►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
OPA Deep Dive - Tim Hinrichs, Styra & Torin Sandall, Styra
Come to this session for a deep dive on some exciting new features in the OPA project presented by the co-creators. This session will have plenty of time for Q&A!
https://sched.co/Uafr
A
A
B
D
A
D
A
Right
so
I
think
this
is
going
to
be
a
useful
session
for
everybody
in
the
room.
So
you
know
we
talked
about
this
a
little
bit
in
the
keynote,
like
kind
of
why
OPA
exists
right
and
I.
Think
that,
like
when
you
look
at
the
modern
kind
of
like
cloud
native
like
ecosystem,
there's,
just
a
lot
of
choice
out
there
right
and
it
feels
like
there's
like
this
never-ending
list
of
new
projects
to
do
with.
A
You
know:
CI,
CD
and
micro
services,
and
you
know,
databases
and
programming,
languages
and
runtime
platforms
and
so
on
right,
and
so,
if
you
work
in
a
large
enterprise
or
a
large
organization,
that's
just
like
a
fact
of
life.
If
you're,
if
you're
an
architect
or
a
platform
engineer
or
somebody,
you
know
a
security
engineer,
you
just
have
to
deal
with
this.
A
So
this
was
sort
of
the
problem
that
we
that
we
saw
when
we
before
we
started
the
project
and-
and
so
that's
why
we,
we
thought
you
know,
let's,
let's
try
to
fix
this,
and
so
we
we
basically
created
the
open
policy
agent
as
a
way
to
give
you
a
tool
that
you
could
leverage
to.
Really,
you
know
improve
how
systems
are
managed
right.
A
So,
instead
of
you
know
putting
policies
on
wiki's
or
in
spreadsheets,
you
know
we
said,
there's
a
better
way
of
doing
this,
and
so
you
know
we
started
the
open
policy
agent
and
we
we
released
it
four
years
ago,
the
links
to
change,
that's
nice
and
and
yeah,
and
so
like
over
the
last.
You
know
couple
years,
we've
seen
a
lot
of
different
integrations
get
built
for
open,
and
these
are
all
examples
of
integrations
where
people
are
actually
running
them
in
production
right.
A
So
you
know
you
hear
lots
about
how
people
are
using
open
for
kubernetes
around
admission
control.
You
hear
lots
about
how
people
are
using
it
for
micro
service,
API
authorization,
but
there's
a
long
tail
of
use
cases
as
well,
where
people
you
know,
use
open
to
control,
access
to
sensitive
data
in
in
different
kind
of
data
lake
environments,
where
they
use
it
in
CI,
CD
pipelines
to
you
know,
impose
best
practices
on
on
applications
and
configuration.
A
People
think
Oh
open
purpose-built
for
kubernetes,
or
it
only
does
kubernetes,
but
the
fact
is
that
it's
kind
of
widely
applicable
and
and
this
is
kind
of
showing
off
a
little
bit
in
the
in
the
integration
index.
Actually
this
this
screenshots
out
of
data,
it
looks
slightly
different.
Now,
there's
been
some
new
additions
recently,
so
you
know
what
is
Opa.
Opa
is
a
general-purpose
policy
engine,
and
so
what
that
means
is
that
you
can
kind
of
like
use
it
to
offload
policy
decision-making
from
your
software
now.
A
The
reason
we
call
it
general-purpose
is
because
it
works
with
all
these
different
kinds
of
software.
So
you
know
whether
you're
talking
about
kubernetes
or
envoy
or
Linux
Pam.
You
know
you
can
take
OPA
and
you
can
use
it
to
basically
help
enforce
policy
or
authorization
decisions
in
those
in
those
technologies.
A
So
the
core
thing
you're
kind
of
doing
here
is
you're
decoupling
policy
decision-making
from
policy
enforcement.
Now
one
of
the
one
of
the
design
decisions
that
we
made
when
we
started
the
project,
which
is
an
important
one,
was
that
OPA
wasn't
gonna,
be
coupled
to
any
project
or
domain
specific
data
model,
and
so
inside
of
these
policy
queries
you
can
actually
supply
arbitrary
JSON
data.
You
can
supply
any
JSON
value
you
want,
so
this
can
be
a
pod.
A
It
could
be
a
representation
of
an
HTTP
API
request,
so
it
contain
things
like
the
method
and
the
path
and
the
headers
and
so
on,
or
it
could
be.
A
representation
of
you
know
an
ssh
connection
into
a
server
and
then
similarly,
the
decision
that
OPA
sends
back
to
the
service
to
be
enforced
can
also
be
any
JSON
value.
So
we
have
a
simple
API
access
control
use
case.
It
could
be
true
or
false,
but
it
could
be
any
JSON
value.
So
you
know
it
could
be
a
string.
It
could
be
an
error
message.
A
It
could
be
a
set
of
strings,
it
could
be
a
set
of
error
messages
or
it
could
be.
