►
Description
With our digital systems growing increasingly distributed and our tech stacks increasingly heterogeneous, we need to devise new models around policy and access control. In this presentation, we’ll introduce Open Policy Agent (OPA) - what problems it solves and how it unifies policy across the whole cloud native stack. After a brief introduction, we'll take a closer look at Rego, the policy language used by OPA, before exploring how OPA may be used for building guard rails around our Kubernetes clusters.
A
So
that's
kind
of
how
I
got
involved
in
in
oppa
in
the
first
place,
so
I've
been
on
on
both
sides
so
to
speak.
When
I,
when
I
don't
work
with
oppa,
my
main
passions
include
cooking
food
and
football
and
you'll
find
me
on
twitter
and
get
out
and
so
on,
all
right.
So
what
problem
are
we
trying
to
solve
here
or
what's
the
challenge,
so
the
challenge
is
basically
to
manage
policy
in
increasingly
distributed
complex
and
heterogeneous
systems.
A
A
And
and
cloud
resources,
of
course,
so,
and
then
also
course
data.
So
any
modern,
like
normally
sized
company,
is
going
to
have
at
least
probably
half
of
these
technologies
and
the
more
the
more
the
bigger
the
company,
the
more
of
these
technologies,
and
the
problem
is
that
the
these
technologies
all
have
their
way
of
working
with
policy.
A
So
oppa
is
an
open
source,
general
purpose
policy
engine.
It
offers
a
unified
tool
and
a
framework
for
working
with
policy
across
the
stack.
What
opa
does
it
decouples
policy
from
application
logic,
so
meaning
it
kind
of
extracts?
The
part
that
is
policy
and
it
moves
that
out?
Okay,
sort
of
like
you'd
move
data
from
your
app
and
into
your
database.
A
A
A
These
policies,
they're
written
in
a
language
called
rego,
which
is
a
declarative
language
which
we'll
look
into
more
in
a
bit
and
since
it
is
a
general
purpose
policy
engine,
it's
found
use
cases
in
in
everything
from
kubernetes
admission,
control,
app
or
microservice
authorization,
infrastructure
policies,
data
source,
filtering
or
data
source
access,
and
so
on.
So
pretty
much
anywhere.
Where
you
can,
where
you
can
find
policy,
you
can
find
oppa
and
oppa
is
a
vibrant,
open
source
community
we're
we
have.
A
I
think
these
numbers
are
a
little
dated
by
now,
so
I
think
we
have
we're
almost
200
contributors,
50
plus
integrations
listed
and
yeah.
It's
it's
a
it's
a
big
and
vibrant
open
source
community,
and
not
only
is
there
oppa
like
the
core
policy
engine,
but
there's
also
these
kind
of
projects
surrounding
opa,
such
as
conf
test
for
for
using
rego
and
oppa
on
on
configuration
and
and
there's
gatekeeper
for
for
using
opa
as
an
admission
controller
and
there's
editor,
plugins
and
so
on.
A
But
of
course
it's
it's
not
just
a
hobbyist
open
source
project,
but
oppa
is
used
by
some
of
the
biggest
companies
in
the
world,
and,
if
that,
that's
not
enough
to
convince
you,
maybe
this
tweet
will
the
open
policy
agent
project
is
super
dope.
I
finally
have
a
framework
that
helps
me
translate
written
security
policies
into
executable
code
for
every
layer
of
the
stack.
So
that's
pretty
much
that
pretty
much
sums
it
all
up.
What
elba
is
about?
A
Okay,
so
rigo,
then
or
oppa?
How
does
it?
How
does
it
work?
How
can
oppa
work
with
all
these
diverse
technologies?
So
the
way
the
policy
decision
model
works?
It's
kind
of
like
this
there's
normally
a
request
coming
in
to
your
service
and
when
I
say
service
that
could
be
anything
that
could
be
your.
A
But
it
might
as
well
be
kafka,
it
could
be
the
linux
power
module
or
it
could
be
docker.
It
could
be
the
kubernetes
api
server.
So
anything
anything
that
can
intercept
or
accept
requests
is
kind
of
a
viable
target.
So
so
that's
the
model
and
and
this
service
in
turn
turns
to
oppa
to
to
for
a
decision.
