
Introduction to Open Policy Agent

2021-10-15

Authors: Rita Zhang, Ash Narkar


Summary

OPA is a general-purpose policy engine that can be integrated with various systems to enforce custom security policies. The community is working on improving documentation, updating tutorials, and optimizing memory usage.
  • OPA is a policy engine whose policies are written in Rego, a high-level declarative language. The values a policy produces can be sets, objects, collections of values, strings, and more.
  • OPA can be deployed as a sidecar, a host-level daemon, or embedded inside Go code.
  • OPA provides management APIs to pull policy and data from a remote service and upload logs and decisions to a remote service for offline auditing.
  • OPA has a rich set of tooling, including a unit test framework and integrations with IDEs like Vim, VSCode, and IntelliJ.
OPA can efficiently load policies and data from disk during evaluation, which can reduce memory usage. For example, loading raw JSON data into OPA takes 20 times more memory than keeping the same data on disk in a compact serialized form. The community is looking for ways to store policies and data on disk to optimize memory usage.

Abstract

Come to this session to learn about the Open Policy Agent (OPA) project. OPA is a general-purpose policy engine that solves a number of policy-related use cases for Kubernetes, microservices, CI/CD, cloud, and more. During this session the OPA maintainers will introduce the project for newcomers and then provide updates on the latest and greatest features landing in OPA and OPA Gatekeeper. If you are interested in policy and security as it relates to cloud native technology, this session is for you.