Like
a
you
know,
a
complex
JSON
object.
So
when
people
first
deployed
OPA
for
admission
control
and
kubernetes,
they
would
just
have
a
policy
that
would
generate
the
admission
review
structure
and
send
that
back
and
that's
like
a
deeply
nested
JSON
object
right
so
with
OPA,
it's
kind
of
like
just
JSON,
coming
in
JSON
being
evaluated
and
JSON
going
out,
and
so
this
is
why
we
call
it
general
premise
now.
A
Obviously,
your
your
your
policies
have
to
understand
the
semantics
of
the
input
right.
They
need
to
understand
that
that's
a
pod
represented
in
JSON
and
they
need
to
make
sense
of
that.
And
similarly,
your
your
service
needs
how
it
needs
to
know
the
semantics
of
the
the
decision
coming
back,
but
on
its
own
OPA
doesn't
and
that's
why?
It's
that's
why
it's
general-purpose!
That's
why
you
can
use
it
for
all
of
these
different
use
cases.
A
So
what
OPA
actually
gives
you
at
a
high
level
is
kind
of
summarized
here
that
the
kind
of
core
thing
that
it
provides
is
a
high-level
declarative
language
for
expressing
policy
in
and
what
that
language
is
really
good
at
doing
is
helping
you
write
rules
that
answer
questions
that
are
relevant
to
policy
so
things
like.
Can
this
user
perform
this
operation
on
this
resource?
You
know
which
invariants
does
this
workload
you
know?
Would
this
workload
violate
if
it
were
to
be
deployed,
or
you
know
which
records
am
I
Amaya
labs
or
is?
Is?
A
Is
a
user
allowed
to
see,
and
so
since
this,
since
we're
you
know
operating
with
JSON
everywhere,
OPA
the
language
has
kind
of
built-in
mechanisms,
for
you
know
doing
everything
you'd
expect
with
large
complex
hierarchical
data,
so
you
can
kind
of
like
dot
into
complex
objects.
You
can
do
scans
over
arrays.
You
know
you
can
you
can
do
all
kinds
of
things
when
it
comes
to
actually
using
OPA,
you
can
either
run
it.
A
You
can
use
it
as
a
library,
it's
written
go,
so
you
can
embed
it
quite
easily
into
into
go
services
and
applications,
or
you
can
run
it
as
as
a
daemon
and
the
daemon
is
designed
to
be
as
lightweight
as
possible.
So
you
can
use
it
as
a
sidecar
or
a
host
level
daemon
or
if
you
want
to
stand
it
up
as
a
service,
you
can
but
the
way
that
we
think
of
OPA,
as
the
like
kind
of
creators
of
it
is
that
it's
meant
to
be
used
as
a
host
local
cache
for
policy
decision-making.
A
So
we
recommend
that
you
take
OPA
and
you
run
it
as
close
to
the
thing
that
needs
decision-making
as
possible.
The
reason
why
we
recommend
that
you
do.
That
is
because,
if
every
single
time
OPA
has
to
or
the
service
has
to
get
a
decision,
it
has
call
out
over
the
network,
then
you
know
you,
like
you're
gonna
pay
a
performance
hit
for
that
right.
A
There's
gonna
be
extra
latency
introduced
into
the
request
path
and,
if
you're
dealing
with
say,
like
a
micro
service
architecture,
where
you
know
several
micro
services
might
be
involved
in
the
servicing
of
a
top-level
request,
then
that
starts
to
add
up.
Also
importantly,
if
every
time
you
have
to
make
a
decision,
you
have
to
call
out
over
the
network,
then
you're
gonna,
be
your
availability
is
gonna,
be
impacted
by
the
network.
A
So
you
can
deploy
OPA
it'll,
keep
all
of
the
policy
and
data
that
it
uses
to
evaluate
decisions
in
memory
and
when
you
ask
it
for
a
decision,
it's
not
going
to
call
out
over
the
network
to
get
anything
else
on
its
own.
So
all
the
decision-making
can
happen
locally
on
that
node.
Now
we
do
have
mechanisms
where
you
can
like
call
out
on
the
fly
inside
the
policy
if
you
want,
but
we
recommend
that
as
much
as
possibly
you
you
avoid
trying
to
do
that
if
you
don't
need
to
now.
A
Obviously,
if
you
have
a
bunch
of
oppa's
running
around
in
your
infrastructure
and
they're
all
storing
policy
and
data
in
memory,
you
know
you
need
some
way
to
manage
them.
You
need
a
source
of
truth
for
the
policy
and
the
data,
and
so
open
exposes
a
set
of
management.
Api's
that
let
you
do
things
like
distribute
policy
down
to
it.
A
We
also
have
api's
for
visibility,
though,
so
we
have
like
a
status
api
that
you
can
configure
to
receive
status
updates
from
OPA.
