Open Policy Agent - The future of cloud-native decision making
Welcome to the 26th edition of DevShorts!
I write about developer stories and open source, partly from my work and experience interacting with people all over the globe.
Some previous issues from DevShorts:
Join 1000+ developers to hear stories from Open source and technology.
Predii is an AI platform company which works in the automotive space. They work on exciting datasets and data problems. They are looking to hire folks for their Pune office - A NLP Researcher, Full Stack Dev. You can apply here if you are interested.
Open Policy Agent
Kubernetes(k8s) is the de facto container orchestration platform. Also called the platform of platforms because, today, most software is run on k8s in one way or the other. Gone are the days when you spin up a virtual machine to run your workload.
All is well! But managing access control for the k8s is challenging, in addition to auditing and maintaining compliance requirements according to government laws.
Yesteryear, each software system is used to export an API/PDF to give out the compliance report. In addition, organizations use scanners to coalesce information from each system; these are validated at the end of the quarter to ensure compliance.
Fast forward, things have become more dynamic with treating infrastructure as cattle than pets. Containers are the norm for packaging your application. As a result, the access, audit and compliance burden has increased, especially in regulated industries like Banking & Finance.
Enter Open Policy Agent(OPA); enforcing policies from your organization has become easier than ever, especially in the cloud-native world.
If you are still with me 😃 or confused - let us dig a bit deeper to understand.
What is a Policy?
Organization Acme Inc, only allows apps to be run on port 9243 and https protocol.
A sample policy in a simple text could be like the one stated above.
Usually, enterprise security companies like McAfee, Symantec, and Crowdstrike have agents that run on the hosts. A central manager enforces these rules by an admin in the form of a policy. You can have multiple policies applied on different servers or server groups.
Why do we need it?
Policies ensure reporting and help maintain an organization-wide security posture. They also help in security certification audits.
Adding on: the complexity of the cloud + k8s makes it more challenging. A multitude of apps run by different users or teams with varying levels of access is a reporting nightmare for security/compliance teams.
What advantages does OPA present?
Myriad tools, technologies, and many security vendors tried to solve this problem for each organization. As a result, some of them have built multi-billion companies in the course. But unfortunately, over the period, the user lost the choice to choose the technology or the security vendor, unable to deliver all the integrations in a performant manner.
OPA follows a policy language called Rego. Policies are written in Rego. It has some learning curve but is justified with its use cases.
What does it not cover?
OPA is not a kernel-level security agent. For example, it can’t preempt a process. Instead, it is a general-purpose policy engine and can help with admission control. Infact, OPA itself needs to be configured for TLS, authentication and authorization to verify client identities, etc.
Who incorporated OPA in their toolchain?
Many companies have already started integrating OPA for various use cases like authorization and policy enforcement. You can see some names from the ecosystem, but it is not an exhaustive list. There are more like Kubescape, Elastic, Rafay, Spacelift
Are you charged now to learn more about OPA? Then, click the button below to land on a getting started tutorial.
Working in the Software industry circa 1989 - This is an exciting and interesting article.
Replibyte is a project from Qovery - a cloud provider from Europe. It is a problem for any developer who wants to test the app with real data. RepliByte, even though it sounds like Replit.com quite different from the use case. Seems interesting to me!
If you’re finding this newsletter valuable, consider sharing it with friends or subscribing if you haven’t already.
Aravind Putrevu 👋🏽
Thanks for reading Dev Shorts!