A
Basically,
so
it
sends
a
policy
query,
and
this
is
all
http,
it's
a
rest
api
and
it's
like
all
just
json,
so
any
service
or
any
any
technology
which
can
talk,
http
and
which
can
talk
json
is
can
can
ask
opa
for
a
decision
and
and
of
course,
pretty
much
any
service.
The
last
20
years
or
so
can
can
do
this.
So
that's
why
oppa
can
be
so
pervasive
deployment,
then
the
way
it
works.
Oppa
is
itself
it's
it's
a
tiny,
little
self-contained
binary.
So
it's
a
single
file
and
it's
lightweight.
A
So
ideally
you
deploy
them
everywhere.
There's
no
like
one
big
fat,
oppa
per
server
that
everyone
would
talk
to,
but
rather,
if
you
have
eight
or
nine
pods
serving
your
app,
then
you'd
have
eight
or
nine
oppas.
You'd
have
one
running
inside
of
each
pod
and
the
normal
kind
of
deployment
pattern
is
often
a
side
car
in
kubernetes
or
it's
a
daemon
running
on
the
same
host
and
again
applications.
They
talk
to
oppa
through
the
opa
rest
api,
but
there
are
also
a
few
other
options
available.
A
What
about
rigo,
then,
this
policy
language,
it's
a
declarative,
high-level
policy,
language
which
is
used
by
oppa
and
when
we
say
declarative
it's
it's
kind
of
like
sequel,
you
that
you
you've
got
brother
rather
than
saying
exactly
how
something
should
be
done.
You
just
specify
what
you
want
done
and
a
policy
is
pretty
much
just
a
set
of
rules
and
any
rule
can
can
return
a
decision.
So
a
decision
could
be
true
or
false,
or
it
could
be
a
string.
A
But
one
thing
we
should
mention
here
before
we
we
do.
That
is
normally
the
policy
in
themselves.
They
they
are
useful,
but
they
need
data
for
in
order
to
to
make
these
decisions
they
need
to
know
like
who
is
the
user?
What
endpoint
are
we
trying
to?
Are
you
trying
to
reach?
What
operation
are
you
trying
to
do?
A
So?
There
are
a
number
of
ways
we
can
provide
that
to
to
oppa
and
the
most
common
one
is
probably
just
as
part
of
the
query.
So
when
you
ask
oppa,
you
also
provide
some
data,
so
you
say
I
am
an
admin.
Am
I
allowed
to
to
reach
this
endpoint,
but
if,
if
you
need
more
data
or
you
or
you
need
data
in
other
forms,
you
can
also
like
push
data
into
oppa
through
the
opa
rest
api.
A
You
can
also
provide
whole
data
as
in
form
of
bundles,
which
oppa
goes
and
fetch
and
fetches,
and
that's
the
last
one
there's
also
an
http
client
that
you
can
use
from
from
inside
of
your
policy.
So
if
you
really
need
to
go,
go
out
and
fetch
some
data
at
policy
evaluation
time,
that
is
also
an
option,
and
with
that
I'm
going
to
hop
over
here
to
the
rego
playground
where
we
can
look
at
you
know
what
what
policy
offering
entails
so
to
the
left.
A
A
The
user's
path
and
the
method
is,
is
get
and
the
way
we'd.
The
way.
What
the
service
then
would
expect
is
for
us
to
say
that,
yes,
this
is
allowed,
or
this
is
not
allowed
and
we
could,
if
we
wanted
to,
we
might
also
want
to
respond
back
with
a
reason.
If
we
deny
someone
we
might
want
to
say
no,
you
can't
you
can't
access
this
end
point
because
you
don't
have
the
role
of
a
doctor
or
whatever,
whatever
is
the
requirement
so
again,
and
a
policy
is
just
a
number
of
rules.
A
A
So
if
I
just
say
something
super
simple,
like
I
say
that
yeah
this
is
true,
and
I
evaluate
this,
I'm
gonna
see
that
the
output
with
oppa
decide
here
is
that
the
allow
rule
is
true
and
if
I
add
another
condition
here
where
I
say
false,
we're
gonna
see
that
the
allowance
rule
is
no
longer
true.
In
fact,
it's
no
longer
nothing
because
you
know,
but
if,
if
something
is
not
true,
it's
just
undefined
at
least
that's
the
default.