They
tell
tell
you
the
version
of
the
bundle,
that's
the
the
bundles
that
have
been
activated
or
whether
there
were
any
errors
trying
to
activate
the
last
version
that
it
that
it
got,
and
then
we
also
have
a
what
we
call
the
decision
log
api.
So
the
session
log
is
basically
a
record
of
all
the
policy
decisions.
They've
been
made
by
OPA
over
the
past
few
minutes.
Let's
say
so.
A
Every
time
you
ask
OPA
for
a
policy
decision,
it
keeps
a
little
record
of
that
in
memory
and
what
it'll
do
is
it'll
periodically
upload
those
records
to
a
remote
HTTP
endpoint
and
the
the
powerful
thing
there
is
that
inside
those
decision
log
records,
you
have
the
full
extent
of
the
input
data,
the
input
JSON
that
was
supplied
to
OPA
in
the
policy
query.
You
also
have
the
revision
of
the
policy
bundle
and
you
have
the
decision
that
was
made.
A
So
you
have
a
full
record
of
the
policy
decision
making
process,
and
so
you
can
send
that
up.
You
can
use
it
for
audit
purposes.
It's
useful
for
a
lot
of
other
things
like
debug
and
test
as
well,
and
so
the
last
thing
I'd
mention
here
is
that
OPA
also
kind
of
embodies
this
idea
of
policy
as
code,
and
so
it's
got
a
kind
of
a
rich
tool
chain
that
helps
you
build
test
and
debug
your
policies.
A
We
have
like
an
interactive
shell
that
you
can
use
to
run
queries
interact
with
policies,
kind
of
experiment
with
them.
We
have
a
test
framework,
so
you
can
write
like
unit
tests
for
your
policies
and
verify
that
they're
correct
before
you
go
off
and
deploy
them.
It's
something
that
we
recommend
that
people
do
when
they
when
they're
writing
policy,
because
it's
you
know,
you
want
to
make
sure
that
it's
correct.
A
We
had
one
user
that
was
like
taking
OPA
and
they
were
they
had
to
ship
it
to
a
customer
and
run
it
in
an
air-gapped
environment
for
a
hedge
fund
and
the
ability
that,
like
to
test
their
policies
up
front
and
gain.
You
know
confidence
in
the
correctness
before
they
handed
this
off
into
like
an
air-gapped
environment
where
they
weren't
gonna
be
able
to
go
in
and
change.
Anything
was
like
instrumental
in
their
success,
so
the
test
framework
is
a
really
powerful
thing
that
you
can.
You
can
use
with
OPA.
A
We
also
have
like
IDE
into
extensions.
So
there's
a
vs
code
plug-in
that
you
can
use
to
kind
of
develop
the
policies
you
can
do
interactive
evaluation.
You
can
run
tests,
you
can
get
coverage,
it's
quite
useful
and
we
also
have
other
things
like
tracing
and
profiling.
That
are
more
sort
of
advanced
all
right,
so
this
one
I
hand
it
over
to
Tim
who's,
going
to
do
a
little
bit
of
a
use
case,
deep
dive,
so
take
it
away.
Thank
you.
C
C
That's
always
fun
for
the
audience
all
right,
so
this
is
sort
of
a
zoom
in
on
kubernetes.
We've
heard
a
moment
ago
how
any
service,
whether
it's
kubernetes
or
otherwise,
is
going
to
be
asking
OPA
for
decisions
from
time
to
time.
Now,
in
the
Cooper
Nettie's
case,
this
happens
every
time
someone
tries
to
create,
update
or
delete
a
resource
on
the
cluster,
and
so
as
I
would
expect
many
people
here
already
know
inside
of
the
kubernetes
api
server,
there's
a
there's,
an
entire
pipeline
that
every
request
goes
through.
It
starts
with
authentication
who
are?
C
You
then
goes
on
on
to
authorization,
auerbach
and
then
finally
goes
to
admission
and
at
admission
control
there
are
now
validating
web
hooks.
There
are
mutating
web
hooks
as
well,
but
there
are
web
hooks
that
you
can
set
up,
and
that
is
where
OPA
integrates.
So
in
this
world
every
time
a
new
request
comes
into
the
cluster.
That
request
makes
its
way
down
to
admission,
let's
say
and
the
kubernetes
api
server
hands
that
request
over
to
OPA
and
then
I'll
show
you
an
example
of
this
in
a
moment,
and
then
OPA
makes
the
decision.
C
Is
this
authorized
or
not,
and
it
returns
an
admission
review
response
that
admission
review
response
includes
error
messages
that
get
returned
to
the
user.
All
right.
This
is
a
pretty
standard.
This
is
the
standard
integration
and-
and
there
are
different
ways
of
embodying
this,
but
but
that's
what
we're
gonna
see,
so
that
is
OPA
and
then
what
we're
gonna
do
now
is
flip
over
and
do
a
little
bit
of
live
coding.
Ok,
so
let's
do
this
all
right,
all
right
anytime!
