►
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Open Policy Agent Deep Dive - Tim Hinrichs & Ash Narkar, Styra
Come to this session for a deep dive on some exciting new features in the OPA project presented by the project maintainers. This session will have plenty of time for Q&A!
https://sched.co/Zexz
A
A
In
today's
talk,
we
will
discuss
oppa.
We
will
talk
about
an
api
authorization
use
case
in
detail,
talk
about
the
new
and
the
upcoming
features
being
added
to
oppa
and
get
updates
from
sub
projects.
So,
let's
get
started
last
year
we
added
the
opa
integration
index,
which
showcases
all
the
open
source
projects.
Oppa
is
integrated
with.
A
The
purpose
of
this
page
is
to
make
it
easy
to
find
a
specific
integration
with
opa
or
to
browse
oppa
integrations
within
a
specific
category
like
service
mesh,
the
oppa
integration
index
pulls
information
about
an
integration,
its
blogs,
tutorials
videos
code
in
this
one
single
place,
which
provides
a
good
resource
for
integration.
Authors
to
model
their
oppa
integrations.
A
A
If
tomorrow
you
wanted
to
change,
say
the
service
mesh
provider,
you
would
have
to
spend
time
and
effort
in
rewriting
those
same
policies
to
conform
to
your
new
platform,
and,
you
might
say,
we'll
just
write
up
policies
in
docs
and
wikis
and
we'll
enforce
them.
That
way,
until
you
realize
you
have
tens,
hundreds
or
even
thousands
of
microservices,
and
that
wiki
approach
is
no
longer
sustainable.
A
A
A
A
A
So
what
this
means
is
that,
as
long
as
you
give
some
structured
data
to
oppa,
it's
going
to
give
you
a
decision
back
and
you
write
policies
which
makes
sense
for
that
data.
Of
course,
even
the
policy
decision
itself
can
be
any
json
value
and
then
it's
up
to
your
service
to
interpret
that
decision
and
finally
enforce
it.
A
So,
let's
look
at
some
of
oppa's
features
at
the
core
of
oppa.
Is
a
high
level
declarative
language
called
as
rego
and
with
rego
you
can
write
policy
decisions
which
are
more
than
allowed
denied
through
false.
Yes,
no,
so
you
can
write
policy
decisions
which
are
sets
which
are
objects
basically
again
any
json
value
or
any
composite
value.
Can
be
a
decision
you
can
deploy
oppa
as
a
sidecar,
a
host
level
daemon
or
you
can
embed
it
as
a
library
as
well.
A
Oppa
does
not
have
any
decision
time
dependencies,
so
it
doesn't
have
to
talk
to
an
external
service
for
making
a
policy
decision.
However,
you
can
extend
oper
to
do
that,
but
it's
optional
oppa
does
provide
some
management
apis
that
allow
you
to
pull
policy
and
data
from
a
remote
service,
upload
status,
information
to
a
remote
service
and
also
upload
decision
logs
to
a
remote
service,
along
with
the
core
policy
engine
oppa
also
provides
a
rich
set
of
tooling.
That
allows
you
to
profile
your
policies
need
to
test
your
policies.
A
A
So,
like
I've
said
before,
oppa
is
a
general
purpose
policy
engine
you
can
use
it
with
all
of
these
different
projects
without
having
to
write
a
single
line
of
code.
You
can
integrate
oppa
with
each
of
these
projects,
but
for
this
talk
we
will
focus
on
the
api
authorization
use
case,
so
microservices
improve
the
productivity
of
individual
development
teams
by
breaking
down
applications
into
smaller
standalone
paths,
and
hence
many
organizations
today
adopt
microservice
oriented
architectures.
A
A
A
You
can
now
inject
opa
in
this
flow
using
envoy's
external
authorization
filter
which
calls
out
to
an
external
authorization
service
to
check
if
an
incoming
request
is
allowed
or
not.
In
this
case,
the
external
authorization
service
is
going
to
be
open
and
onward
is
going
to
provided
the
entire
request
context.
So
oppa
can
make
an
informed
decision
about
the
fate
of
the
incoming
request.
B
Okay,
thank
you,
ash.
That
was
great.
So
now
we're
going
to
turn
and
look
at
new
and
future
features
so
the
first
new
future.
The
first
new
feature
that
we
have
available
here
is
an
update
to
webassembly.
So
remember
that
webassembly
is
this
compilation
approach
that
oppa
supports
that
will
take
opel
policies
and
compile
them
down
into
webassembly
instructions.
