
Programming Your Policies: Justin Cormack at QCon San Francisco 2022

At QCon San Francisco 2022, Justin Cormack, CTO at Docker, presented a talk titled "Programming Your Policies" as part of the editorial track "Languages of Infra: Beyond YAML."

Cormack started his talk by explaining what a policy is. A simple example is deciding who can run this program or make this API call; a more complex one is deciding who can perform this database query and view the result. "Who" may be a person or another computer program. In the end, it is about access control.

After a brief history of access control and security, Cormack concluded that access control problems are still with us: broken access control sits at the top of the OWASP Top 10 list of web application security risks (A01:2021).

In his experience, policies written in imperative code were difficult to maintain, and policies have since gravitated toward declarative frameworks. Logic programming derives conclusions from a set of facts and rules. An example is Datalog, a declarative logic programming language that grew out of formalizing database query logic; it is roughly SQL plus recursion, and it lends itself to writing policy queries.

Next, Cormack discussed Open Policy Agent (OPA), a CNCF graduated project whose policy language, Rego, is based on Datalog and extended to work on structured data such as JSON. It is one of the most commonly used projects for policy management in the cloud-native world. He demonstrated how it works using the Rego Playground, and after the demo he explained why OPA is so favored by sharing a tweet from Kelsey Hightower:

Because of how straightforward it is to integrate into existing applications.

OPA can be integrated across an ecosystem: JSON and YAML share the same data model, so the same policy decisions can be made over either, and OPA comes with a range of integrations from Kubernetes to SSH.
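As an added illustration (not code from the talk or from the OPA project), here is a Rego policy in the Datalog style Cormack describes: facts about users, groups and role bindings are data, and the conclusion "may this user perform this action on this resource?" is derived by a query over them. The package name, the users, groups and roles, and the orders-db resource are all constructed for the example. One caveat a practitioner runs into quickly: Rego does not allow recursive rules, so the "recursion" half of "SQL plus recursion" (here, membership in a group's parent groups) is expressed with the graph.reachable built-in rather than with a rule that calls itself.

```rego
package authz

import rego.v1

# Constructed sample facts. In a real deployment these would come from a
# data.json document or a bundle rather than being embedded in the policy.
# The membership graph is an adjacency list: a user or group maps to the set
# of groups it belongs to directly.
members := {
    "alice": {"developers"},
    "bob": {"sre"},
    "developers": {"engineering"},
    "sre": {"engineering"},
    "engineering": {"staff"},
    "staff": set()
}

# Role bindings: which principal (a user or a group) holds which role on which resource.
bindings := [
    {"principal": "staff", "role": "reader", "resource": "orders-db"},
    {"principal": "sre", "role": "admin", "resource": "orders-db"},
    {"principal": "alice", "role": "writer", "resource": "orders-db"}
]

# The actions each role permits.
role_actions := {
    "reader": {"select"},
    "writer": {"select", "insert", "update"},
    "admin": {"select", "insert", "update", "delete"}
}

# Rego forbids recursive rules, so transitive membership (user -> group -> parent
# group -> ...) is computed with graph.reachable instead of a Datalog-style
# recursive rule. The result includes the starting node itself, so a binding
# made directly to the user is matched as well.
principals_of(user) := reached if {
    reached := graph.reachable(members, {user})
}

# Deny by default; allow only when some binding on the requested resource
# grants the user (directly or via a group) a role that permits the action.
default allow := false

allow if {
    some b in bindings
    b.resource == input.resource
    b.principal in principals_of(input.user)
    input.action in role_actions[b.role]
}
```

Save it as authz.rego and query it with opa eval, for example `opa eval -d authz.rego -i input.json 'data.authz.allow'`. With input {"user": "bob", "action": "delete", "resource": "orders-db"} the result is true, because bob is in sre, which is bound to admin; with alice and delete it is false, since alice reaches only the writer and reader roles, while alice and insert is allowed through her direct writer binding.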

It also makes it possible to share policies once they have been written, which works best when the data model is standardized. Cormack thinks this will take off first in the Kubernetes world, where there is a standard configuration model that rules can easily be written against.

Cormack continued with the big vision going forward:

Software is going to eat compliance. One day every organizational policy will be expressed as declarative code and verified against commits on an ongoing basis.

To get there, Cormack points out, we must work on observability, as making policies work without knowing the context is challenging. Furthermore, work needs to be done on standardization and reusability. And on tests:

One way to look at security controls is to view them as tests, which is a fruitful way of thinking about them.

Once policies are available as code in a reusable and portable form, they can be tested and run everywhere, and individual policies are easy to revise and update. Cormack also explained that you can reverse the direction of testing: instead of blocking things, promote code that meets the policies, for instance to the next stage in a pipeline.
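To make "security controls as tests" and the promote-rather-than-block idea concrete, here is an added example in Rego (written for this article, not taken from the talk or from any project): a small Kubernetes pod policy, a promote rule that holds only when no control fails, and unit tests that opa test runs from the same file. The three controls, the fixture manifests and the package name are constructed for the example. The policy reads a raw Pod manifest as input, as a CI step would; inside an admission webhook the manifest arrives wrapped in an AdmissionReview, so the paths into input change.

```rego
package kubernetes.admission

import rego.v1

# Each control is a deny rule that contributes a message when it fails.
# An empty deny set means the manifest passes every control.

deny contains msg if {
    input.kind == "Pod"
    some c in input.spec.containers
    not c.securityContext.runAsNonRoot
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
    input.kind == "Pod"
    some c in input.spec.containers
    not c.resources.limits.memory
    msg := sprintf("container %q has no memory limit", [c.name])
}

deny contains msg if {
    input.kind == "Pod"
    some c in input.spec.containers
    endswith(c.image, ":latest")
    msg := sprintf("container %q uses the mutable tag %q", [c.name, c.image])
}

# Reversing the direction of the check: a pipeline stage queries promote and
# moves the manifest forward only when no control failed.
promote if count(deny) == 0

# Constructed fixtures for the tests below (not real workloads).
good_pod := {
    "kind": "Pod",
    "spec": {"containers": [{
        "name": "web",
        "image": "registry.example/web:1.4.2",
        "securityContext": {"runAsNonRoot": true},
        "resources": {"limits": {"memory": "256Mi"}}
    }]}
}

bad_pod := {
    "kind": "Pod",
    "spec": {"containers": [{
        "name": "web",
        "image": "registry.example/web:latest",
        "securityContext": {"runAsNonRoot": false}
    }]}
}

# Unit tests: opa test runs every rule whose name starts with test_.
test_good_pod_is_promoted if {
    count(deny) == 0 with input as good_pod
    promote with input as good_pod
}

test_bad_pod_reports_every_failed_control if {
    count(deny) == 3 with input as bad_pod
    deny[`container "web" uses the mutable tag "registry.example/web:latest"`] with input as bad_pod
    not promote with input as bad_pod
}
```

Run `opa test -v admission.rego` to execute the two tests; the second one checks that every failed control is reported at once rather than stopping at the first, which is what makes the messages useful to whoever has to fix the manifest. The same deny rules can be reused as a blocking gate by querying data.kubernetes.admission.deny, so the policy itself does not change when a team moves from blocking to promoting.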

Cormack went on to point out other frameworks besides Open Policy Agent, such as Google's Zanzibar, which has inspired several recent systems, including OpenFGA from Auth0, which recently joined the CNCF, and Ory Keto. Furthermore, there is another CNCF project, Kyverno, for Kubernetes policies.

He ended the talk by pointing out that:

We are taking YAML and going beyond just considering YAML as a thing we have, in terms of what we can do with all this YAML. So how to generate all this YAML, having configuration documents, and still process them through these pretty powerful declarative policy systems is an exciting move.