That
I
am
writing
any
sort
of
policy.
C
The
first
thing
I
do
is
I
grab
a
sample
of
the
input
that's
going
to
be
handed
over
to
OPA,
so
in
this
case
from
kubernetes,
that
would
be
an
admission
review
request,
and
so
here,
on
the
right
hand,
side
you
can
see
that
written
a
job
JSON.
What
I'm,
actually
opening
here
is
the
Rago
playground.
I
forgot
to
mention
this,
so
this
is
a
purpose-built
editor
that
that
is
available.
C
That
allows
you
to
not
only
do
syntax,
highlighting
and
evaluation
of
policy,
but
it
also
allows
you
to
share
that
policy
with
others,
and
that's
really
helpful
if
you
ever
jump
on
a
slack
which
we
encourage.
Definitely-
and
you
have
questions
put
it
in
the
playground-
it's
much
easier
to
exchange
ideas
and
tips
over
over
the
playground.
So
on
the
right-hand
side
that
we
see
the
input
that
oppa
is
going
to
receive
in
this
particular
example
for
those
of
you
who
haven't
seen
an
admission
review
object
before
this
is
the
way
it
works.
C
The
request
there
is,
where
all
the
actions
that
it
gives
you
a
kind
here,
it's
got
the
usual
group
version
kind,
as
you
would
expect
it
tells
you
what
namespace
the
object
belongs
to
if
it's
belongs
to
a
namespace
and
then
here
under
object
is
where
we
see
what
we
would
typically
think
of
as
the
object
that
we're
handing
over
the
kubernetes
api
server.
So
it's
got
metadata
here.
It's
got
its
got
aspect,
because
this
is,
after
all,
a
pod.
C
It's
got
the
containers
there
within
the
spec.
It's
got
the
init
containers,
that's
great,
and
it's
got
an
operation
just
create
in
this
case.
Alright.
So
that's
an
example
of
the
input
that's
going
to
come
into
the
OPA
and
now
our
job
as
policy
authors
is
to
go
ahead
and
write
whatever
policy
we
care
about
right
and
so
in
this
example.
What
we're
gonna
do
is
ensure
that
all
the
images
that
show
up
in
a
pod
come
from
a
trusted
registry.
C
That
registry
is
Huli,
calm,
alright,
so
the
way
we're
gonna
get
this
started
is
that
we
know
what
the
input
is
and
so
I.
As
an
author
there's
a
little
bit
of
boilerplate
for
often
for
kubernetes
I
won't
bother
showing
you
the
boilerplate,
but
what
I
will
show
you
is.
That
is
the
core
of
the
logic
and
the
core
of
that
logic.
At
the
end
of
the
day
is
going
to
be
we're
going
to
be,
writing
denies
statements,
and
so,
as
you
would
expect,
with
OPA
it's
a
policy
language.
C
We
expect
to
be
able
to
write
a
bunch
of
allows
and
denies
so
let's
go
ahead
and
start
that
here
in
OPA,
you're
writing
a
number
of
different
rules.
We're
here
we're
just
going
to
write
it
deny,
and
the
first
thing
we're
going
to
do
is
we're
going
to
check
that
in
fact
we're
only
going
to
be
applying
this
rule
to
pods,
and
so
how
do
we
do
that?
Well,
input
here
is
a
keyword
for
OPA.
B
C
Then
I
can
check
that
that
is
actually
equal
to
pot
all
right
input
table,
request,
icon
another
everybody
I
would
expected
kind
of
guess
what
that's
going
to
do
it
does
that
you'd
expect
alright.
So
first
we
know
it's
a
pod,
and
now
we
want
to
check
that
all
images
come
from
this
trusted
registry.
Well,
how
are
we
going
to
do
that?
Well,
we're
gonna
start
the
same
way.
We're
gonna
start
dotting
down
through
that
object
in
order
to
grab
the
list
of
containers
that
exist
so
input,
dot,
request,
dot,
object,
dot,
spec,
dot
containers.
C
Well,
if
we
kind
of
look
at
that.
Okay.
So
that's
a
that's
an
array
of
containers,
great
okay,
but
now
we
have
an
array
of
containers,
so
we
don't
want
to
dot
down
through
it
anymore.
We
need
to
iterate
all
right.
How
are
we
gonna
iterate?
Well
we're
gonna
iterate
with
some
alright,
so
we're
gonna
say
that
here
there
is
some
I
and
then
we're
going
to
go
ahead
and
actually
grab
after
that
I
the
image
name.
C
So
for
each
of
the
elements
in
this
containers
array,
we
have
an
image
field,
so
we'll
go
ahead
and
grab
it
and
we'll
assign
it
to
a
variable
image.
Name
and
now
we
just
need
to
check
that
this,
that
if
this
image
name
fails
to
start
with
Huli
calm,
then
in
fact
we
want
to
deny
right
so
not
starts
with
starts
with
is
what
we
call
a
built-in
and
OPA.
