Open Policy Agent

Hey guys, thanks for taking the time to read the following blog post. I hope it will benefit you in your Kubernetes learning path and help you create a positive impact in your organization.

Let's get into it…

OPA was created in 2016 by Styra and is a graduated project of the CNCF (Cloud Native Computing Foundation). Although it was published a couple of years after Kubernetes and is best known for its use in Kubernetes, it has a far wider range of integrations, as you can see in the following picture.

OPA is a full-featured policy engine that offloads policy decisions from the software. Without it, we would need to build policy management from scratch, taking many variables into account, which would require substantial development time.

OPA uses Rego (pronounced "ray-go") as its policy language. To ease the adoption of Rego, OPA offers multiple learning resources, a playground and tooling.

OPA admission controller

In Kubernetes, almost every operation goes through the API server, and admission controllers are a critical part of it. Admission controllers can implement mutating and validating webhooks, which validate or mutate the resources submitted through the API.

A simple example is deploying a pod to a non-existent namespace and getting the error namespace "something" not found. Thanks to the NamespaceLifecycle admission controller, the request is validated before a resource can be created in a non-existent namespace.

In 2019, OPA Gatekeeper was announced, an open-source project that provides a first-class integration between OPA and Kubernetes.

Gatekeeper is an admission controller that provides a Kubernetes-native way to validate and mutate resources with OPA policies. It comes with a policy library and CRDs that help your organization adopt OPA faster.

Any resource submitted to the API is validated, mutated, or ignored according to the policies in place.

OPA also has audit functionality and will alert you when an already-created resource does not comply with new policies in the cluster.

To conclude,

OPA is one of the most recognized tools for policy implementation, whether in your software, your CI/CD tools, IaC such as Terraform, or your Kubernetes cluster. You can see it in action in our next blog post "OPA In Action".

For some, OPA is too heavyweight, especially when it comes to learning Rego. We also cover Kyverno with examples so you can compare the two.

Relevant links:
Kubernetes NamespaceLifeCycle - https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle
Learning Rego - https://www.openpolicyagent.org/ecosystem/learning-rego/
Rego policy language reference - https://www.openpolicyagent.org/docs/latest/policy-language/

Developed by KubeGurus

Developed by KubeGurus

Developed by KubeGurus