B
So
webassembly
is
just
a
binary
instruction
format
for
a
virtual
machine,
and
so
the
one
of
the
benefits
here
is
that
you
can
take
policies
now
compile
them
down
into
webassembly
and
then
evaluate
those
policies
in
any
programming
language
that
has
a
webassembly
runtime
available.
So
that's
pretty
powerful
because
it
reduces
some
overhead
from
just
communicating
with
oppa
when
it's
running
as
a
sidecar,
but
it
also
makes
it
possible
to
run
these
policies
in
environments
that,
for
example,
don't
allow
you
to
run
side
cars,
so
we've
had
pretty
good
support
for
webassembly.
B
The
other
thing
that's
a
bit
new
is
that
the
opa
build
command
has
been
updated,
and
so
now,
when
you're
running
the
open,
build
command
to
con
to
construct
these
wasm
bundles,
the
format
has
changed
a
little
bit
and
there
are
actually
a
couple
of
of
opa
build
updates
that
I'll
get
to
in
a
little
bit
the
next
new.
The
next
new
update
here
is
really
a
new
tool,
so
a
benchmarking
tool.
B
In
contrast,
the
oppa
profiler
does
give
you
similar
kinds
of
output,
but
what
it
really
does
is
it
tells
you
where,
in
the
code
where,
in
your
policies,
there
are
hotspots
so
which
parts
of
the
code
take
the
longest,
but
what
opa
profiling
doesn't
really
do.
A
good
job
of
is
giving
you
absolute
numbers
around
how
long
it
takes
to
do
evaluation,
and
so,
if
you're,
using
opa
bench,
you
can
see
some
of
the
output
shown
over
there
on
the
right
hand
side.
B
So
the
idea
is
openbench
will
run
that
same
query
that
you
give
it
many
times
in
order
to
give
you
statistically
significant
results,
and
so
that's
what
you
see
under
here
in
the
these
histogram
results,
and
then
this
nanoseconds
per
op
is
probably
the
the
one
number.
If
I
had
to
pick
one
that
you'd
care
about
there
in
order
to
use
the
opa
benchmark
command,
you
can
use
just
opa
bench.
So
bench
is
a
new
sub
command
with
an
oppa,
and
then
you
give
it
some
some
data
to
load.
B
So
the
policy
that
you
want
to
load
as
well
as
the
query
that
you
want
to
evaluate
so
that's
that
data.rboc.allow
and
so
it'll
just
go
ahead
and
run
that
query
many
times
and
then
give
you
those
results
that
you
see
on
the
right
hand,
side.
The
other
way
that
you
can
use
the
benchmarking
tool
is
through
opa
test.
So
you
can
go
ahead
and
run
opa
test.
The
way
you
normally
would
and
then,
if
you
give
it
the
dash
dash
bench
flag,
it'll
go
ahead
and
give
you
benchmarking
results
as
well.
B
The
next
one
on
the
list
is
decision,
log
mutation,
so
this
is
another
new
feature.
Remember
that
oppa
has
the
ability
to
create
and
record
all
the
decisions
that
it's
making
in
what
I
like
to
call
a
high
fidelity,
json
log.
So
every
time
open
makes
a
decision.
It
will
record
the
input
that
it
was
provided,
as
well
as
the
decision
that
it
made,
and
then
it
can
sort
of
send
these
in
batches
off
to
some
external
service.
B
So
we've
had
for
a
while
the
ability
to
within
oppa
write
policies
that
dictate
which
pieces
of
a
decision
log
entry
should
be
removed
or
or
or
deleted
from
that
entry.
Why?
Because
maybe
that
particular
piece
of
data
contains
sensitive
information,
maybe
you've
passed
in
a
jot
and,
and
you
want
to
make
sure
that
nobody
can
use
that
jot
before
it
expires.
B
So
what's
new,
in
fact,
is
that
now
opus
supports
the
ability
to
not
only
delete
but
to
update
and
add
information
to
those
decision
logs,
and
so
that's
kind
of
what
you
see
here.
This
is
sort
of
similar
in
spirit
to
the
kubernetes
mutation
policies,
where
what
you're
doing
here
is
writing
a
policy
that
describes
basically
a
json
patch
in
this
case
it's
saying
here's
a
path,
and
I
want
to
set
the
value
of
that
path
to
this
to
this
variable
x.
B
B
There
are
a
few
additional
features
that
I'll
mention
here,
so
one
of
which
is
some
of
enhancements
to
partial
evaluation.
So
remember
that
partial
evaluation
is
a
compilation
technique.