A
So
if
we
want
to
change
that,
we
might
we
might
want
to
do
something
like
this.
We
might
want
to
say
that
by
default,
allow
is
equal
to
false.
That
seems
like
a
pretty
good
default
for
for
any
like
security
policy.
Doesn't
it
so
we
can
say
that
that
if
we
evaluate
this
again,
we
can
see
that
now.
Allow
is
false,
even
though
these
conditions
are
are
not
true,
because
that's
kind
of
the
fallback
condition
and
if
we
have
that
removed,
you
can
see
that
allow
is
not
true.
A
So
of
course
this
this
is
kind
of
a
silly
example.
So,
let's,
let's
actually
do
something
useful
here.
You
can
see
here
that
we
have
some
data
as
part
of
the
input.
So
so,
let's
use
that.
So
we
might
want
to
say
here:
that's
the
user's
endpoint,
that's
kind
of
a
public
endpoint,
so
anyone
should
be
able
to
to
to
read
that.
So
we
say
if
inputpath
this
equal
to
users
or
or
writers,
let's
see
yeah,
let's
start
with
that,
and
the
input
method
is
equal
to
get
so
again.
A
If
both
of
these
conditions
are
true,
then
the
rule
is
considered
to
be
true.
So
if
we
change
something
here
now
or
if
we
evaluate
that
yeah,
that's
still
true,
if
we
change
something
out
of
the
input,
so
we're
trying
to
put
something
in
the
users
see
that's
the
rule
is
no
longer
true.
So
so
that's
kind
of
super
basic,
the
basics
of
how
how
regal
rules
work.
A
Let's
change
this
back
here
and
and
of
course,
this
is
just
when
we
we're
probably
going
to
have
like
hundreds
of
endpoints
or
at
least
a
dozens
of
endpoints
and
and
maybe
several
operations
so
the
way
we
could
do
here,
we
could
create
new
rules
and
we
can
aggregate
him
into
like
a
single
one.
Another
thing
we
could
do
is
just
we
could
work
with
what
we
call
incremental
rules
and
these
are
kind
of
forms.
A
So
what
we
do
here
is
just
we
create
another
rule
with
the
same
name
and
the
way
things
work
here
like
I
said
here
that
if
all
the
rules
in
the
body
are
true,
then
the
rule
is
going
to
be
true
but
you're
outside
of
the
bodies.
If
one
of
the
rules
are
true,
then
the
rule
is
true,
so
it's
gonna
and
inside
of
the
rules
and
or
outside
of
it.
A
A
A
A
A
That's
no,
that's
not
allowed
either,
but
that's
kind
of
that
can
that's
it's
kind
of
a
bug
here,
maybe
in
our
in
our
policy,
because
we,
our
intention
here,
was
just
that
anyone
can
view
users.
They
might
not
modify
them,
but
so
what
we
could
really
do
here
if
we
say
like
just
if
the
first
path
component
is
equal
to
users,
then
we
should
be
allowed
okay,
so
that's
policy
offering
in
rego.
A
A
B
B
A
A
These
modules
are
chainable,
so
there
could
be
any
number
of
authenticators
authorizers
or
admission
controllers
as
on
on
the
way
to
etsy
and,
of
course,
kubernetes
ships
with
quite
a
few
of
these
modules,
some
of
them
are
more
used
and
more
commonly
seen
than
others
like
the
rbac
module.
I
guess
which
pretty
much
anyone
uses,
but
from
an
open
perspective.
A
What's
really
interesting
is,
is
the
webhook
module,
so
in
any
of
these
modules,
you
can
say
instead
of
consulting
one
of
these
built-ins
I'd,
rather
send
a
request,
an
http
request
to
some
remote
endpoints,
with
with
this
request,
with
with
these
resources
that
you're
trying
to
persist,
I'd
rather
send
that
to
a
remote
endpoint
and
see
what's
what
that
has
to
say
about
it,
so
that
sounds
kind
of
familiar
right.
That's
kind
of
web
hook,
model
http
and
json
body
right.
B
A
B
A
Which
should
be
enforced
in
our
clusters,
as
as
cluster
administrators
or
or
as
just
developers
and
and
some
of
these
pretty
common
enforcements
include
forcing
or
enforcing
a
specific
docker
registry,
an
internal
company
registry
and
other
image
constraints
like
you
can't
use
the
latest
tag.