It's
just
a
some
pre-built
code
that
helps
us.
Do
things
like
string,
manipulation
and
the
like
image
name
is
Hui
comm.
E
C
Late,
fine,
all
right,
so
let's
go
ahead
here
and
hit
this
evaluate
button
and
resize
the
window,
so
we
can
see
the
result.
Oh
wonderful,
all
right
deny
is
true.
So
why
is
the
night
true?
Because
if
we
look
at
the
containers,
there's
an
image
here,
engine
X,
it
does
not
come
from
hooli
comm,
so
that
is
denied.
This
is
sort
of
incomplete,
though,
because
what
we
all
know
is
that
we
want
more
information
back
than
simply
no
try
again.
C
What
we
want
to
be
able
to
do
is
return,
error
messages,
and
so
the
way
that
we
do,
that
is
that
we
go
ahead
and
add
a
term
deny
instead
of
a
boolean
verge
open,
can
return
decisions
that
are
not
just
true
false,
not
just
boolean's,
but
could
return
any
JSON
object.
We're
gonna,
actually
turn
deny
into.
Basically
a
set.
C
Think
of
a
set
is
basically
an
array,
but
here
what
we're
going
to
do,
then,
is
we're
going
to
turn
deny
into
a
set
and
we're
going
to
do
and
we're
going
to
return
a
set
of
error
messages
back
to
the
user.
So,
as
printf
pod
contains
an
image
from
an
untrusted
registry,
the
and
do
image,
name
and
name
all
right.
C
All
right,
wonderful,
okay,
so
now
we've
got
little
bit
more
information.
Deny
your
pod
contains
an
image
from
okay,
it's
Engine
X,
as
we
would
expect.
That's
wonderful!
That's
great!
Oh,
and
this
is
typically
how
we
write
policies
for
kubernetes.
We
do
actually
turn
return
a
set,
and
then
that
met
those
error.
Messages
get
sent
back
to
the
to
the
user,
but
there's
a
bug.
Anybody
see
it
just
a
head
nod.
C
That's
true!
That's
very
good!
That's
a
very
deep
question,
though
work
work,
I
mentioned
this
earlier.
If
we
look
at
the
input,
containers
is
one
of
the
fields
under
spec,
but
so
is
init
containers
look
okay,
so
we
should
be
checking
both
the
containers
in
the
init
containers.
Let's
say
so.
One
way
to
do
this
is
to
just
take
this
rule
and
we
can
make
a
copy
of
it
and
then
we
can
just
go
in
here
and
change
containers
to
init
containers,
and
then
we
should
be
good.
C
Of
course
that's
not
well,
let's
see
if
it
work.
Okay!
Well,
that's
great!
So
now
we
get
to
answers
pod,
that's
engine
X
and
busy
box.
I
didn't
really
show
you,
but
busy
box
is
one
of
the
init
containers.
Okay,
so
that's
okay,
fine,
but
at
the
same
time
nobody
if
you're
writing
code,
would
copy
and
paste
like
that.
So
what
we
might
want
to
do
is
actually
go
ahead
and
add
an
abstraction
here.
C
So
one
of
the
interesting
things
is
that
with
OPA,
allow
and
and
I
are
not
keywords:
they're
just
they're
just
more
variables.
You
just
get
to
make
them
whatever
you
want,
and
so
in
addition
to
that,
we
can.
We
can
build
our
own.
We
can
build
a
helper
here
called
container
of
ste.
We're
gonna,
make
it
another
set,
and
what
we're
going
to
do
is
we're
going
to
make
this
true
of
all
of
the
containers,
as
well
as
the
init
containers.
So
if
we
do
C
equals.
C
Of
I
and
I
should
make
that
a
some
okay.
So
now
what
we're
saying
here
is:
go
ahead
and
grab
all
the
containers
and
the
object
go
ahead
and
grab
all
of
the
init
containers
and
the
object
and
now
I've
got
this
set
containers
which
I
can
use,
however
I
like
but
I'm
gonna
use
it
inside
of
the
rule.
So
let's
give
this
guy
I,
don't
need
him
anymore,
and
so
now,
instead
of
this
I'm
gonna
do
input.
It's
gonna,
be,
let's
just
do
container
C.
D
C
C
Thank
ya
air
programming,
okay,
great
okay,
so
now
assuming
this
is
all
right,
evaluate
it
hopefully
it'll
work.
One
of
the
things
that's
happening
here
is
that
when
I
hit
evaluate
I'm
actually
evaluating
all
of
those
symbols
in
the
in
the
policy,
and
so
what
you
see
is
output
here
as
containers
is
coming
in.
Why?
Because
that
was
a
symbol
defined
in
the
in
the
package
down
below.
We
also
see
deny
and
denies
also
defined
in
the
package.
C
One
of
the
things
we
use
all
the
time
here
is
that
we
can
go
ahead
and
highlight
portions
of
the
policy
in
order
to
do
a
partial
evaluation
of
it.
