Open Policy Agent


Torin Sandall
 

Hello!

Here are extra materials that were requested on the call.

You can find out more about OPA at openpolicyagent.org. We have a number of tutorials with examples across Kubernetes, Terraform, SSH, etc:


Here are two examples that show how you can write high-level declarative policies in OPA for different use cases like authorization and workload placement.

# REST API authorization example.

# First rule allows employees to GET their own salary.
# This rule shows how you can use variables in rules. In this case, employee_id
# is a variable that will be bound to the same value across the last two expressions.
allow {
    input.method = "GET"
    input.path = ["salary", employee_id]
    input.user = employee_id
}


# Second rule allows employees to GET the salary of their reports (transitively).
# This rule uses data/context loaded into OPA (data.management_chain). For example,
# the data may be organized as {"management_chain": {<employee_id>: [<mgr1>, <mgr2>, ...]}}
allow {
    input.method = "GET"
    input.path = ["salary", employee_id]
    input.user = data.management_chain[employee_id][_]
}


# Cluster placement example. In this case, the input would be an object representing
# a workload (or part of a workload, e.g., a Kubernetes Deployment.)

# First rule generates a set of clusters to place a workload on.
# This rule shows how you compose rules/functions.
desired_clusters = {name |
cluster = data.clusters[name]
satisfies_jurisdiction(input.deployment, cluster)
}

# This rule decides whether a cluster satisfies the deployment's jurisdiction requirements.
satisfies_jursidiction(deployment, cluster) {
deployment.jurisdiction = "europe"
startswith(cluster.region, "eu")
} else {
not deployment.jurisdiction
}

As Tristan mentioned on the call, OPA can also ingest and evaluate configuration like RBAC rules. This is what Istio is planning to do. The benefit of this approach is that it provides a simple interface for administrators, but at the same time, if they need to tweak or extend the policy, they can do so by dropping down to the lower level policy language. They do not have to modify the policy engine itself.

-Torin

Join cncf-toc@lists.cncf.io to automatically receive all group messages.