Managing compliance across cloud-native systems was never easy. Today, with more developers employing AI/ML tools and coding assistants, IT and security leaders need robust solutions to streamline and future-proof code security and regulatory compliance.
One way to achieve compliance and maintain code security over time is to use policies to automate enforcement through code, also known as Policy-as-Code (PaC). As many as 96% of technical decision-makers say policy-as-code practices are vital for secure and scalable cloud software.
The most straightforward (and potentially cheap) approach to implementing policy-as-code is to use Open Policy Agent at the heart of your policy-driven decision-making processes.
What is Open Policy Agent, and how does it work?
Open Policy Agent is an open-source policy engine recently graduated by the Cloud Native Computing Foundation (CNCF). Developed by the community and maintained by Styra, the OPA project aims to offer a unified framework to define, manage, and enforce policies through policies-as-code (PaC) across the technology stack layers of cloud-native applications.
OPA policies use a declarative high-level language---Rego ---specifically designed to implement policy-as-code. With Rego, you can define, implement, and enforce policies for K8s, CI/CD pipelines, API gateways, and microservices. Other alternatives to Rego are available, such as Hashicorp, Sentinel, and Cedar, so you can choose the option you are most comfortable with.
One of OPA's key features is decoupling policy decision-making from policy enforcement. It functions as a service that can evaluate inputs against your pre-defined policies and tag each input as passing or failing. Then, it delivers the authorization decision to the integrated application for enforcement policy violation handling, thereby strengthening cloud application security.
Alternatives to Open Policy Agent include Hashicorp Sentinel, AWS Cedar, and Google Zanzibar.
Why use Open Policy Agent?
Flexible, collaborative, and reusable
Open Policy Agent can build policies and rules around structured hierarchical data (like YAML and JSON) using purpose-built Rego language, primitives, and built-ins customized for concise policy authoring. OPA can be deployed as a daemon, embedded as a library, or run from the CLI, and you can use a massive selection of built-in functions. These make OPA exceptionally adaptable to most cloud-native systems today.
There are many use cases for OPA across cloud-native systems (some of which we'll discuss later in this post). Still, OPA's general-purpose nature allows organizations to use it as a single policy enforcement tool across their stack---from infrastructure to Kubernetes admission control. Moreover, teams can create and reuse standard policy templates, collaborate, and share best practices across projects and environments.
Open source
OPA is an open-source project licensed under the Apache 2 license that allows anyone to read and change the source code to suit their needs for any application. In addition, since several companies use OPA as part of their service and product offerings, you can rest assured that the code is maintained by professionals. Open source also means it's free and doesn't tie you into a system-wide dependence on any particular vendor.
Cloud-native and lightweight
OPA is exceptionally lightweight since it was built and designed to run in cloud-native and containerized environments. This makes the Open Policy Agent especially suited for highly distributed systems (like securing serverless workloads and microservice-based architectures).
It's also worth noting that OPA recently graduated as a project within the CNCF (Cloud Native Computing Foundation), aligning it with trusted open-source cloud-native projects like Prometheus and Kubernetes.
Thriving ecosystem
The Open Policy Agent project's popularity, flexibility, and permissive OSS license have attracted individual developers and organizations to create an extensive ecosystem with over 50 integrations for languages and tools.
Compliance and auditing
Clearly and explicitly defined policies serve as a version-controlled and auditable record of changes that satisfy compliance audit requirements. They can serve as a documentation suite of infrastructure, application configuration, and management guidelines.
5 use cases for using Open Policy Agent
Where can you leverage OPA to enhance the security of your cloud-native systems, and how? There are numerous use cases for Open Policy Agent in cloud-native systems, and here are four notable ones:
1. Kubernetes Admission Control
Some of the most common applications of Open Policy Agent are authentication in Kubernetes workloads, clusters, containers, and service mesh deployments. Specifically, OPA is often used to enforce admission control policies.
The most effective way to integrate OPA with Kubernetes is to use OPA Gatekeeper, a dynamic admission controller. It lets you enforce the admission policies of your K8s resources at the admission stage to ensure that any resources created or modified comply with your pre-configured policy.
OPA Gatekeeper is a Kubernetes admission controller webhook that intercepts requests to create, update, or delete a K8s resource. The OPA then evaluates the request against your policies; the output is a decision to allow or deny the request.