It
was
a
wrong
poor
choice
of
words
there.
If
we
want
to
evaluate
just
a
part
of
the
policy,
then
we
can
do
it
that
way.
If
you
like
and
I'll
I
will
stop
here
very
quickly,
you
can
even
highlight
entire
fragments
of
the
policy
and
ask
for
an
evaluation,
and
there
are
different
reasons
for
doing
that,
but
we're
running
on
time.
Okay,.
C
A
Thanks
Tim,
so
you
know
what
we
announced
at
the
keynote:
was
this
new
ability
to
take
Rago
policies
and
basically
compile
them
into
webassembly
and
actually
before
I
get
into
this?
You
know
a
bunch
of
the
things
we're
going
to
talk
about
right
now
might
seem
a
little
bit
like
weird,
but
they're,
all
kind
of
like
around
this
idea
of
improving
the
performance
of
policy
evaluations.
A
That's
sort
of
the
theme
that
we
have
right
now
is
to
kind
of
you
know,
sort
of
deliver
a
bunch
of
optimizations
that
really
allow
open
to
be
used
in
some
new
ways
that
are
quite
interesting.
So
what
we
added
in
the
most
recent,
what
we
completed
in
the
most
recent
release
was
like
an
incremental
set
of
work
to
be
able
to
take
Rago
policies
and
compile
them
down
into
webassembly
webassembly.
Is
this
standard
instruction
format
for
a
virtual
machine?
That's
supported
by
the
major
browsers?
A
A
There
are
two
ways
of
kind
of
doing
this.
One
is
just
on
the
command
line,
so
you
can
give
OPA,
basically
the
the
policies
it
could
be
one
or
more
policies
and
then
a
query
to
to
compile
and
then
what
open
does
is
it
basically
takes
that
that
query
and
those
policies
and
it
generates
a
plan,
and
then
it
compiles
that
plan
into
a
web
assembly
binary.
So
this
is
something
you'd,
probably
end
up
doing
in
your
development
environment
or
in
a
CI
environment.
A
Whenever
the
policies
change
and
then
the
idea
is
that
you'll
take
those
webassembly,
executables
and
you'll
publish
them
somewhere,
so
they
can
be
downloaded
just
like
you
do
today,
with
with
regular
OPA
bundles,
but
now,
instead
of
just
shipping,
the
raw
Ray
go
down
to
the
opus
or
the
enforcement
points.
I
should
say
you
send
down
these
these
wasum
executables.
A
So
today
we
have
support
for
like
a
node
J
s
SDK.
So
if
you
want
to
try
to
experiment
with
with
this
functionality,
that's
right,
a
kind
of
recommend
you
start
is
play
around
with
it
inside
of
node
J
s,
but
in
the
two
or
three
days
that
after
we
kind
of
talked
about
this
and
announced
it,
somebody
already
started
working
on
a
c-sharp
SDK
as
well.
So
you
know
in
the
future
we
plan
to
have
SDKs
for
C,
C++,
C,
sharp
JVM,
and
on
and
on.
A
There
are
some
things
that
are
kind
of
like
missing
today,
and
so
the
plant
improvements
right
now
are
around
extending
support
for
built-in
functions
out
of
out-of-the-box.
You
can
implement
the
built-in
functions
inside
of
the
the
host
language,
the
host
environment,
if
you
want
to-
but
obviously
you
don't
wanna-
have
to
do
that.
A
You
know
every
single
time
and
so
we're
gonna
try
to
have
more
built-in
functions,
support
it
out
of
the
box
as
much
as
possible,
and
then
we're
also
gonna
focus
on
on
the
the
SDK
side,
which
will
involve
like
adding
support
for
the
management.
Api
is
right
so
that
you
can
kind
of
have
an
out-of-the-box
way
of
getting
policies,
distribute
it
down
to
your
enforcement
points.
That's
webassembly,
one
thing
that
that
hasn't
been
worked
on,
but
work
that
we're
planning
to
do
is
improve
support
for
partial
evaluation
in
OPA.
A
A
So,
for
example,
here
we
have
a
policy
that
says.
Allow
is
true
if
any
one
of
the
the
ackles
in
this
data
set
match
the
input,
and
so
here
what
we're
basically
doing
is
we're
just
searching
over
this
large
ackles
this
this
Ackles
array
and
we're
seeing
if
any
of
those
match
the
input
action
resource
user
now.
Obviously,
if
that
array
gets
really
big,
we're
still
doing
a
linear
scan,
and
so
the
evaluation
times
going
to
go
up
and
so
I'll
talk
about
how
that
works
in
a
second.
A
But
the
important
thing
to
notice
here
is
that
before
the
policy
gets
evaluated,
certain
pieces
of
the
policy
may
be
already
known
right.
So,
in
this
case,
data
tackles
is
already
known
right.
