Open Policy Agent (OPA) unifies policy enforcement across the cloud-native stack. It enables developers, operations, compliance and security teams to build and enforce consistent authorization policy at scale, enhancing security and reducing the manual burden placed on staff as a result.
Want to learn more? Let’s take a deeper dive.
Why Universal Policy?
Prior to OPA, every development team had to manually create its own authorization policies and subsystems. There was no singular way to solve policy creation or policy enforcement.
In legacy, on-premises environments, this manual process was relatively simple (though still inefficient) because companies only managed a few disparate systems. But due to the rise of microservices architecture, containerized apps and cloud platforms, there are many more discrete components that require their own authorization policies baked in. This makes the development and management of policy exponentially more complex and time-consuming, opening the door to human error.
However, ensuring access control is also a crucial part of application development. Every application needs authorization and every development team is tasked with policy implementation. So why should engineers have to reinvent the wheel when all organizations (and applications) face similar access control issues?
Authorization itself is a relatively simple concept based on logical expressions that decide who is permitted to do what. It makes sense that organizations could leverage the same structure of authorization policies in the same environments, albeit with some tweaking. With that premise, I went to work on OPA.
What is OPA?
In 2015, I cofounded Styra to work on the problem of authorization for the cloud-native tech stack. Torin Sandall, Styra’s VP of open source, and I created OPA in 2016 with the help of hundreds of open source contributors. OPA is only possible at scale thanks to the contributions of the open source community.
OPA is an open-source project that implements a single policy language and policy engine that can be applied to solve policy and authorization problems at every layer of the cloud-native stack. It uses a purpose-built declarative language, Rego, to express sophisticated logic over complex hierarchical data structures. OPA has over 50 integrations and is able to enforce policies in Terraform, microservices, Kubernetes and more. Because OPA is open-source, it grew quickly and organically by solving real-world problems users were experiencing.
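To make the "declarative logic over hierarchical data" point concrete, here is an added example (not code from the original article or from the OPA project) of a small Rego policy for the microservice authorization use case. The request shape (`input.method`, `input.path`, `input.user.roles`) and the role table are assumptions made up for the example; the `test_` rules embed constructed sample requests so the file can be checked offline with `opa test .`.

```rego
package httpapi.authz

import rego.v1

# Deny by default: a request is allowed only if some rule below proves it.
default allow := false

# Hypothetical role-to-method table. In practice this would be loaded as
# external data (the "data" document) rather than hard-coded in the policy.
role_permissions := {
	"admin": {"GET", "POST", "DELETE"},
	"editor": {"GET", "POST"},
	"viewer": {"GET"},
}

# Any authenticated caller may read their own profile.
allow if {
	input.method == "GET"
	input.path == ["users", input.user.id]
}

# Access under /documents is decided by the caller's roles.
allow if {
	input.path[0] == "documents"
	some role in input.user.roles
	input.method in role_permissions[role]
}

# Produce a human-readable reason so the calling service can log denials.
deny_reason contains msg if {
	not allow
	msg := sprintf("user %q may not %s /%s", [input.user.id, input.method, concat("/", input.path)])
}

# Constructed sample requests; run with `opa test .`
test_viewer_can_read if {
	allow with input as {"method": "GET", "path": ["documents", "42"], "user": {"id": "alice", "roles": ["viewer"]}}
}

test_viewer_cannot_delete if {
	not allow with input as {"method": "DELETE", "path": ["documents", "42"], "user": {"id": "alice", "roles": ["viewer"]}}
}

test_own_profile_readable if {
	allow with input as {"method": "GET", "path": ["users", "bob"], "user": {"id": "bob", "roles": []}}
}
```

The same policy file can be served by an OPA sidecar or an Envoy/ingress integration; the service only ships the request document as `input` and acts on the `allow` decision, which is what keeps authorization logic out of each microservice's code.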
OPA and Rego set a universal standard for policy and authorization in the cloud. With a single language deployed and hardened by the CNCF community, engineers can implement strong access controls in a fraction of the time it would take to build them themselves. Additionally, OPA future-proofs those implementations: as access control requirements change, engineers can easily meet the evolving requirements, whether they stem from architecture, data dependencies or the policy logic itself.
Two years after creating OPA, Styra donated it to the Cloud Native Computing Foundation (CNCF), where it reached graduation status in 2021. OPA is the CNCF’s 15th open source project to graduate and the first focused entirely on authorization. It has over 120 million downloads and is currently helping many well-known enterprises solve authorization at scale.
Best practices before starting your OPA journey
Before diving headfirst into OPA, you will want to start with these best practices to set yourself up for success:
- Focus on a single use case: Embracing a new paradigm such as a policy engine may seem daunting at first, but by starting small you can quickly grow your expertise. When first working with OPA, pick a specific use case to solve, like Terraform risk management, microservice authorization or Kubernetes admission control. Become comfortable with that solution, learn from it and only then, continue your journey toward securing your cloud-native stack.
- Establish ownership: Make sure your OPA investment survives the tenure of its champions. Be sure to establish a sustainable framework with ownership across the policy management lifecycle, which includes policy authoring, testing, deploying, enforcing and ongoing monitoring. Realize that there may be many stakeholders involved in the policy lifecycle (like developers, product managers, operations, security and compliance professionals), but your framework should establish a clear owner for each step of the process. This also makes it easy to onboard new employees and software.
- Engage with the OPA community: OPA would not be what it is today without the open-source community. Take advantage of forums like GitHub and Slack which have thousands of active members. Whether you ask a question or simply follow along with discussions, you’ll be sure to learn from a broad range of experts including the people who maintain OPA and those who have integrated OPA into both small and large enterprises.
Where to learn more
If you’re interested in learning more, there are many resources to help you get started with OPA and Rego:
- The Styra Academy: Interactive, free courses offered by the creators of OPA on how to build and enforce authorization policy across your cloud-native stack.
- OPA Slack Workspace: Engage with the OPA community for day-to-day conversations related to OPA, Rego and authorization policy.
- Getting Started with OPA: Step-by-step instructions on where to access OPA and how to get started.
- The Rego Playground: An interactive environment where users can learn, develop and share Rego policies entirely in a web browser.
- SugarCRM, Atlassian and Netflix OPA case studies: Three stories of how successful OPA adopters used OPA to solve critical security challenges.
OPA has a proven track record of helping hundreds of companies solve authorization in the cloud and is quickly becoming the standard building block for policy creation. By embracing a standard, efficient policy language, you and your team can benefit from faster policy implementation, stronger application security and time back to focus on innovation.
This article originally appeared in the Container Journal on February 8, 2022.