Organizations have relied on wikis and tribal knowledge to document and enforce important rules that govern how their systems behave, but today, many organizations pursue "policy as code" for greater control and visibility over their systems. Instead of writing policies in documents or relying on manual checks, organizations leverage policy engines to codify and enforce rules across all of their systems.
The Open Policy Agent (OPA) is an open-source general-purpose policy engine hosted by the Cloud Native Computing Foundation (CNCF). At OPA’s core is a domain-agnostic declarative language that embodies policy as code. OPA helps you implement policy as code so that you can apply best practices like unit testing, dry runs, and code review to your policies.
- OPA's responsibility is to make a policy decision on its own and return that decision as a JSON object back to the caller. It's up to the caller to decide what to do with the OPA decision. Semantically, OPA only operates on the data passed to it (typically as JSON). So OPA doesn't require a deep knowledge about the environment itself. This makes OPA flexible and portable to many different use cases.
- Rego is a high-level declarative language that's based on decades of research into policy systems. It embodies specific ideas that make it useful for modern cloud-native systems and is designed like an onion: the core parts of the language are extremely fast, and as you need more expressiveness, you move up the performance curve.
- OPA is most often used as an admission controller in Kubernetes. An admission controller is where all the semantic validation of Kubernetes resources occurs before resources are persisted to etcd and controllers go off and start doing work.
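
The decision flow in the bullets above, written as a Rego admission policy with its own unit tests. This is an added example, not code from the session or the OPA project. The registry name, the two rules, and the sample Pods are constructed assumptions, and the syntax is Rego v1.

```rego
package kubernetes.admission

import rego.v1

# Assumption: the only registry this cluster trusts (constructed value).
allowed_registries := {"registry.example.com/"}

trusted(image) if {
	some prefix in allowed_registries
	startswith(image, prefix)
}

# One message per container that pulls from outside the trusted registries.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.containers
	not trusted(c.image)
	msg := sprintf("container %q: image %q is not from a trusted registry", [c.name, c.image])
}

# One message per container that asks to run privileged.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.containers
	c.securityContext.privileged == true
	msg := sprintf("container %q: privileged mode is not allowed", [c.name])
}

# The decision OPA returns as JSON. OPA enforces nothing itself; the API
# server (the caller) admits or rejects the object based on this document.
main := {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

response := {"uid": input.request.uid, "allowed": false, "status": {"message": concat("; ", deny)}} if {
	count(deny) > 0
} else := {"uid": input.request.uid, "allowed": true}

# Constructed AdmissionReview input: untrusted image, privileged container.
bad_pod := {"request": {"uid": "test-uid-1", "kind": {"kind": "Pod"}, "object": {"spec": {"containers": [{"name": "web", "image": "docker.io/library/nginx:latest", "securityContext": {"privileged": true}}]}}}}

test_untrusted_privileged_pod_is_rejected if {
	resp := main.response with input as bad_pod
	resp.allowed == false
	count(deny) == 2 with input as bad_pod
}

test_trusted_pod_is_admitted if {
	good := {"request": {"uid": "test-uid-2", "kind": {"kind": "Pod"}, "object": {"spec": {"containers": [{"name": "web", "image": "registry.example.com/web:1.4"}]}}}}
	main.response == {"uid": "test-uid-2", "allowed": true} with input as good
}
```

Running `opa test` on this file evaluates both test rules against the constructed inputs, which is the unit-testing practice the text describes.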
Join Anders for a deep dive session that shows how to apply policy as code across microservices and Kubernetes, covering core language features like search, composition, and querying of complex document-oriented data. See how powerful declarative languages become with the right tooling.
Speaker: Anders Eknert
Listen to CloudNativeFM Podcast
IAAC and K8S Policy Enforcement with OPA | #CloudNativeFM Ep # 22
A curated list of OPA-related tools, frameworks, and articles.
🚀 https://github.com/anderseknert/awesome-opa 🚀
⚒️ About OPA
Policy-based control for cloud native environments
🌍 : https://www.openpolicyagent.org/
🌟 : https://github.com/open-policy-agent/opa
👩‍💻 : https://play.openpolicyagent.org/
🐦 : https://twitter.com/openpolicyagent
Makers of OPA
🌍 : https://www.styra.com/
🐦 : https://twitter.com/StyraInc
🤝 : https://www.linkedin.com/company/styra/
🧑‍🤝‍🧑 About the Community 🧑‍🤝‍🧑
Keep Track of Cloud Native with Cloud Native Islamabad.
This is where we host our Cloud Native webinars, thanks to CNCF: