
An introduction to Open Policy Agent (OPA)

During one of our recent Tech Fridays, focused on Cloud Native Platforms, we dove into OPA, which is short for Open Policy Agent. Sounds fancy, but I had never heard of it before.

The event was hosted by our colleague Peter Macdonald. When Peter was introduced to OPA at KubeCon last May, he realized that security deserves more focus in our sector. Currently, Peter is exploring practical applications of OPA. His enthusiasm resulted in him becoming a valued contributor to the OPA project.

So, what is OPA and why should you use it?

OPA is an open-source project created by Styra and now a graduated project of the Cloud Native Computing Foundation. Its goal is to give you one way of writing and enforcing policy across your stack, and it can be applied to a variety of systems: Kubernetes, Terraform, Docker, and many more. Policies are written in its own declarative language, Rego, and evaluated against JSON input such as a Kubernetes admission request or a Terraform plan. These policies can be applied over the whole stack, from application level to infra. In short, OPA decouples policy decisions from policy enforcement: the system that has to enforce a rule asks OPA for a decision, and OPA evaluates the Rego policy against the input it was given.

Now a bit about me, Robin Mohan, the person writing this short blog post. I work a lot with Kubernetes and OpenShift in my current client project. The first thing I wondered was: why would I use OPA? Users and groups already exist and we can manage their authorization through roles and role bindings. Isn’t that enough?

Open Policy Agent in practice

Well, I soon found out that I underestimated its significance. Right after Peter's presentation, we dove into some exercises. In pairs, we started deploying OPA as an admission controller in a Kubernetes cluster. The goal was to write and apply some policies written in Rego that restricted users from choosing any hostname for their ingress. This is exactly the gap that RBAC leaves open: roles and role bindings decide who may create an Ingress, but they cannot look inside the object, so an admission policy is needed to reject a hostname outside the allowed domain.

After that, we learned that we could limit workloads based on specific criteria and enforce labeling rules for workloads (for example, requiring a team or cost-center label) in order to attribute costs and keep the cluster in a healthy state. These use cases really show the value and importance of OPA.
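To make the two exercises above concrete, here is an added example of an OPA admission policy in Rego. It is not code from the original post or from the OPA project. It assumes OPA is deployed as a validating admission webhook that passes the Kubernetes AdmissionReview to the policy as `input` and reads the `deny` set from package `kubernetes.admission` (the layout used in the OPA Kubernetes tutorials), and it uses the `import rego.v1` syntax, which requires OPA 0.59 or newer. The allowed DNS suffix and the required label names are assumptions chosen for the example.

```rego
# Added example, not from the original post: an OPA admission policy for Kubernetes.
# Assumes OPA runs as a validating admission webhook that sends an AdmissionReview
# as `input` and that the webhook reads `deny` from this package.
package kubernetes.admission

import rego.v1

# Assumption: the only DNS suffix teams may use for ingress hostnames.
allowed_suffix := ".apps.example.com"

# Assumption: labels every Deployment must carry for cost attribution.
required_labels := {"team", "cost-center"}

# Rule 1: reject an Ingress whose host lies outside the allowed domain.
# (If a rule has no host at all, `host` is undefined and this rule does not
# fire; Rule 2 covers that case.)
deny contains msg if {
	input.request.kind.kind == "Ingress"
	input.request.operation in {"CREATE", "UPDATE"}
	some rule in input.request.object.spec.rules
	host := rule.host
	not endswith(host, allowed_suffix)
	msg := sprintf("ingress host %s is not under %s", [host, allowed_suffix])
}

# Rule 2: reject an Ingress rule without an explicit host, because a rule
# with no host matches every hostname reaching the ingress controller.
deny contains msg if {
	input.request.kind.kind == "Ingress"
	input.request.operation in {"CREATE", "UPDATE"}
	some rule in input.request.object.spec.rules
	not rule.host
	msg := "ingress rules must set an explicit host"
}

# Rule 3: reject a Deployment that is missing any of the required labels.
# The comprehension yields an empty set when metadata.labels is absent,
# so a completely unlabeled Deployment is reported as missing all of them.
deny contains msg if {
	input.request.kind.kind == "Deployment"
	input.request.operation in {"CREATE", "UPDATE"}
	provided := {l | input.request.object.metadata.labels[l]}
	missing := required_labels - provided
	count(missing) > 0
	msg := sprintf("deployment %s is missing required labels %v", [input.request.object.metadata.name, missing])
}
```

You do not need a cluster to try this: save an AdmissionReview as `admission.json` (for instance an Ingress with `host: shop.attacker.example`) and run `opa eval -d policy.rego -i admission.json 'data.kubernetes.admission.deny'`; an empty set means the request would be admitted, anything else is the list of reasons the webhook would return.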

In the beginning, we were not completely sure how OPA fit into Kubernetes. We asked for some help from another pair, but once we had installed it and written our first policies, it became much clearer. It even became really fun when we actually tested the policies.

Exploring new technologies together

I think fun is really the keyword during these Tech Fridays. It gives a lot of energy to sit down with a group of people and dive into cutting-edge technology. Because it is so cutting edge, we were really challenged to apply these new concepts, reflect on our own knowledge and learn from others. On top of that, for the first time, external people had been invited to our knowledge-sharing event. This was really a great opportunity to extend our knowledge to the outside world and bring the expertise and experiences of like-minded professionals inside.

Watch the KubeCon 2022 breakout on Open Policy Agent

More OPA resources for further discovery

Want to join our next Tech Fridays and dive into cutting-edge tech with us?

As Devoteam, we understand that thriving in the tech world means we need to discover new grounds continuously. Tech Enthusiasm is what binds us and what keeps us on the edge of innovation. Our Tech Friday sessions, where we dive into new stuff, are a prime example of our tech-driven culture. Jealous? Good. Come join us next time.