What is Open Policy Agent and how do you use it in cloud-native environments?

What is Open Policy Agent and how do you use it in cloud-native environments?

Open Policy Agent (OPA) helps you to increase application security and to reduce the risk of unauthorized access to sensitive data even in case of a breach of the application. 

It achieves this by simplifying access authentication and authorization within the application architecture, which in turn secures internal communication and access.

Many multinational corporations are using Open Policy Agent in their IT operations to establish, validate and enforce access control and security policies across the architecture of the application, thus allowing them to customize and strengthen security strategies for the application.

Why should Open Policy Agent matter to your business?

Take, for instance, edge security, which is used to protect corporate resources, users, and apps at the “edge” of your company’s network, where sensitive data is highly vulnerable to security threats. The edge security model trusts all internal communication and checks a user identity only at an ingress API-Gateway.

With Open Policy Agent it is possible to plug this gap by building a distributed authorization as close to a data source as possible without having to build the authorization logic directly into services. That increases security at every level of your application.

Here’s how major enterprises are using OPA

  • Goldman Sachs uses Open Policy Agent to enforce admission control policies in their Kubernetes clusters as well as for provisioning Role-based access control and Quota resources central to their security.

  • Google Cloud uses Open Policy Agent to validate configurations in several products and tools including Anthos Config Management and GKE Policy Automation.

  • Netflix uses Open Policy Agent to enforce access control in microservices across languages and frameworks in their cloud infrastructure and to bring in contextual data from remote resources to evaluate policies.

But what is OPA, exactly?

Open Policy Agent (OPA) is a tool that helps you write and test policy-as-code for Kubernetes to improve operational efficiency and promote scalability and repeatability. OPA decouples policies from application configurations and provides policy-as-a-service. Since this engine unifies policy enforcement across the stack, it allows security, risk, and compliance teams to adopt a DevOps methodology to express desired policy outcomes as code as well as offload policy decision-making from software. Created by Styra, and now part of the Cloud Native Computing Foundation (CNCF) alongside other CNCF technologies like Kubernetes and Prometheus, OPA is an open source, general-purpose policy engine. 

When and How can OPA be used to improve your IT Ops?

Infrastructure Authorization

You can use make all elements of your application infrastructure more secure using OPA.

OPA enforces and monitors security policies across all relevant components. For instance, you can centralize compliance across Kubernetes and application programming interface (API) gateways. 

With Open Policy Agent, you can add authorization policies directly into the service mesh, thereby limiting lateral movement across a microservice architecture. That way, since authorization is required at entry to every microservice, improper access to one microservice does not necessarily compromise others.

(You can learn more about Service Mesh and how it can help you with cluster security here and here.)

Admission Controller

You can control admission to your resources by working with an OPA-powered Gatekeeper.

Azure Gatekeeper and other Kubernetes policy controllers work with OPA to allow you to define policy to enforce which fields and values are permitted in Kubernetes resources. They can mutate resources. 

A common example of a mutation policy would be changing privileged Pods to be unprivileged, or setting imagePullPolicy to Always for all Pods. When you’re able to mutate resources server-side, it’s a really easy way to enforce best practices, apply standard labeling, or simply apply a baseline security policy to all resources.

Azure Gatekeeper for example is a Kubernetes policy controller that allows you to define policy to enforce which fields and values are permitted in Kubernetes resources. It operates as a Kubernetes admission controller and utilizes Open Policy Agent as its policy engine to ensure resources are compliant with policy before they can be successfully created.

Application Authorization

With the level of automation OPA provides, your team can make changes with the confidence that access authorization will remain accurate. 

Since Open Policy Agent uses a declarative policy language that lets you write and enforce rules, it comes with tools that can help integrate policies into applications as well as grant end users permissions to contribute policies for tenants. This enforces policies across organizations for end-user authorization with the OPA deciding level of user access in the application.

Open Policy Agent is also used to resolve problems around service-level authorization to control who can do what at different parts of the stack. 

What are the advantages of using OPA?

The OPA policy improves operational efficiency, allows for virtually unlimited scalability, eases interpretation, offers version control, and ensures repeatability. It essentially provides a uniform, systematic means of managing policies as well as auditing and validating them to avoid the risk of introducing critical errors into production environments. That’s because in Kubernetes, policies are best defined in code and OPA allows you to write and validate policy-as-code. 

By leveraging code-based automation instead of relying on manual processes to manage policies, your team can move more quickly and reduce the potential for mistakes due to human error. At the same time, your application architecture remains absolutely secure. Want to know more about how OPA can make your business more efficient? Contact us at Akku.