A Docker-inspired workflow for OPA policies
Now available at openpolicyregistry.io!
A brief history
When we first started using OPA, we were impressed with how flexible it is as a general-purpose decision engine. We were familiar with using it for infrastructure scenarios (like k8s admission control), but thought we could extend its use to application and API authorization scenarios.
One thing we missed, though, is the ability to interact with policy bundles in the same way that we interact with Docker images.
Enter the Policy CLI
We modeled the `policy` CLI on `docker`, a familiar pattern to most developers. With the `policy` CLI, you can build, tag, push, and pull policy images just like you do with `docker`. Check it out on GitHub!
By representing policy images as OCIv2 containers, you can push and pull them into any OCIv2-compatible registry. But we thought it would be useful to have a container registry that would focus exclusively on policies as a container image type.
We built opcr.io as a container registry for round-tripping policy image containers.
Bringing together three CNCF ecosystems
We believe that as a "meta-project", OPCR brings together three existing CNCF ecosystems, and makes them "better together":
- OPA: today, OPA’s packaging format is a tarball. Using the OCI container format to package OPA policies allows developers to tag, version, add metadata, and sign layers of a policy, much like they can any OCI container.
- Sigstore/cosign: using `cosign` to sign and verify signatures for OPCR container layers brings this value to the OPA ecosystem.
- OCI: formalizing a media type for OPA containers creates another valuable use-case for the OCIv2 image format.
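To make the packaging model above concrete, here is an added example (not OPCR's, OPA's or the `policy` CLI's own code) that models the build / tag / push / pull round-trip of a policy image as an OCI-style artifact: a manifest whose descriptors carry the media type, size and sha256 digest of each blob, so that a pull can verify every layer before it is unpacked. The bundle layer media type string, the in-memory registry dict and the `SAMPLE_POLICY` Rego file are assumptions constructed for illustration; opcr.io and other OCI registries are reached over HTTP, and the real media type is whatever the project formalizes.

```python
"""Added example: a policy image as an OCI-style artifact, with digest-checked pull.

The layer media type, the in-memory registry and the sample policy are assumptions
made for illustration; they are not opcr.io's or the policy CLI's own values.
"""
import hashlib
import io
import json
import tarfile

MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"  # OCI image-spec value
CONFIG_MEDIA_TYPE = "application/vnd.oci.image.config.v1+json"      # OCI image-spec value
# Hypothetical media type for an OPA bundle layer (assumption, not the page's or opcr.io's).
POLICY_LAYER_MEDIA_TYPE = "application/vnd.example.opa.bundle.layer.v1.tar"

# Constructed sample bundle: a single Rego file.
SAMPLE_POLICY = {
    "policy.rego": b'package authz\n\ndefault allow = false\n\nallow { input.user == "alice" }\n',
}

def digest(data: bytes) -> str:
    """OCI content addressing: 'sha256:<hex>' over the exact blob bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_bundle(files: dict) -> bytes:
    """Tar the policy files with fixed metadata so the same input yields the same digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def build_image(files: dict) -> tuple:
    """'policy build': return (manifest_bytes, blobs) with one config and one bundle layer."""
    layer = build_bundle(files)
    config = json.dumps({"policyFiles": sorted(files)}, sort_keys=True).encode()
    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_MEDIA_TYPE,
        "config": {"mediaType": CONFIG_MEDIA_TYPE, "digest": digest(config), "size": len(config)},
        "layers": [{"mediaType": POLICY_LAYER_MEDIA_TYPE, "digest": digest(layer), "size": len(layer)}],
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return manifest_bytes, {digest(config): config, digest(layer): layer}

def new_registry() -> dict:
    """In-memory stand-in for a registry: content-addressed blobs plus mutable tag pointers."""
    return {"blobs": {}, "tags": {}}

def push(registry: dict, ref: str, manifest_bytes: bytes, blobs: dict) -> str:
    """'policy push': store blobs and manifest, then point the tag at the manifest digest."""
    registry["blobs"].update(blobs)
    manifest_digest = digest(manifest_bytes)
    registry["blobs"][manifest_digest] = manifest_bytes
    registry["tags"][ref] = manifest_digest
    return manifest_digest

def tag(registry: dict, src_ref: str, dst_ref: str) -> str:
    """'policy tag': a tag is only a pointer; the digest (what a signature covers) is unchanged."""
    registry["tags"][dst_ref] = registry["tags"][src_ref]
    return registry["tags"][dst_ref]

def pull(registry: dict, ref: str) -> dict:
    """'policy pull': resolve the tag, verify every blob's size and digest, then unpack the bundle.

    A blob whose bytes do not hash to its descriptor is rejected, so a layer that was
    swapped or modified in the registry is never loaded into the decision engine.
    """
    manifest_digest = registry["tags"][ref]
    manifest_bytes = registry["blobs"][manifest_digest]
    if digest(manifest_bytes) != manifest_digest:
        raise ValueError("manifest digest mismatch")
    manifest = json.loads(manifest_bytes)
    files = {}
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = registry["blobs"].get(desc["digest"])
        if blob is None or len(blob) != desc["size"] or digest(blob) != desc["digest"]:
            raise ValueError(f"blob {desc['digest']} failed verification")
        if desc["mediaType"] == POLICY_LAYER_MEDIA_TYPE:
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
                for member in tar.getmembers():
                    files[member.name] = tar.extractfile(member).read()
    return files

def pull_detects_tampering(registry: dict, ref: str) -> bool:
    """Flip one byte of the stored bundle layer and confirm pull() refuses it; then restore it."""
    manifest = json.loads(registry["blobs"][registry["tags"][ref]])
    layer_digest = manifest["layers"][0]["digest"]
    original = registry["blobs"][layer_digest]
    tampered = bytearray(original)
    tampered[0] ^= 0xFF
    registry["blobs"][layer_digest] = bytes(tampered)
    try:
        pull(registry, ref)
        return False
    except ValueError:
        return True
    finally:
        registry["blobs"][layer_digest] = original

if __name__ == "__main__":
    reg = new_registry()
    m, b = build_image(SAMPLE_POLICY)
    print("pushed", push(reg, "example/authz:0.1", m, b))
    print("tagged", tag(reg, "example/authz:0.1", "example/authz:latest"))
    print("pulled", sorted(pull(reg, "example/authz:latest")))
    print("tamper detected:", pull_detects_tampering(reg, "example/authz:latest"))
```

The design point worth noticing is that a tag is a mutable pointer while a digest is not: `tag()` changes nothing about the content, which is why a `cosign` signature is made over the manifest digest rather than the tag name, and why a consumer should verify digests (and signatures) on pull rather than trusting that `latest` still points where it did.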
We'd love your feedback
We'd love to hear from you! Tweet / DM us at @openpolicyreg or find us in our Slack community!