WWWWW — OPA
The goal of this article is to explain:
- What OPA is
- Why it's important now
- When we can leverage it
- Where it's required
- Who can leverage it
What is OPA?
It is an open-source policy agent. It decouples policy definition and policy decision-making from the application stack. Policies are written in Rego (shown below) and evaluated against JSON input, and decision-making is purely declarative.
Why is it important now?
Now that systems are built from distributed components, multiple platforms and polyglot services, the old model of controlling policy in one centralized place is getting harder, more time-consuming and less agile. Policy enforcement can now be done in a distributed-computing fashion without sacrificing resilience, availability or performance.
When can we leverage it?
Policies are required at almost every stage of the SDLC: code, deployment, auditing and security all need policy checking and policy enforcement. Now all of these key areas can use one principle and one model to achieve 100% of the expected security.
Where is it required most?
- Docker: are my images the latest and greatest, so that they are less vulnerable?
- EC2: do my EC2 instances have the right security groups?
- GCP: image binary checks and labels.
- HTTP role checking: when roles are strict and growing more granular.
- DevOps: removing hard-coded rules from the Jenkinsfile.
- UI: as a feature-flag product and A/B-testing enabler.
- Multi-cloud auditing (AWS / GCP / Azure): looking for tags and enforcing them.
Who can leverage it?
AWS tag check, without AWS-specific tools, if you are multi-cloud. Example: here we look for a costcenter tag on a Lambda function.
Rego:
```rego
package aws.lambda

deny[msg] {
    value := input.Tags.costcenter
    # Check if the tag value is formatted correctly.
    not startswith(value, "dept-")
    msg := sprintf("Costcenter code must start with `dept-`; found `%v`", [value])
}
```
Sample Lambda tag input:
```json
{
  "Tags": {
    "costcenter": "dept-1",
    "owner": "teamA"
  }
}
```
DevOps check:
```rego
package kubernetes.validating.images

deny[msg] {
    input.request.kind.kind == "Pod"
    # Iterate over every container in the Pod spec.
    some i
    image := input.request.object.spec.containers[i].image
    not startswith(image, "breakitdown.com/")
    msg := sprintf("Image '%v' comes from untrusted registry", [image])
}
```
JWT/roles check:
```rego
package app.rbac

# By default, deny requests.
default allow = false

# Allow the action if the user is granted permission to perform the action.
allow {
    # Find grants for the user.
    some grant
    user_is_granted[grant]

    # Check if the grant permits the action.
    input.action == grant.action
    input.type == grant.type
}

# user_is_granted is a set of grants for the user identified in the request.
# The `grant` will be contained if the set `user_is_granted` for every…
user_is_granted[grant] {
    some i, j
    # `role` assigned an element of the user_roles for this user…
    role := data.user_roles[input.user][i]

    # `grant` assigned a single grant from the grants list for 'role'…
    grant := data.role_grants[role][j]
}
```
How can you run the OPA agent?
Running it in Docker is the simplest way; otherwise run it as a script, for testing purposes.
How can you create/test an OPA policy quickly?
Every cloud provider has different tools, but when your organization is going multi-cloud, separating out the policy checker as a platform-agnostic component is a must, in my opinion.
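One quick way to test the Lambda tag policy above is an OPA unit-test file; this is an added example, not code from the original post. It assumes the policy is saved as `lambda.rego` and this file as `lambda_test.rego` in the same directory, uses the same pre-1.0 Rego syntax as the page's policies, and constructs its own sample inputs.

```rego
package aws.lambda

# Constructed sample inputs for the policy under test.
well_formed := {"Tags": {"costcenter": "dept-1", "owner": "teamA"}}
malformed := {"Tags": {"costcenter": "finance", "owner": "teamA"}}
untagged := {"Tags": {"owner": "teamA"}}

# A correctly prefixed costcenter produces no deny message.
test_dept_prefixed_costcenter_is_allowed {
    count(deny) == 0 with input as well_formed
}

# A costcenter without the `dept-` prefix is denied with the exact message
# the policy builds via sprintf.
test_unprefixed_costcenter_is_denied_with_message {
    deny["Costcenter code must start with `dept-`; found `finance`"] with input as malformed
}

# Caveat: `value := input.Tags.costcenter` is undefined when the tag is
# absent, so the rule body never succeeds and nothing is denied. A Lambda
# with no costcenter tag at all passes this policy. Closing that gap needs
# a second rule, e.g. `deny[msg] { not input.Tags.costcenter; msg := "..." }`.
test_missing_costcenter_tag_is_not_denied {
    count(deny) == 0 with input as untagged
}
```

Run `opa test -v .` in that directory, or without a local install `docker run --rm -v "$PWD":/policies openpolicyagent/opa test -v /policies` (on OPA 1.0 and later add `--v0-compatible`). The third test documents that the page's rule does not deny a Lambda that carries no costcenter tag at all.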