Sty -OPA - Rego : What is OPA

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 OPA is a general purpose policy engine .

All these software that we see on the right at some point of time understands that it needs a policy decision. 


So what it is does it cobles on whatever policy decision that it needs about as a policy query and hands that query over to OPA . And OPA makes the decision and returns into the service , it is the services responsibility to enforce that decision . It is OPA responsibility to make that decision. For example if that service was a kubernetes API server . Kubernetes will decide that some user is trying to create a new resource on it , POD or ingress lets say on the kubernetes cluster . Kubernetes would take that 100 or 500 line of code of JSON or YAMLthat describes the new resource the user trying to deploy on to the cluster and it will hand that entire JSON or YAML code to OPA - OPA will make a decision and return it to the Kubernetes API server and then the Kubernetes will go ahead and enforce that decision

The key thing here is that the Policy query can be any JSON value

OPA does not understand anything about Kubernetes or micro-services . It was designed to general purpose , meaning that OPA just sees JSON coming across and it then evaluates a policy to make a decision and return whatever decision the policy dictates . Now that's why OPA can be so easily used against all these cloud native software. OPA is not build into with a bunch of information of any one of them therefore, it can work with all of them. 

I when as a author write that Policy know what that JSON object represents that is coming in as input . so i can write the appropriate policy . I know what is a Kubernetes pod is or an ingress is so I can write that code. 

The policy language which we call Rego needs to be pretty flexible as well while we write our OPA code. for example if you want all containers in a Kubernetes must come from a trusted registry  

For micro-services most people use Network Proxy . All network traffic to microservice . There is a dedicated sub project within OPA called "Gatekeeper" for Kubernetes

OPA is also used for authorization

OPA for CI / CD pipeline called OPA Conftest

Who is On Call -- This information shall in injected in the Pager duty , OPA help you to extract this information from the pager duty and inject it into OPA. 

The policy decisions that can be returned is not limited to Allow or Deny or True or False , or 1's and 0's.

In fact any Policy decisions that can be returned can be any arbitrary json value for example if you want to write a policy for the computer to rate limit. You would want to return a number . If you want to write a policy to which cluster do you want to deploy an application to then you may be return an array of strings . 

  • One thing that we often do with OPA is return of structure of JSON object that has multiple field within it for example you might return a JSON object that has a bit that says whether or not this request is allowed . 
  • Another field what errors message are to be returned to the user. 
  • And may be another field that contains the HTTP code that gets returned. 


Lets see how this integration work. lets see the Microservices example which is lately called the Network Proxy Integration.











Comments

Post a Comment

Popular posts from this blog

Sty -OPA - Rego : Comparing and Constructing Values

Image
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  How to do some Equality Checks Equality Expressions : Array is above one , below is sets . Sets are sometimes surprising to people.     These two sets has got all the same element . The order in which they appear is Irrelevant and the number of times each of this appears is irrelevant.   There is another kind of Equality operator. The x in the first bracket , it finds x is not  the same as the one on the right and it assume x as variable and assigns the value 2 on the right to x on the left. Rego Build in Functions : Build in functions do a loads of comparisons and functions .
Read more

Sty -OPA - Rego : Basic Rego Rules

Image
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  Boolean Rules & Evaluation OPA Policy Authorization : Through out we will be using API policy evaluation . This is very simple use case and a common use case.  Boolean Rules : Remember that every rule is an IF statement . When you are going to write an IF statement you are going to assign a value . Multiple Rules : In all of those rules we were thinking of them in Isolation . But with OPA you can goahead and write multiple rule and if you do that you will end up with writing a logical OR. Even though you can write multiple . What happens when non of the Rules Succeed. Then the value of that rule is undefined. But in some cases you do not want the default "undefined" result and - if non of the rules succeed. default is_read = false This is achieved by defining the result as - false This says that non of the value s
Read more