Design Patterns for OPA and Cloud Native Authorization

Conference:  CloudOpen 2022

2022-06-23

Authors:   Tim Hinrichs


Summary

Introduction to Open Policy Agent (OPA) and its flexibility in policy language and deployment options
  • OPA is a decision point for authorization decisions made by any service
  • Policy queries can be any arbitrary JSON value and the policy language is purpose-built to handle deeply nested JSON data
  • Context-aware policies can be created by injecting arbitrary data into OPA
  • Policy decisions can also be arbitrary JSON objects
  • OPA is flexible in deployment options, including running as a CLI, embedded library, or centralized authorization service
  • The policy language is expressive but not as complex as a programming language
An example of OPA's flexibility is the ability to write a policy that only allows on-call personnel to make changes to a production Kubernetes cluster. This information is typically stored in a third-party service like PagerDuty, but can be pulled and injected into OPA to inform authorization decisions.
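The on-call example above, written out as a Rego policy. This is an added illustration, not code from the talk: it assumes OPA is deployed as a Kubernetes validating admission controller (the AdmissionReview arrives as `input`) and that a separate sync job pulls the current roster from PagerDuty and pushes it into OPA as `data.oncall.users` (for example via the REST data API or a bundle).

```rego
package kubernetes.admission

# Example data document, pushed into OPA by an external sync job
# (assumed shape, not defined by the talk):
#   {"oncall": {"users": ["alice", "bob"]}}

# Deny by default so an empty or stale roster fails closed.
default allow = false

# Changes outside production need no on-call check.
allow {
    not is_production
}

# Changes to production are only allowed for users currently on call.
allow {
    is_production
    is_on_call
}

is_production {
    input.request.namespace == "production"
}

# The requesting user (from the AdmissionReview userInfo) must appear
# in the injected on-call roster.
is_on_call {
    input.request.userInfo.username == data.oncall.users[_]
}

# Human-readable reason returned in the admission response when denied.
deny[msg] {
    is_production
    not is_on_call
    msg := sprintf("user %s is not on call and cannot modify the production namespace", [input.request.userInfo.username])
}
```

Because the roster lives in `data` rather than in the policy, the decision changes as the on-call rotation changes without editing or redeploying the Rego itself.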

Abstract

Part of the beauty of the cloud-native ecosystem is its rich selection of best-of-breed solutions that span the entirety of the software development lifecycle: from datastores, to CI/CD pipelines, to programming languages, to test frameworks. The challenge, however, is that all of these different projects and components need to be independently configured to meet security, compliance, and operational mandates. In this talk we focus on the problem of authorization (controlling which users and machines can perform which actions on software) and how to solve that authorization problem across many different kinds of software using the CNCF-graduated Open Policy Agent (OPA). OPA has been used by hundreds of companies all over the planet to solve a plethora of authorization challenges in different domains, e.g. Kubernetes, service meshes, infrastructure-as-code, SSH guardrails, and application-level authorization. For a new user, the challenge is understanding how to apply OPA to solve their own authz challenges. This talk helps by describing the 4 most popular design patterns for OPA and giving the audience pointers to documented examples of how leaders in the cloud-native space (e.g. Pinterest, Atlassian, Goldman Sachs) have applied those patterns successfully.