OPA: A general-purpose policy engine for cloud-native

As your organization embraces the cloud, you may find that the dynamism and scale of the cloud-native stack requires a far more complicated security and compliance landscape. For instance, with container orchestration platforms like Kubernetes gaining traction, developers and devops teams have new responsibility over policy areas like admission control as well as more traditional areas like compute, storage and networking. Meanwhile, each application, microservice or service mesh requires its own set of authorization policies, for which developers are on the hook.

It’s for these reasons that the hunt is on for a simpler, more time-efficient way to create, enforce and manage policy in the cloud. Enter Open Policy Agent (OPA). Created four years ago as an open-source, domain-agnostic policy engine, OPA is becoming the de facto standard for cloud-native policy. As a matter of fact, OPA is already employed in production by companies like Netflix, Pinterest, and Goldman Sachs, for use cases like Kubernetes admission control and microservices API authorization. OPA also powers many of the cloud-native tools you already know and love, including the Atlassian suite and Chef Automate.

[ Also on InfoWorld: Where site reliability engineering meets devops ]

OPA provides cloud-native organizations a unified policy language — so that authorization decisions can be expressed in a common way, across apps, APIs, infrastructure, and more, without having to hard-code bespoke policy into each of those various languages and tools individually. In addition, because OPA is purpose built for authorization, it offers a growing collection of performance optimizations so that policy authors can spend most of their time writing correct, maintainable policy and leave performance to OPA.

OPA authorization policy has many, many use cases across the stack—from putting guardrails around container orchestration, to controlling SSH access or providing context-based service mesh authorization. However, there are three popular use cases that provide a good launching pad for many OPA users: application authorization, Kubernetes admission control, and microservices. 

OPA for application authorization

Authorization policy is ubiquitous, because virtually every application requires it. However, developers typically “roll their own” code, which is not only time consuming, but results in a patchwork quilt of tools and policies that are difficult to maintain. While authorization is critical for every app, time spent creating policy means less time focusing on user-facing features.

OPA uses a purpose-built declarative policy language that makes authorization policy development simple. For example, you can create and enforce policies as straightforward as, “You cannot read PII if you are a contractor,” or, “Jane can access this account.” But that’s just the start. Because OPA is context-aware, you can also build policy that considers anything on the planet — such as, “Stock trades requested in the last hour of the trading day, which will result in over a million dollar transaction, can only be executed on specific services in a given namespace.”

Copyright © 2020 IDG Communications, Inc.

Source link