OPA: A general-purpose policy engine for cloud-native

As your organization embraces the cloud, you may find that the dynamism and scale of the cloud-native stack make for a far more complicated security and compliance landscape. For instance, with container orchestration platforms like Kubernetes gaining traction, developers and devops teams have new responsibility over policy areas like admission control as well as more traditional areas like compute, storage and networking. Meanwhile, each application, microservice or service mesh requires its own set of authorization policies, for which developers are on the hook.

It’s for these reasons that the hunt is on for a simpler, more time-efficient way to create, enforce and manage policy in the cloud. Enter Open Policy Agent (OPA). Created four years ago as an open-source, domain-agnostic policy engine, OPA is becoming the de facto standard for cloud-native policy. As a matter of fact, OPA is already employed in production by companies like Netflix, Pinterest, and Goldman Sachs, for use cases like Kubernetes admission control and microservices API authorization. OPA also powers many of the cloud-native tools you already know and love, including the Atlassian suite and Chef Automate.

OPA provides cloud-native organizations a unified policy language, so that authorization decisions can be expressed in a common way across apps, APIs, infrastructure, and more, without having to hard-code bespoke policy into each of those various languages and tools individually. In addition, because OPA is purpose-built for authorization, it offers a growing collection of performance optimizations so that policy authors can spend most of their time writing correct, maintainable policy and leave performance to OPA.

OPA authorization policy has many use cases across the stack, from putting guardrails around container orchestration to controlling SSH access or providing context-based service mesh authorization. However, three popular use cases provide a good launching pad for many OPA users: application authorization, Kubernetes admission control, and microservices.

OPA for application authorization

Authorization policy is ubiquitous, because virtually every application requires it. However, developers typically “roll their own” code, which is not only time-consuming but also results in a patchwork quilt of tools and policies that are difficult to maintain. While authorization is critical for every app, time spent creating policy means less time focusing on user-facing features.

OPA uses a purpose-built declarative policy language that makes authorization policy development simple. For example, you can create and enforce policies as straightforward as, “You cannot read PII if you are a contractor,” or, “Jane can access this account.” But that’s just the start. Because OPA is context-aware, you can also build policy that considers anything on the planet — such as, “Stock trades requested in the last hour of the trading day, which will result in over a million dollar transaction, can only be executed on specific services in a given namespace.”
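The policies quoted above, written in Rego (OPA's policy language) as an added example; this is not code from the article or from the OPA project. The input fields, the account data, and the service and namespace names are assumptions made for illustration.

```rego
package app.authz

import rego.v1

# Constructed sample data; a real deployment would load this into OPA as data.
account_owners := {"acct-1001": {"jane"}}

# Fail closed: allow only when a rule grants the request and none denies it.
default allow := false

allow if {
	granted
	count(deny) == 0
}

# "Jane can access this account."
granted if input.user.name in account_owners[input.resource.id]

# Assumed baseline grants: anyone may read records, traders may place trades.
granted if { input.action == "read"; input.resource.type == "record" }
granted if { input.action == "trade"; input.user.role == "trader" }

# "You cannot read PII if you are a contractor." Missing employment counts as contractor.
deny contains "contractors may not read PII" if {
	input.action == "read"
	input.resource.pii == true
	object.get(input.user, "employment", "contractor") == "contractor"
}

# Trades over $1M in the last hour before close need an approved service.
deny contains "large late-day trade from unapproved service" if {
	input.action == "trade"
	input.trade.amount_usd > 1000000
	input.trade.minutes_to_close <= 60
	not approved_service
}

approved_service if { input.service.namespace == "trading-prod"; input.service.name == "order-router" }

# Tests over constructed inputs; run with `opa test` on this file.
test_contractor_pii_denied if {
	not allow with input as {"action": "read", "user": {"name": "sam"}, "resource": {"type": "record", "pii": true}}
}
test_jane_account_allowed if {
	allow with input as {"action": "read", "user": {"name": "jane", "employment": "employee"}, "resource": {"id": "acct-1001"}}
}
test_late_trade_denied if {
	not allow with input as {"action": "trade", "user": {"role": "trader"}, "trade": {"amount_usd": 2500000, "minutes_to_close": 30}, "service": {"namespace": "dev", "name": "order-router"}}
}
```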

Of course, many organizations have bespoke authorization already in place. However, if you hope to decompose your applications and scale microservices in the cloud while retaining efficiency for developers, there will be a need for a distributed authorization system. For many, OPA is the missing puzzle piece.

OPA for Kubernetes admission control

Many users also use OPA to create guardrails for Kubernetes. Kubernetes itself has become mainstream and mission-critical, and organizations are looking for ways to define and implement security guardrails to help mitigate security and compliance risk. Using OPA, administrators can set clear policies so that developers can accelerate pipeline production and rapidly bring new services to market, without worrying about operational, security, or compliance risk.

Copyright © 2020 IDG Communications, Inc.
