
        "target": "details",
        "query_params": {},
        "user": "alice",
        "body": null
      }
    }

Policy Decision:

    200 OK
    { "result": true }

  • 51. Use Cases: Microservice APIs
Example Policies
● Service Graph: "Reviews service can talk to ratings but details cannot."
● Org Chart: "Managers can view reviews of team members but peers cannot."
● PII: "Only HR can see SSN in employee details."
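A service-graph policy answering the query on slide 50 and encoding the first example policy on slide 51. This is an added example, not from the deck: the `service_graph` data is constructed (in a deployment it would be pushed to each sidecar via the bundle API), the package name `example` matches the query URL `/v1/data/example/allow`, and it uses `import rego.v1` syntax.

```rego
package example

import rego.v1

default allow := false

# Constructed service graph (test data): the landing page may call all three
# backends, reviews may call ratings, details may call nothing. Callers not
# listed have no entry and fall through to the default deny.
service_graph := {
	"landing_page": {"details", "reviews", "ratings"},
	"reviews": {"ratings"},
	"details": set()
}

# A call is allowed when the declared target is reachable from the source and
# the request path actually addresses that target, so a caller cannot declare
# one target while hitting another service's route.
allow if {
	input.method == "GET"
	input.target in service_graph[input.source]
	input.path[0] == input.target
}

# The exact input document from the slide 50 query.
landing_page_request := {
	"path": ["details", "bob"], "method": "GET",
	"source": "landing_page", "target": "details",
	"query_params": {}, "user": "alice", "body": null
}

test_landing_page_may_read_details if {
	allow with input as landing_page_request
}

test_reviews_may_call_ratings if {
	allow with input as {"method": "GET", "source": "reviews", "target": "ratings", "path": ["ratings", "1"]}
}

test_details_may_not_call_ratings if {
	not allow with input as {"method": "GET", "source": "details", "target": "ratings", "path": ["ratings", "1"]}
}

test_declared_target_must_match_path if {
	not allow with input as {"method": "GET", "source": "landing_page", "target": "details", "path": ["ratings", "1"]}
}

test_unknown_source_is_denied if {
	not allow with input as {"method": "GET", "source": "unknown", "target": "ratings", "path": ["ratings", "1"]}
}
```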