The CNCF announced the graduation of the Open Policy Agent (OPA) project. OPA is an open source policy management and enforcement engine that has declarative policies and integrates with various systems including Kubernetes.
Originally created at Styra, OPA joined the CNCF as a sandbox project in march 2018, and was accepted as an incubation project in April 2020. Current contributors include Google, Microsoft, VMware, and Styra. OPA went through the standard CNCF graduating process - it was certified for the CII Best Practices Badge, completed multiple security audits, addressed discovered vulnerabilities, defined its governance process and adopted the CNCF Code of Conduct. It also completed a SIG-Security assessment during its incubation period.
OPA's goals are to decouple policy from the code, unify policy enforcement, and enable policy-as-code. OPA uses a DSL called Rego to describe its policies. An OPA engine can run as a library, sidecar or daemon with the application. OPA policies can be updated dynamically by polling a Bundle service API to download "bundles" - a collection of policies and data.
OPA integrates with various systems including Kubernetes, Envoy, CoreDNS, Kafka and Helm. There is also first-class integration between OPA and Kubernetes now with the OPA Gatekeeper which provides Kubernetes-native CRDs for working with the policy library. This supports "Constraints" - a set of declarations "that wants a system to meet a given set of requirements".
Chris Aniszczyk, CTO of the Cloud Native Computing Foundation, noted:
Since joining CNCF, OPA has expanded to integrate closer with Kubernetes via the Gatekeeper project but also supports a wide variety of use cases outside of Kubernetes.
In the Kubernetes ecosystem, OPA can register as a custom admission controller. It can be used to deny certain configurations like restrict the service type, whitelist or blacklist containers registries, and perform domain validation in ingress declarations.
OPA is used in production at many organizations including Goldman-Sachs, Netflix, Pinterest, and T-Mobile. The most common use cases according to a survey conducted in 2020 across 150 organizations are configuration authorization and API authorization. The survey also found that 56% use it in production for Kubernetes Admission Control and 47% use OPA in production for API authorization in microservices. CNCF hosts another policy engine called Kyverno - which uses JSON/YAML instead of a custom DSL. Although the SIG-security assessment cited earlier noted that Rego has a "non-trivial" learning curve, there are tools that use Rego to perform compliance checks like Regula and Preflight. There is an interactive playground for trying out Rego code.
The source code for OPA is available on GitHub.