The
idea
is
that
you
want
to
evaluate
as
much
of
a
policy
as
you
can
at
the
time
you
build
the
bundle
or
at
the
time
you
you
compile
that
policy
as
possible
and
in
so
doing
the
hope
is
that
you've
got
less
work
to
do
at
evaluation.
Time,
therefore,
yielding
faster
evaluation
results.
B
So
if
you've
got
a
directory
of
rego
files-
and
you
want
to
build
a
bundle
so
that
that
bundle
could
be
distributed
to
to
oppas
in
in
real
life,
then
you
can
go
ahead
and
use
opa
build,
and
then
you
just
give
it
the
rego
files
that
you
want
to
include
in
that
bundle
that
second
command.
There
allows
you
to
not
only
build
an
open
bundle,
but
also
utilize
that
partial
evaluation
compilation
technique
and
effectively
optimize
the
bundle
for
evaluating
the
query
that
you've,
given
it
there.
So
in
this
example
example
slash.
B
So
what
we're
trying
to
do
here
is
enhance
the
usability
of
of
compilation
features
like
partial
evaluation,
so
that
you
can
just
choose
an
optimization
level
and
in
so
doing,
tell
oppa
how
aggressive
to
be
when
it
comes
to
building
that
bundle
and
then,
like
we
said
a
slide
or
two
ago,
you
can
still
use
up
a
build
to
go
ahead
and
target
and
build
out
wasm
bundles.
Here,
though,
all
you
need
to
do
is
add
the
t
flag
for
target
and
tell
the
opel
build
command
to
target
wasm.
B
If
you
don't
provide
a
dash
t
by
default,
it's
going
to
just
target
rego
the
third,
a
new
feature
that
I'll
mention
here
is
that
there's
a
now
a
new
parser
for
rego.
So
this
has
been
pretty
nice
in
terms
of
performance.
It's
roughly
a
hundred
percent
faster,
so
almost
2x
faster
on
nearly
all
the
benchmarks
and
then
there's
some
cases
that
it's
it's
it's
it's
much
much
much
faster.
B
So
this
is
one
of
those
examples
where
you
just
download
a
new
version
of
opa
and
suddenly
it
starts
running
a
bit
faster
and
that's
the
same
kind
of
thing
that
we
see
in
this
lower
right
hand
corner
this
optimization
for
group
by
idioms.
So
it
turns
out
that
there
are
some
common
and
somewhat
expensive
patterns
that
we've
seen
people
using
when
they're
writing
rego.
So
this
particular
kind
of
pattern
is
basically
taking.
B
Well,
that's
a
kind
of
a
group
by
idiom,
and
so
anyway,
in
the
back
end,
what
we've
done
is
we've
identified,
there's
an
optimization
that
now
looks
for
that
kind
of
of
pattern
and
goes
ahead
and
and
implements
it
more
effectively.
So,
instead
of
it
being
an
n
squared
operation
now
effectively,
it
becomes
a
linear
time
operation.
Again,
another
great
example
where
you
just
upgrade
opa
and
and
your
policy
starts
to
run
faster.
B
That's
it
for
features
that
are
already
in
in
the
latest
release
of
opa.
So
now,
let's
turn
to
some
upcoming
features,
some
work
that
is
coming
in
that
that
that
you
may
want
to
know
about
so
the
first
one
is
that
bundle
so
remember,
bundles,
as
I
I
just
explained,
but
but
remember,
oppa
uses
bundles
to
sort
of
download
policy
from
an
external
service.
B
The
next
new
feature
that's
coming
is
that
is
always
on
tracing.
So
one
of
the
things
that
sometimes
people
ask
for
is
well
okay,
my
service
has
asked
for
a
decision
from
oppa.
Oppa
gave
an
answer.
Maybe
it's
maybe
it
was
an
allow
deny
decision,
and
so
the
response
was
simply
true
false,
but
but
that
service
maybe
now
needs
to
know
a
little
bit
more
about
why
that
decision
was
made.
B
And
so
one
of
the
things
we're
working
on
is
ensuring
that
each
time
open
makes
a
decision
that
it
can
provide
a
little
bit
more
information
back
to
the
service
if,
if
requested
for
that
explains
why
that
decision
was
made.
So
in
this
example,
what
we
might
do
is
just
say
for
each
of
the
virtual
documents
for
each
of
the
variables
that
are
used
in
the
policy
which
ones
were
actually
successful
and
which
ones
were
not.
B
And
so,
if
you
structure
your
policies
correctly,
that's
a
good
way
of
getting
a
basic
explanation
out,
thanks
to
patrick
for
working
on
that.