It
may
be
shipped
down
to
OPA,
along
with
the
policy
itself
right,
so
the
permissions
are
updated.
It
would
just
get
sent
down
to
open.
The
input,
though,
is
a
little
bit
different
right,
that's
unknown
that
changes
on
every
single
policy
query,
and
so
what
partial
evaluation
does?
A
Is
it
kind
of
lets
us
pre,
evaluate
the
policy
and
remove
a
lot
of
the
complexity
in
it
and
simplify
it
into
a
into
a
format?
That's
that's
easier
for
oppa
to
understand
and
easier
for
it
to
optimize,
and
so,
if
you
ran
partial
evaluation
on
this
policy-
and
you
said
that
input
was
the
unknown,
then
it
would
produce
something
like
on
the
on
the
right-hand
side.
A
Here
it
would
give
you
back
a
set
of
queries
that
are
just
simple
equality
operations
and
the
cool
thing
about
these
equality
operations
is
that
oppa
can
understand
them
and
it
can
build
an
index
out
of
out
of
these
these
statements
so
that,
when
you
actually
go
to
ask
you
know,
should
this
thing
be
allowed,
it
doesn't
have
to
scan
over
all
the
Ackles.
It
can
quickly
look
up
the
one,
the
the
statements
that
machen
elite,
those
so
you'd
get
basically
constant
time
evaluation.
A
That
only
depend
on
unknown
values,
so
those
will
just
get
partially
evaluated
out
and
then
we're
also
going
to
add
support
for
the
whiff
keyword
inside
the
language
today,
if
it,
if
open
counters
any
of
those,
while
it's
partially
evaluating
the
policy
that
it
just
saves
them
off
and
you
get
them
in
the
result
and
so
that
doesn't
really
have
any
benefit,
I
think
that's
it.
So
then,
let
me
let
Tim
kind
of
talk
about
complexity,
analysis
where
we
out
of
it
says
zero,
zero,
but
I,
don't
know
what
that
last
digit
is
all.
C
C
When
the
pilot
which
class
the
policy
belongs
to
and
the
benefit
there
is
then
that,
as
like
a
cluster
level
administrator,
you
could
say
well
all
of
my
namespace
level
administrators
you
can
put
policies
in,
but
only
if
they
run
in
time,
linear
in
the
size
of
the
input.
So
that's
kind
of
where
we're
going
with
that
and
that's
something
that
we
can
do,
because
it
was
declarative,
because
it's
not
turning
complete
that
you
just
typically
wouldn't
see
in
a
programming
language,
yeah.
A
C
C
A
Yeah,
so
we
do
have
built-in
support.
We
have
built-in
functions
to
verify
signatures
on
JSON
web
tokens.
Today's
we
support,
RSA
and
and
and
other
algorithms.
We
don't
have
like
primitives
to
just
do
that
on
an
I
like
a
straight
leg,
on
a
array
of
bytes,
but
built-in
functions
are
actually
like
the
easiest
way
to
contribute
to
opus.
A
So
if
you
have
a
have
a
use
case
where
you
think
oh,
this
would
be
a
lot
easier
like
I
was
talking
to
somebody
earlier
today
and
they
wanted
to
do
something
that
involved
bit
manipulation
like
and
and
that
that's
not
something
that's
particularly
fun
to
do
today
in
in
Rago,
so
I
said:
yeah
I
mean
please,
you
know.
If
you
have
use
cases
that
require
built-ins,
please
submit
a
patch.
F
C
Mean
I
think
the
well
sorry.
The
question
was
security
context,
for
example,
show
up
in
a
large
number
of
kubernetes
resources,
it'd
be
great
if
there
were
some
helper
libraries
or
the
like.
That
would
allow
people
to
write
policy
over
all
of
those
sort
of
simultaneously
yeah,
so
certainly
building
those
kinds
of
libraries
is
great
and
that's
another
good
place
where
you
can
contribute.
So
if
you
have
ideas
about
libraries,
that
would
be
great
that
that
would
be
certainly
we'd
love
to
see
that
I
think.
C
One
thing
that
we've
hesitated
on
is
that
with
especially
in
the
kubernetes
case
with
CR
DS
people
could
invent
things
that
we
just
don't
know
or
understand,
and
so
at
the
end
of
the
day
like
having
a
library,
could
give
people
a
sense
of
security
because
they
do
false
sense
of
security.
Thank
you
when,
in
fact,
they
need
to
understand
what
is
covered
by
that
and
what
is
not.
So
that
would
be
the
the
pros
and
cons
there.
Yeah
yeah.
A
A
You
know
some
portion
of
your
your
your
use
cases,
but
there's
sort
of
a
long
tail
of
things
they
need
to
be
able
to
lock
down
and-
and
you
know
the
example,
the
Tim
game
gave
is
not
something
that
you
can
express
and
with
role
based
access
control
or
with
I
am
or
anything
like
that
right.
So
they're
two
are
kind
of
complementary.
