Introduction to Open Policy Agent

What Is Open Policy Agent?

Open Policy Agent is a project which allows you to implement fine-grained access control. It is written in Go and is part of the Cloud Native Computing Foundation as an incubating project. Its source code is available publicly under the Apache License 2.0.

Why Use OPA?

Policy-making has been implemented with various frameworks in the past (have a look at the AWS policies for an example). OPA attempts to unify these different approaches and allows you to use the same tool for policy-making across your different services.

Who Uses OPA?

OPA can now be used with Kubermatic Kubernetes Platform. Additionally, companies and projects like Docker, Istio, Kafka and Terraform use OPA to implement their policy decision making. There are tutorials on the OPA website showing you how to implement decision making with these products. We will show how to use Kubermatic Kubernetes Platform with OPA in our next tutorial.

What Are the Basic Components of OPA?

OPA lets you define policy as source code. The language used within OPA is Rego, OPA’s native query language. Decision making with OPA consists of three components:

  • Data: The first component is all the information about your domain that OPA will use to make decisions. For example, it might be a list of users or a list of endpoints.
  • Query Input: The second element is the question your application sends to OPA. It must be formatted in JSON. The question might effectively be, for example, “is the user X authorized to access ressource Y?”
  • Policy: The final component is the policy which OPA uses to make a decision and return the result to you. It might be a simple “yes” or “no.” Note that you still have to implement your application’s response to the policy yourself; i.e. if the user is not authorized, it is your responsibility to implement the resulting notification.

Which APIs Are Part of OPA?

You can use the following APIs within OPA:

  • Bundle service API: This is what you use to send policy data to OPA. OPA constantly checks it to ensure the current policy version is up-to-date.
  • Status service API: This is what you use to determine the current status of the service.
  • Decision log service API: This is the logging component which records every decision made by OPA. It is particularly useful for troubleshooting.

What We Have Learned So Far

  • OPA is a project to unify policy decision making across your services
  • It defines policy as code
  • It has its own language, Rego
  • We have seen an overview of the building blocks of OPA and its main APIs

See Our Next Tutorial for Information on These Topics

  • Using OPA with a Kubermatic Kubernetes Platform (KKP) cluster
  • The project Gatekeeper and how it simplifies working with OPA
  • How to audit pre-existing resources
  • Where to find additional resources
Irina Lindt

Irina Lindt

Software Engineer