The
third
upcoming
feature
is
intellij,
so
opa
does
have
a
plugin
for
vs
code.
That
does
things
like
syntax,
highlighting
evaluating
policy
right
there
in
the
editor,
doing
testing
doing
building
that
kind
of
thing,
and
so
we've
got
some
folks
working
on
doing
the
same
thing
for
intellij.
B
A
user
is
allowed
to
see
and
then
compile
them
down
and
and
infuse
them
sort
of
splice
them
into
a
query,
that's
being
sent
to
that
database
so
that
it's
the
database
itself.
The
database
query
engine
itself,
that
is
enforcing
the
authorization
policy,
and
so
this
work
with
is
looking
at
the
same
kind
of
thing.
B
Okay,
so
that
about
does
it
for
the
new
and
upcoming
features.
So
now,
let's
turn
and
do
a
few
updates
on
subprojects
within
oppa,
so
gatekeeper
I'd
expect
most
folks
to
to
have
a
sense
as
to
how,
as
to
what
gatekeeper,
is
so
very
quickly
gatekeeper,
takes
opa
and
runs
it
and
enforces
oppa
policies
as
a
kubernetes
admission
controller,
the
idea
being
here
that
each
and
every
time
some
end
user
goes
ahead
and
tries
to
create
a
new
pod
or
an
ingress.
B
They
go
ahead
and
send
that
request
to
the
cube
api
server.
The
api
server
sends
that
request
through
authentication
authorization
and
finally
mission
control,
and
it's
there
at
admission
control
that
that
gatekeeper,
hooks
opa
in
in
order
to
make
decisions
as
to
is
this
pot
or
ingress
configured
correctly
and
safely
for
it
to
be
deployed
onto
the
onto
the
kube
cluster
in
terms
of
new
features.
There's
a
good
list
there.
I
won't,
I
won't
go
through
all
of
them.
I
will
mention
we.
B
We,
the
gatekeeper,
did
go
through
the
cncf
security
review
successfully,
so
that
was
that
was
great
and
then,
in
addition,
there's
we've
there's
been
the
addition
of
pod
security
policies
added
to
the
the
gatekeeper
policy
library,
so
those
same
pod
security
policies
that
are
available
in
upstream
kubernetes.
There
are
now
analogous
policies
that
are
available
in
gatekeeper,
and
that
brings
up
the
point
that
gatekeeper
also
remember,
has
a
number
of
pre-built
policies.
I
think
the
list
on
the
right
there
is
is
pretty
well
up
to
date.
B
B
There
is
now
a
second
sub
project
within
opa
called
conf
test
we've.
This
has
been
announced
publicly,
but
this
is
the
first
kubecon
where
we've
gotten
a
chance
to
talk
about
it.
So
conf
test
is
an
application
of
oppo
where
it
is
designed
to
help
developers
run
policies
over
configuration
files,
so
those
configuration
files
might
be
yaml
files
for
kubernetes
or
or
ini
files,
xml
docker.
B
It
also
has
a
number
of
output
formats,
so
there's
a
user
friendly
output
format
that
just
prints
out
the
results
of
those
of
those
policies.
Here
at
the
at
the
top.
You
can
see
an
example
of
that.
You
simply
run
conf
test
and
say
test
this
deployment.yaml
file
and
then
it'll
print
out
nicely
exactly
what
the
failures
were.
B
Finally,
it's
got
a
number
of
integrations
for
ci
cd
pipeline
and
ci
cd,
tooling,
that
you
see
there
circle,
ci,
tech,
town
and
github
actions.
That's
really
powerful,
because
a
lot
of
people
do
like
using
conf
test
in
ci
cd
pipelines
to
make
sure
that
structured
data
structure,
configuration
files
will
pass
the
organization's
policies
before
they're
actually
merged
into
that
into
that
git.
Repo
welcome
to
conf
test
as
a
new
opa
project.
B
I
certainly
recommend
you
check
it
out
if
you're
looking
at
writing
open
policies
over
configuration
files-
okay,
so
that
does
it
for
us
for
now,
thanks
so
much
for
giving
us
your
time
definitely
check
us
out
online.
Remember
we're
at
opa's
at
openpolicyagent.org
and
then
there's
an
active
slack
channel
so
definitely
hop
on
there
and
ask
questions.
There's
a
community
there!
That
would
more
than
would
love
to
help
you
out.
So
that's
it
for
now,
we'll
open
it
up
for
q,
a.