If
you
can
express
it
in
an
I.
Am
that
that's
that's
good,
but
there's
tons
of
things
that
you
can't
express
and
that
you
need
something
like
hope
before.
C
A
There's
a
there's,
a
blog
post
from
some
folks
at
Daimler
that
run
a
fairly
large
number
of
clusters
and
they
ran
into
a
problem
where
they
want
to
just
Express
a
blacklist,
basically
for
add
authorization
time
as
opposed
to
having
to
like
whitelist.
The
use
case
was
like
you
know:
you
want
to
grant
developers
access
to
every
name
space
except
cube
system
right,
it's
pretty
painful,
to
do
if
you've
got
namespaces
coming
up
all
the
time
because
you
need
to
constantly
be
creating.
These
are
back
objects,
and
so
you
know
open
just
lets.
A
You
express
that
blacklist
very
easily,
so
there
are
use
cases
for
it.
However,
you
can't
dynamically
configure
authorization
web
hooks.
Today,
it's
a
it's
a
cluster
setup
thing
and
it's
also
risky
to
run
like
the
authorizer
on
top
of
Kubb
like
because
it
creates
this
this
loop.
So
it's
definitely
possible
if
people
do
it,
but
you
need
to
have
more
control
over
your
clusters
than
you
get
in
some
cases.
C
Question
is
well
what
happens
if
the
input
that
comes
in
is
malformed,
for
example,
you
dot
down
through
an
object
that
into
a
field
that
doesn't
exist
yeah
so
today
this
is
actually
a
case
where
what
we
do
today
is
just
we
think
of
all
of
the
the
conditions
in
a
rule
as
that
as
conditions.
So,
if
you
were
to
say
input,
request,
foo
and
a
kubernetes
object,
that
would
be
something
that
we
look
at
as
a
condition.
If
that,
if
that
field
does
not
exist,
then
the
body
of
that
rule
fails
it
is.
C
It
is
effectively
false,
roughly
speaking,
so
what
we
do
is
that
that
we
don't
return
null.
We
just
the
the
value
of
that
expression
becomes
what
we
call
undefined
and
then
undefined
propagates,
so
there's
a
negation
that
will
flip
it
undefined
to
true
but
otherwise
undefined
propagate.
So
if
you
say,
if
input
dot
whatever
foo
and
input
out
whose
not
defined
equal
seven,
then
the
whole
thing
is
undefined
and
then
the
the
body
just
doesn't
evaluate
it.
True,
yeah,
that's
a
good
question.
A
So
the
question
is:
are
we
gonna
use
a
full?
Are
we
gonna
require
a
full
y'see
interface?
I,
don't
know
how
many
people
in
this
room
know
what
Y
Z
is
it's
a
like
us?
It's
a
standard,
that's
emerging
for,
like
the
system
call
interface,
basically
for
webassembly
executables.
The
answer
is
that
right
now
the
the
compiled
blossom
policies
don't
have
any
external
dependencies,
except
for
memory.
You
need
to
give
them
an
some
memory
to
work
with,
but
yeah
so
they're
they're
kind
of
free
on
their
own.
So
you
don't
have
to
worry
about
that.
C
A
A
When
you,
you
kind
of
like
just
configure
the
the
envoy
filter,
basically
to
talk
to
OPA
like
with
sto,
they
do
provide
a
CRT
that
lets
you
do
that,
so
it
like
works.
Well,
there
I,
don't
know
about
ambassador
specifically
I
will
mention
that
there
are
there's
a
talk
tomorrow
from
Yelp
about
how
they're
using
open
an
envoy.
So
if
you
are
interest
in
that
use
case,
I'd
recommend
checking
that
out
because
they're
doing
it
in
a
lot
of
different
laces.
C
A
Heard,
okay,
so
yeah
so
yeah.
So
when
we
say
JSON,
we
just
mean
kind
of
like
any
kind
of
complex,
hierarchical,
structured
data.
When
you
run
open
as
a
daemon,
it
exposes
an
HTTP
API
that
allows
you
to
ask
it
for
policy
decisions
and
that
API
only
supports
JSON.
Today,
if
you
embed
open
as
a
library
and
go
you
could
have,
you
could
have
like
protobuf,
you
know
serialize
things
coming
into
that
service
and
then
getting
passed
into
OPA.
That's
that's!
Actually
how
the
Envoy
plugin
works.
C
Good
question
it
was
most
of
the
examples,
are
validating
examples
or
were
just
accepting
or
rejecting
a
new
or
updated
resource.
Can
you
do
anything
around
mutation
and
potentially
provisioning?
So
one
other
talk
I'll
call
out
here
is
tomorrow
at
5:00
one
yeah
same
time:
goldman
sachs
is
going
to
be
talking
about
how
they're
doing
provisioning,
for
example,
provisioning
auerbach
in
when
a
new
name
space
is
created,
they're
using
open
to
do
that.