Implement a policy and use it in CLI
Execute your own Rego rule as CLI command with opactl
Policy in everyday life & everyday task
What is a policy? In short, policy enforces some rules on people or things.
Often, we are under some sort of policy in everyday life. For example, when you want to graduate from a school, you need to achieve some level of scores from courses and tests. In other cases, we need a ticket to enter a theater for enjoying a movie. We need to wait in line to use a crowded public restroom.
Sometimes, we create policies by ourselves. For example, we create a rule for everyday life. For example, in order to go on a diet, we create a limit of calories in one day. In order to keep the budget healthy, we create a limit on expenses in one day.
In summary, the policy is a thing that we are living with and also a thing that we create by ourselves.
As engineers, we need to develop software, test it, and release it. We create configuration data, test data, and so on. We need policies for such tasks…
- We need to maintain resource utilization within a quota to prevent cost rise.
- We need to create a configuration YAML file that meets specific security criteria.
Policy can be written in Rego easily
Open Policy Agent (OPA) is a policy engine and Rego is a language to define policy.
https://www.openpolicyagent.org/docs/latest/
“The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack.”
A policy written in Rego looks like this. A rule consists of multiple conditions (= each line) such as endswith(file, input.extension) . Here is an example.
search = { file |
file := __file_list[_]
endswith(file, input.extension)
contains(file, input.word)
}This rule checks if file names meet some criteria.
__file_list has a list of file names. endswith checks the file name ends with a specified extension extension, for example .yaml . Next, contains checks the file name has another pattern specified by word . Finally, the rule search returns true or false as the check result.
If we can use the power of rules in CLI, it would be very useful.
Execute Rego from CLI
opactl, command line tool, extends OPA and Rego capability to CLI.
If you have your own rules, opactl turns them into CLI commands automatically. For example, when we have search rule which was explained above, opactl can read it and makes the following subcommand automatically.
opactl search
opactl can generate many subcommands at once. As many rules as you have, opactl detects all rules like
opactl rule1
opactl rule2 (subcommand)
opactl rule3 rule31 ... (subsubcommand is also available)After adding your rule, you don’t have to compile or do any other task. All you need is to put your policy file, and run opactl. opactl always detects the latest rules you created.
You can set parameters extension and word with -p flag. The output from ls command is transferred to opactl by pipe. opactl uses the transferred data in the above rule. Then, the output of rules appears finally.
In order to install opactl, you need to get the above repository and run these commands (the last line should be dependent on your environment..)
git clone https://github.com/onelittlenightmusic/opactl
cd opactl
go build
sudo cp opactl /usr/local/bin/After installation, you can investigate how to use opactl with examples.
$ opactl examples helpHelp generation
If you have a rule myrule , I recommend you create another __myrule rule and store description text in this one. After that, opactl detects this description and generates help text automatically. For example,
__search = "Check file name with extension (.yaml) and word (\"index\" etc)"# METADATA
# description: search rule
search = { file |
file := __file_list[_]
endswith(file, input.extension)
contains(file, input.word)
}
When you add the first line, opactl search help generates this help description. In this description, your __search text appears in the third line. (In the future, OPA will enhance annotation capability. So, opactl will align to the annotation later.)
Great job. You created your own CLI command from your Rego rule.
Shortcut every move with completion
In addition to that, auto completion is supported in bash and zsh environments. Only the following command will generate the required scripts for each environment.
opactl completion [zsh|bash]After that, you can just type <tab> to call completion. If you type just opactl <tab> , you will see all subcommands. Note that your help description is shown here as well so that you can choose the right subcommand.
When you type opactl s<tab>, you get quickly opactl search .
Please find the details in README in Github repository.
Summary
opactl extends Rego capability to CLI environment and integrates with existing commands. opactl don’t need you to recompile. Just putting your rule files and running opactl, is all you need.
OPA and Rego are being developed very actively by community. Community works are listed in this awesome list. I would like to thank all of the great community.