You
can't
use
any
version
below
this
or
that
and
so
on.
A
A
Another
pretty
common
case
is
for
to
verify
like
host
or
path
uniqueness
for
ingress
controllers
and
that's
a
bit
more
advanced
since
then.
You
also
need
to
know
the
current
state
of
your
cluster.
You
can't
just
check
the
the
kind
of
incoming
resource.
You
also
need
to
check,
what's
already
out
there,
just
to
verify
that
you
don't
deploy
a
new
application
and
it
kind
of
takes
over
on
a
path
already
owned
by
somebody
else
or
some
other
app.
A
So,
just
to
kind
of
reiterate
here
on
rigo,
you
learned
the
basics
here,
just
just
a
couple
of
minutes
ago.
So
so
what
would
it
look
like
then?
Well,
as
you
can
see,
the
basics
are
all
the
same.
Here
we
have
json
in
the
input.
The
input
looks
a
bit
different
from
from
what
we
saw
in
the
in
my
example,
but
it's
still
just
it's
just
json,
so
we
have
a
pod
a
bit
about
to
be
admitted
here
and
if
we
check
the
policy
in
the
middle,
it's
a
very
simple
policy.
B
A
There's
not
a
cost
center
provided
if
there's
not
a
cost
center
provided,
then
we
can
move
on
to
the
next
line,
which
is
just
returning
that
message
that
every
resource
must
have
a
cost
center.
So
the
response
back
from
our
oppa,
it's
going
to
be
a
deny.
Every
resource
must
have
a
call
center
label.
So
that's
what
you're
going
to
see
when
you
do
cube
cdl
apply
and
then,
of
course
you
can
just
go
back
to
your
resource.
A
You
might
need
a
better
tooling
for
that
and
that's
where
opus
management
apis
come
in
and
and
what
they
really
what
they
what
they
do
is
they
offer
a
way
to
configure
robot
to
to
kind
of
reach
out
to
remote
endpoints
in
order
to
obtain
policy
to
log
decisions?
That's
another
huge
thing
for
like
when
you
start
to
extract
policy
from
your
application
logic,
because
now,
all
of
a
sudden
you,
you
also
have
a
golden
opportunity
to
actually
see
what's
going
on
in
terms
of
decision.
A
Okay,
so
where
do
you
start,
then,
if
you,
if
you
think
this
sounds
like
a
like,
it
would
be
something
for
you.
I
suggest,
like
start
small,
there's
really,
there's
really
no
reason
not
to
oppai
is,
and
maybe
just
start
with
the
playground,
then
in
in
one
tab
and
maybe
the
docs
in
another
and
try
try
it
out.
A
You
always
have
policy
just
whether
you
do
it
in
a
nice
way
or
not,
and
once
you
once
you've
identified
some
policy,
you
can
start
to
delegate
some
of
that
to
oppa
and
again
you
don't
need
to
rewrite
your
whole
app
in
a
single
setting.
You
can
you
can
start
with,
maybe
one
end
point,
one
operation
or
one
roll
or
or
whatever
just
start
small
and
then
and
then
kind
of
deploy
and
build
experience
from
that.
A
And
after
that,
you
can
start
to
consider
these
kind
of
management
opportunities
or
management
capabilities
such
as
decision
logging,
how
to
serve
how
to
share
have
like
shared
policy
across
hundreds
of
pods
or
applications,
and
a
couple
of
free
resources
from
from
styrates
to
styra
academy,
which
is
a
great
learning
resource
which
is
absolutely
free.
There's
the
styra
das,
which
offers
many
of
these
management
capabilities
once
you've
kind
of
grown
beyond
the
basics
and
there's
the
opa
slack.
B
A
A
B
A
Yeah
yeah
yeah,
of
course,
that
that
we
do
and
and
then
the
follow-up
question
was
how
many
support
hours
do
we
have
to
buy
to
get
such
a
t-shirt
that
we
can.
We
can
certainly
send
send
you
a
t-shirt
rb,
so
just
just
reach
out
to
anders
at
styra
after
and
I'll
I'll
make
sure
you
get
a
t-shirt.
Of
course.