For example, if we wanted to ensure that all our pods have set resource limits, our Rego code would look like this:
package k8srequiredresourcelimits
deny[msg] {
input.request.kind.kind == "Pod"
not limits_defined(input.review.object.spec.containers)
msg := "All containers must have resource limits defined."
}
limits_defined(containers) {
container := containers[_]
container.resources.limits.cpu
container.resources.limits.memory
}
2. API Authorization and Least Privilege Access
Another use case for OPA is implementing least privilege access for APIs, microservices, and gateways. When integrated with your data access layer, OPA enables you to define and enforce fine-grained API authorization, ensuring that only authorized accounts can access specific endpoints based on your custom policies.
For example, a typical Rego policy for access authorization based on role and path would look something like this:
package example.authz
default allow = false
allow {
input.user.role == "admin"
}
allow {
input.user.role == "user"
input.action == "read"
input.path == "/public"
}
allow {
input.user.role == "user"
input.action == "write"
input.path == "/user-area"
}
3. Infrastructure as Code (IaC) Security
You can integrate OPA with most IaC tools used today to enforce security and compliance policies on infrastructure configuration within your CI/CD pipeline. You can easily incorporate OPA with Terraform using an open-source extension to evaluate each configuration for specific security vulnerabilities, risks, and non-compliance.
For example, to disallow public S3 buckets, the policy in Rego would be:
package terraform.s3
deny[message] {
resource := input.resource_changes[_]
resource.type == "aws_s3_bucket"
resource.change.after.acl == "public-read"
message := sprintf("Public S3 buckets are disallowed: %s", [resource.address])
}
deny[message] {
resource := input.resource_changes[_]
resource.type == "aws_s3_bucket"
resource.change.after.acl == "public-read-write"
message := sprintf("Public S3 buckets are disallowed: %s", [resource.address])
}
4. CI/CD control engine
An excellent example of using Open Policy Agent as a control engine (as demonstrated by our own David Melamed at the DevSecOps Conference) is helping reduce alert fatigue from various security tools. You can do this by using OPA to filter out security scan findings that don't require enforcement or a "control decision"---for example, whether or not to fail a build or block a deployment based on the tool's findings.
5. Compliance and Regulatory Requirement Enforcement
Because Open Policy Agent is versatile and reusable, it can be invaluable in maintaining consistent compliance throughout the software development lifecycle. It provides real-time enforcement of policies that prevent non-compliant changes, integrates with existing DevOps tools, and provides you with detailed audit logs for compliance monitoring and audits.
For example, the Rego code below enforces compliance with HIPAA and ensures that all databases are encrypted.
package compliance.hipaa
deny[{"msg": msg}] {
resource := input.resource_changes[_]
resource.type == "aws_db_instance"
not resource.change.after.storage_encrypted
msg := sprintf("Database %s must be encrypted to comply with HIPAA", [resource.address])
}
6. OPA Policy Testing
Last but not least, you should test your OPA policies to ensure they work correctly. Of course, CI/CD pipelines and version control are critical to testable OPA policies. However, you can write unit tests for your OPA policies in Rego using the aptly named function test. For example, to test an access control OPA policy, your code would include unit tests like this:
package example.authz
test_admin_allowed {
allow with input as {"user": {"role": "admin"}, "action": "write"}
}
test_user_read_allowed {
allow with input as {"user": {"role": "user"}, "action": "read"}
}
test_user_write_denied {
not allow with input as {"user": {"role": "user"}, "action": "write"}
}
There are also plenty of tools out there that can help streamline OPA policy testing, some of which were developed by the OPA user community.
Policy enforcement automation and compliance with OPA and Jit
Open Policy Agent is a versatile and flexible tool for automating authorization processes in your cloud-based systems using policy-as-code. It has numerous applications, from K8s admission control to IaC security, and offers a proven and robust framework for policy-based decision-making in cloud-based systems and applications.
OPA is not a tool that works in a vacuum but is integrated with other tools, solutions, and middleware to deliver value. When it comes to streamlining application and IaC security testing, OPA serves as an authorization automation engine that can facilitate higher efficiency in orchestrating DevSecOps tools with a solution like Jit, which provides a scalable platform for managing all things security across your CI/CD pipeline in one developer-friendly environment. Explore Jit here.