Open Policy Agent Graduates 🎓

It wasn’t that long ago (KubeCon 2018) that Open Policy Agent (OPA) was a Sandbox project, and now it's a CNCF graduate! OPA is a general-purpose policy engine with its own declarative language, Rego, so one policy-as-code toolchain can decide what and who gets into not only your cluster but the rest of your cloud native stack. One thing worth keeping straight from the start: OPA only makes the decision; the integration that queries it (an admission webhook, a proxy, a CI job) is what enforces it. In this week's issue we dive into why OPA exists, what problems it tackles, and of course some real world experiences and gotchas with the ecosystem that has formed around it.

Issue #120

Fuzzykb provides a great introduction to OPA that covers a bit of everything you need to get off to a good start. On the theory side it digs into the motivations behind the project; on the pragmatic side it gives a tangible use case and examples of tooling in the ecosystem. 🛡

This guide does an excellent job of laying out the different pieces you need when implementing OPA in your cluster. It touches on admission controllers, and gives examples of enforcing specific labels by namespace and limiting which registries your images can originate from. It also walks you through setting up your own constraints, and puts you in a position to start testing on your own clusters immediately. BONUS: how to use kube-mgmt (the sidecar that loads policies and Kubernetes resources into OPA) alongside OPA 🧩

The people that brought us OPA in the first place give us an update on adoption within the k8s ecosystem. Downloads are officially a hockey stick, large adopters (Intuit, Goldman Sachs, TripAdvisor) keep popping up daily, and other vendors are announcing integrations. Things are moving rapidly! 📈

Rego, OPA's policy language, lets you define policy as code. It is declarative (it descends from Datalog), has a straightforward syntax and a small set of built-in functions and operators, and is optimized for querying structured data such as JSON. The team over at Fugue has a great writeup of good practices for navigating Rego that brings you back to your CS days (tree navigation, references, comprehensions, etc.). One gotcha to keep in mind: Rego rules cannot be recursive, so walking a nested document means iterating over references (or using the walk built-in) rather than writing a rule that calls itself. 📄
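The registry allowlist and per-namespace label checks that the guide above describes, written as an added example in Rego for a plain OPA + kube-mgmt deployment (this is not code from the guide, the Fugue writeup or the OPA project). The registry names, the payments namespace and its required labels are hypothetical, and the AdmissionReview in the tests is constructed rather than captured. It also shows the navigation idioms from the Fugue writeup in practice: iterating with references and the _ wildcard, partial sets, and function rules instead of recursion. Two gotchas are handled that a first-cut policy usually misses: an image reference with no registry host defaults to docker.io, and a prefix check without a trailing slash accepts lookalike registries.

```rego
# Added example, not code from the guide or from the OPA project: a validating
# admission policy for a plain OPA + kube-mgmt deployment. Registry names and
# namespace/label requirements are hypothetical. Written in pre-1.0 Rego syntax
# (what Gatekeeper and the 2021-era docs use); on OPA 1.x run
# `opa test --v0-compatible .`
package kubernetes.admission

# Every allowlist entry ends in "/" on purpose: without it, startswith() would
# also accept a lookalike such as "registry.example.com.attacker.io/app".
trusted_registries := {"registry.example.com/", "gcr.io/example-project/"}

# Labels that every object admitted into a namespace must carry (hypothetical).
required_labels := {"payments": {"team", "data-classification"}}

# All images in a Pod. Init and ephemeral containers count too; a policy that
# only reads spec.containers can be bypassed through them.
images[img] { img := input.request.object.spec.containers[_].image }
images[img] { img := input.request.object.spec.initContainers[_].image }
images[img] { img := input.request.object.spec.ephemeralContainers[_].image }

# Docker's own rule: the first path segment is a registry host only when there
# is a "/" and the segment contains "." or ":" or is "localhost". "nginx:1.21"
# therefore has no registry and resolves to docker.io.
has_registry(img) {
    parts := split(img, "/")
    count(parts) > 1
    regex.match(`[.:]|^localhost$`, parts[0])
}

# Normalise before matching so bare Docker Hub references are judged like any other.
normalized(img) = img { has_registry(img) }
normalized(img) = out {
    not has_registry(img)
    out := concat("", ["docker.io/", img])
}

image_allowed(img) { startswith(normalized(img), trusted_registries[_]) }

deny[msg] {
    input.request.kind.kind == "Pod"
    img := images[_]
    not image_allowed(img)
    msg := sprintf("image %q is not from a trusted registry", [img])
}

deny[msg] {
    ns := input.request.namespace
    label := required_labels[ns][_]
    not input.request.object.metadata.labels[label]
    msg := sprintf("namespace %q requires label %q on %v/%v", [ns, label, input.request.kind.kind, input.request.object.metadata.name])
}

# Unit tests for `opa test`; the AdmissionReview below is constructed, not captured.
pod(ns, image) = review {
    review := {"request": {
        "kind": {"kind": "Pod"},
        "namespace": ns,
        "object": {
            "metadata": {"name": "app", "labels": {"team": "core"}},
            "spec": {"containers": [{"name": "app", "image": image}]},
        },
    }}
}

test_trusted_registry_allowed {
    review := pod("default", "registry.example.com/app:1.0")
    count(deny) == 0 with input as review
}

test_lookalike_registry_denied {
    review := pod("default", "registry.example.com.attacker.io/app:1.0")
    count(deny) == 1 with input as review
}

test_bare_image_is_docker_hub_and_denied {
    review := pod("default", "nginx:1.21")
    count(deny) == 1 with input as review
}

test_missing_label_in_payments_denied {
    review := pod("payments", "registry.example.com/app:1.0")
    deny["namespace \"payments\" requires label \"data-classification\" on Pod/app"] with input as review
}
```

Run it with opa test (on OPA 1.x add --v0-compatible). With kube-mgmt the file goes into a ConfigMap in the OPA namespace labelled openpolicyagent.org/policy=rego by default; you still need the small system.main rule from the OPA Kubernetes tutorial that turns the deny set into an AdmissionReview response, which is omitted here because a single Rego file can only hold one package.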

This article runs the gamut on OPA Gatekeeper. It briefly walks us through the design decisions behind Gatekeeper and then discusses ConstraintTemplates (the Rego plus a parameter schema) and the Constraints that instantiate them, as well as CI/CD integrations. Ggctwts does a good job of explaining the different use cases for OPA Gatekeeper and how to augment your existing workflows. 🚪
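A ConstraintTemplate and the Constraint that instantiates it, as an added example of the split the article describes (this is not code from the article or the Gatekeeper project; the template name, the payments namespace and the label rules are hypothetical). The template carries the Rego plus an OpenAPI schema for its parameters; the Constraint supplies the parameter values and the match scope, so the same template is reused per namespace without touching policy code.

```yaml
# Added example (not from the article or the Gatekeeper project): a Gatekeeper
# ConstraintTemplate and a Constraint that instantiates it. Names, namespaces
# and label rules are hypothetical.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabelvalues
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabelValues
      validation:
        # Schema for the Constraint's spec.parameters; Gatekeeper rejects a
        # Constraint whose parameters do not match it.
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string
                  allowedRegex:
                    type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabelvalues

        # Gatekeeper feeds the admitted object as input.review.object and the
        # Constraint's spec.parameters as input.parameters.
        violation[{"msg": msg}] {
          required := input.parameters.labels[_]
          not input.review.object.metadata.labels[required.key]
          msg := sprintf("missing required label %q", [required.key])
        }

        # allowedRegex is optional: when a parameter entry omits it, the
        # reference below is undefined and this rule simply does not fire.
        violation[{"msg": msg}] {
          required := input.parameters.labels[_]
          value := input.review.object.metadata.labels[required.key]
          not regex.match(required.allowedRegex, value)
          msg := sprintf("label %q value %q does not match %q", [required.key, value, required.allowedRegex])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabelValues
metadata:
  name: payments-must-be-classified
spec:
  enforcementAction: deny     # use "dryrun" or "warn" to audit before blocking
  match:
    kinds:
      - apiGroups: ["apps", ""]
        kinds: ["Deployment", "StatefulSet", "Pod"]
    namespaces: ["payments"]
  parameters:
    labels:
      - key: team
        allowedRegex: "^[a-z][a-z0-9-]+$"
      - key: data-classification
        allowedRegex: "^(public|internal|confidential|restricted)$"
```

In CI you can apply both manifests to a throwaway cluster, or evaluate candidate manifests against them offline with Gatekeeper's gator CLI, before anything reaches a real cluster. Start with enforcementAction set to dryrun so the audit controller reports violations without blocking deploys, then flip it to deny once the existing workloads are clean.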

2020 was a banner year for OPA and this article dives into the numbers and growth in the ecosystem. TL;DR: 29M downloads, 1,500 GitHub stars, 1,700 Slack users, 750 commits, expansion of management services, a whole bunch of tooling, and much more! Add CNCF graduation to the list for 2021! 🎉

Running containerd? Good news, nerdctl (the Docker-compatible CLI for containerd) is now an official containerd subproject!