Re: OPA to graduation


Gareth Rushgrove
 

On Wed, 9 Dec 2020 at 19:11, Liz Rice <liz@lizrice.com> wrote:

I really like OPA, and the project is doing tons of things really well, but I am struggling to add a +1 on the voting thread for it. When we move something to graduation, the TOC is sending a strong message that we think it's ready for end users to run in production - but to me it's not exactly clear what we're recommending. Anecdotally it seems to me that for a lot of folks in our community, OPA is synonymous with Gatekeeper. And that's a really useful component, and I don't want to do a disservice to the great work being done on it, but I don't think it's necessarily true that webhook + Gatekeeper is a robust, scalable solution that end users can assume they can deploy today with little-to-no risk.

I am very open to hearing why my concern is misplaced - for example am I missing messaging about other situations where OPA is being widely used, or how Gatekeeper is positioned?
I think Gatekeeper is interesting, but it's a sub-project of Open
Policy Agent, not the whole thing. Anecdotally I mainly talk to a lot
more folks using OPA outside Kubernetes than those just using it for
Kubernetes-related use cases. Download stats are imperfect, but do
bring some data points.

At least direct from GitHub, Conftest
(https://github.com/open-policy-agent/conftest/, another sub-project)
gets a lot more direct downloads than OPA. That's intentional (at
least to me, as the creator and one of the maintainers!) as it's
intended for local individual usage. It's developers downloading it to
their desktops, from homebrew or direct from GitHub.

The latest Conftest release has seen ~7000 downloads across platforms
(not including the container image) and was shipped <1 month ago (14th
November).

The Docker Hub published images tell the other part of the story

10M+
https://hub.docker.com/r/openpolicyagent/opa/

1M+
https://hub.docker.com/r/openpolicyagent/gatekeeper

100k+
https://hub.docker.com/r/openpolicyagent/conftest (formerly
https://hub.docker.com/r/instrumenta/conftest)

Gatekeeper here outstrips Conftest, given it's server vs local use
case. OPA itself is more popular still, because while Gatekeeper is
only for Kubernetes, OPA itself can be used with Kubernetes, but it's
also used for other generic policy use cases in the broader cloud
native ecosystem.

GitHub Stars (pah!) are interesting in microcosm here as well:

Conftest - 1.5k
Gatekeeper - 1.4k
OPA - 4.3k

But that's also just direct usage. OPA itself I'd argue is also partly
something others build on top of as a library. Others will have other
private and public examples, but for instance
https://forsetisecurity.org/docs/latest/configure/real-time-enforcer/opa-engine.html
or https://docs.ceph.com/en/latest/radosgw/opa/.

What ties all of those OPA-powered tools together is the Rego policy
language and I think that's an important aspect here with regards to
graduation. Another datapoint was there was enough Rego code on GitHub
for them to add support for code search and highlighting last year
https://github.com/github/linguist/pull/4371#issuecomment-533053406.
The amount of public Rego code has continued to grow as well
https://github.com/search?utf8=%E2%9C%93&type=Code&ref=searchresults&q=extension%3Arego+package,
from around 200 results a over a year ago to more than 7000 now. Note
as well most of the Rego written, by its nature, is going to be
private.

Hopefully that's useful context about the project and ecosystem. There
are likely some good user stories as well that others can share to
compliment my data deluge. The Gatekeeper folks can probably comment
on Gatekeeper specifically too, but Open Policy Agent is a bigger
project with a broader impact on the wider cloud native community I
feel.

Gareth



--
Gareth Rushgrove
@garethr

garethr.dev
devopsweekly.com

Join cncf-toc@lists.cncf.io to automatically receive all group messages.