Regulations with the Open Policy Agent – No more than permitted

Every application that is accessed by more than one user must answer the crucial question: Is this user really allowed to perform the desired action? A role model usually defines what a user is allowed to do in software. However, this poses numerous challenges, particularly in the cloud or for infrastructure-as-code. Admins can control user rights more flexibly with the free Open Policy Agent.

Infrastructure-as-code (IaC) has proven the value of declarative, machine-readable code, so it makes sense to apply the same idea to security and in particular to the writing of policies. With this approach, companies attempt to enforce rules across an organization in a scalable manner. The Open Policy Agent (OPA) project [1], which is backed by the start-up company Styra, is a representative of this genre that has recently received increasing attention. OPA is a general-purpose policy engine that enables the uniform, context-aware enforcement of policies across the entire stack.

Open Policy Agent at a glance

OPA is hosted by the CNCF (Cloud Native Computing Foundation) – the organization that also hosts Kubernetes. OPA is designed for cloud-native environments and combines the relatively easy-to-learn and easy-to-read policy language “Rego” with a policy model and an API. This provides a kind of universal framework for applying rules to all types of stacks. One of the major advantages of OPA is thus the decoupling of security policies from application code: the policies remain valid and enforceable regardless of how often the code changes.

Technically, OPA operates on input data. As soon as this data is available, the OPA policy decides how to deal with the corresponding input (e.g. allowing or prohibiting an action with an allow/deny policy). Another advantage is the fact that OPA processes input and output in both JSON and YAML format, meaning that IT managers do not have to adhere to a predefined API. Overall, this makes writing rules relatively easy – OPA also provides a REPL, i.e. interactive, shell-based evaluation of policy code. It is also practical that you do not have to write all the policies yourself, as there are already ready-made policy bundles on the Internet for many use cases, which contain a useful, predefined set of rules. There is both a freely accessible Playground and a free Styra Academy for practicing.
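The following Rego policy is an added example that is not part of the original article; it illustrates the allow/deny decision described above. It assumes a constructed JSON input of the form `{"method": "GET", "path": ["users", "alice"], "user": "alice", "roles": ["dev"]}`, where `method`, `path`, `user` and `roles` are field names chosen for this example and would be supplied by the calling application (an API gateway, for instance). The package name `httpapi.authz` is likewise an assumption.

```rego
package httpapi.authz

import rego.v1

# Default-deny posture: unless a rule below explicitly sets allow to true,
# the decision is false.
default allow := false

# A user may read their own record, i.e. GET /users/<their own user name>.
# input.path is assumed to arrive already split into path segments.
allow if {
    input.method == "GET"
    input.path == ["users", input.user]
}

# Members of the "admin" role may perform any action.
allow if {
    "admin" in input.roles
}

# Unit tests for the policy (run with `opa test`). The inputs below are
# constructed sample requests, not data from the article.
test_owner_can_read_own_record if {
    allow with input as {"method": "GET", "path": ["users", "alice"], "user": "alice", "roles": ["dev"]}
}

test_other_users_record_is_denied if {
    not allow with input as {"method": "GET", "path": ["users", "bob"], "user": "alice", "roles": ["dev"]}
}

test_admin_may_write if {
    allow with input as {"method": "DELETE", "path": ["users", "bob"], "user": "carol", "roles": ["admin"]}
}
```

Saved as `policy.rego`, the tests run with `opa test policy.rego`, and a single decision can be queried against an input file with `opa eval -i input.json -d policy.rego "data.httpapi.authz.allow"`. The default-deny rule is the security-relevant part: a request that matches no rule, or an input missing the expected fields, evaluates to `false` rather than to an undefined result that a caller might misinterpret.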

Read the entire article in the IT-Administrator archive

Author

Dr. Guido Söldner

Managing Director

Guido Söldner is Managing Director and Principal Consultant at Söldner Consult. His areas of expertise include cloud infrastructure, automation and DevOps, Kubernetes, machine learning and enterprise programming with Spring.