
AWS API Gateway

The AWS API Gateway controls API traffic for your application running on AWS. OPA can be configured as an external authorizer for that Gateway to implement authorization policies on APIs.

Boomerang Bosun Policy Gating

Boomerang Bosun is a policy-based gating system that combines Policy Templates with Rules and data to validate Gates.

Ceph Object Storage Authorization

Ceph is a highly scalable distributed storage solution that uniquely delivers object, block, and file storage in one unified system. OPA provides fine-grained, context-aware authorization of the information stored within Ceph.

Kubernetes Admission Control using Vulnerability Scanning

Admission control policies in Kubernetes can be augmented with vulnerability scanning results to make more informed decisions. This integration demonstrates how to integrate Clair with OPA and run it as an admission controller.

Cloudflare Worker Enforcement of OPA Policies Using WASM

Cloudflare Workers are a serverless platform that supports WASM. This integration uses OPA's WASM compiler to generate code enforced at the edge of Cloudflare's network.

Conftest -- Configuration checking

Conftest is a utility built on top of OPA to help you write tests against structured configuration data.

Custom Application Authorization

Applications require authorization decisions made at the API gateway, frontend, backend, and database. OPA helps developers decouple authorization logic from application code, define a custom authorization model that enables end-users to control tenant permissions, and enforce that policy across the different components of the application (gateway, frontend, backend, database).

Library-based Microservice Authorization

Microservice authorization can be enforced through a network proxy like Envoy/Istio/Linkerd/... or by modifying the microservice code to use a common library. In both cases OPA makes the authorization decision that the network proxy or the library enforces.

HTTP API Authorization in Dart

This integration demonstrates how to leverage OPA to perform basic HTTP API authorization in a simple Dart microservice. OPA makes it possible to provide fine-grained context-aware authorization for each REST endpoint and access method.

Docker controls via OPA Policies

Docker's out-of-the-box authorization model is all or nothing. This integration demonstrates how to use OPA's context-aware policies to exert fine-grained control over Docker.

Elasticsearch Data Filtering

Elasticsearch is a distributed, open source search and analytics engine. This OPA integration lets an Elasticsearch client construct queries so that the data returned by Elasticsearch obeys OPA-defined policies.

Container Network Authorization with Envoy

Envoy is a networking abstraction for cloud-native applications. OPA hooks into Envoy’s external authorization filter to provide fine-grained, context-aware authorization for network or HTTP requests.

GCP audit with Forseti

Google Cloud provides a plethora of software as a service. Forseti, built using OPA, lets you run policy checks against the software resources on Google Cloud and remediate violations.

Gloo API Gateway

Gloo is an open-source Kubernetes-native ingress controller, and next-generation API gateway. OPA can be used to implement authorization policies for those APIs.

Gradle Build Plugin

A build plugin that adds various tasks to support using OPA as part of Gradle builds.

IPTables

IPTables is a useful tool available to the Linux kernel for filtering network packets. OPA makes it possible to manage IPTables rules using context-aware policy.

Container Network Authorization with Istio (at the Edge)

Istio is a networking abstraction for cloud-native applications that uses Envoy at the edge. OPA hooks into Envoy’s external authorization filter to provide fine-grained, context-aware authorization for network or HTTP requests.

Container Network Authorization with Istio (as part of Mixer)

Istio is a networking abstraction for cloud-native applications. In this Istio integration OPA hooks into the centralized Mixer component of Istio, to provide fine-grained, context-aware authorization for network or HTTP requests.

Jenkins Job Trigger Policy Enforcement

Jenkins automates software development processes. OPA lets you control which people and which machines can run which Jenkins jobs.

Kafka Topic Authorization

Apache Kafka is a high-performance distributed streaming platform deployed by thousands of companies. OPA provides fine-grained, context-aware access control of which users can read/write which Kafka topics to enforce important requirements around confidentiality and integrity.

API Gateway Authorization with Kong

Kong is a microservice API Gateway. OPA provides fine-grained, context-aware control over the requests that Kong receives.

Kubernetes Authorization

Kubernetes Authorization is a pluggable mechanism that lets administrators control which users can run which APIs and is often handled by built-in RBAC. OPA's policy language is more flexible than RBAC; for example, it allows writing policy using a prohibited list of APIs instead of the usual RBAC style of listing the permitted APIs.

Kubernetes Provisioning

Kubernetes automates deployment, scaling, and management of containerized applications. OPA decides which resources need to be created on k8s in response to a namespace being created.

Kubernetes Admission Control

Kubernetes automates deployment, scaling, and management of containerized applications. OPA provides fine-grained, context-aware authorization for application component configuration.

Secure Kubernetes using eBPF & Open Policy Agent

Ensure runtime security on any Linux machine by combining Extended Berkeley Packet Filter (eBPF) and Open Policy Agent.

SSH and Sudo Authorization with Linux

Host-level access controls are an important part of every organization's security strategy. OPA provides fine-grained, context-aware controls for SSH and sudo using Linux-PAM.

Minio API Authorization

Minio is an open source, on-premise object database compatible with the Amazon S3 API. This integration lets OPA enforce policies on Minio's API.

OpenFaaS Serverless Function Authorization

OpenFaaS is a serverless function framework that runs on Docker Swarm and Kubernetes. OPA makes it possible to provide fine-grained context-aware authorization on a per-function basis.

HTTP API Authorization in PHP

This integration demonstrates using OPA to perform API authorization in a PSR-15 compliant framework.

Spinnaker Pipeline Policy Enforcement

Spinnaker is a Continuous Delivery and Deployment tool started by Netflix. OPA lets you configure policies that dictate what kinds of Spinnaker pipelines developers can create.

Authorization for Java Spring Security

Spring Security provides a framework for securing Java applications. This integration provides a simple implementation of an AccessDecisionVoter for Spring Security that uses OPA for making API authorization decisions.

SQL Database Data Filtering

This integration enables the client of a SQL database to enhance a SQL query so that the results obey an OPA-defined policy.

Kubernetes Sysdig Image Scanner Admission Controller

Sysdig’s OPA Image Scanner combines the Sysdig Secure image scanner with OPA's policy-based Rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision.

Terraform Authorization

Terraform lets you describe the infrastructure you want and automatically creates, deletes, and modifies your existing infrastructure to match. OPA makes it possible to write policies that test the changes Terraform is about to make before it makes them.

Traefik API Gateway

The Traefik API Gateway is open-source software that controls API traffic into your application. OPA can be configured as a plugin to implement authorization policies for those APIs.
