Open Policy Agent
Last updated
Was this helpful?
1.2
Last updated
Was this helpful?
Open Policy Agent, "OPA" for short, is a lightweight and responsive framework that was developed to de-couple policy from your services' code, across your service mesh. The capabilities of OPA are far-reaching and we will run you through some of the most helpful functionalities that it offers.
Don't know how to get started with Open Policy Agent?
Add OPA into your Grey Matter service mesh with this !
Once OPA is added into your service mesh and policies are set in place, you are able to edit and delete these policies on the fly with OPA's REST API. It's as simple as creating or modifying a secret in your service mesh and shelling into the pod that contains your policy.
If you want to add a policy to a service pod, remove the current secret opa-policy you have. This can be done with:
This will allow our new policy to be available in the mesh. Now that we're in the same directory as our new policy, we can make that our new opa-policy secret with:
Now, we must shell into the Grey Matter sidecar of the pod we are working on. We will use this kubectl command to get a shell of the sidecar:
It is at this point where we can send policy edits through OPA's REST API. There are three HTTP methods that OPA's REST API has dedicated to editing policies:
PUT - Upload a new policy
PATCH - Edit an existing policy
DELETE - Delete an existing policy
Here is an example of how to upload a new policy through the sidecar using curl and the Rego policy file that we made into a secret:
Protecting your API and establishing authorized users is as simple as running OPA in your API pod and using the following methods to determine who gets what permissions.
Don't want to deal with the hassle of constantly uploading and deleting policies in your mesh to see if they work correctly?
The Rego library includes built in functions for JSON Web Token verification and signing. This gives the ability for OPA to be able to authenticate JWTs, interpret the payload information, and sign JWTs with your certificate.
There are several built-in JWT functions that Rego has in its arsenal, in order to work with JSON Web Tokens. The first step being to split the request strings into the raw token, then comparing it to a certificate, and finally extracting a payload, if necessary. As per the example, one can also utilize this to determine Role Based Access.
Rego also supports JWT Signing in two methods:
Raw: io.jwt.encode_sign_raw(headers, payload, key)
With a Symmetric / RSA key: io.jwt.encode_sign(headers, payload, key)
OPA offers even more control over your security and permissions system. Using OPA's Data API, you can hardcode in Access Control Lists that determine who is authorized to use your API and what permissions they have. These ACL's take the form of json documents that map out users and their individual permissions. Custom Rego policies can extract information from your ACL to help resolve decisions. Here is what one ACL might look like:
We would save this as something along the lines of api-permissions-acl.json. We would go about uploading these data documents the same way we edit policies: first, upload the file as a secret to the mesh, and then use the same PUT/PATCH/DELETE request style in the sidecar. However, the curl syntax is slightly different. We would point the curl to a different endpoint, we would use /v1/data/ instead. Uploading a new ACL data document would look as such:
And to invoke this data in our policy, we would use this include statement:
Test out your policies with test requests / data and check out tons of Rego Policy examples in the !
For instance, take this example HTTP request and Rego policy from the
Note More information on Rego's built in .
Here are two examples of how these functions would look (from ):
Note More information on Rego's built in .
Note More information on OPA's .