Kubernetes Overview & Architecture Policy Primer via Examples Tutorial: Ingress Validation Debugging Tips
Other Use Cases Docker HTTP APIs Kafka SSH and sudo Terraform Envoy
Operations Management APIs Configuration Deployment Monitoring Security Privacy
Miscellaneous WebAssembly OAuth2 and OpenID Connect EcosystemEditor and IDE Support Comparison to Other Systems FAQ Rego Playground
Support Enterprise and Commercial
Kubernetes Admission Control
Kubernetes Admission Control
Kubernetes automates deployment, scaling, and management of containerized applications. OPA provides fine-grained, context-aware authorization for which application component configuration.
Inventors
Code
Tutorials
- https://www.openpolicyagent.org/docs/kubernetes-admission-control.html
- https://katacoda.com/austinheiman/scenarios/open-policy-agent-gatekeeper
Videos
- Securing Kubernetes With Admission Controllers - Kubecon Seattle 2018
- Dave Strebel - Microsoft
- Using OPA for Admission Control in Production - Kubecon Seattle 2018
- Zach Abrahamson - Capital One
- Todd Ekenstam - Intuit
- Liz Rice Keynote - Kubecon Seattle 2018
- Liz Rice - AquaSecurity
- Intro to Open Policy Agent Gatekeeper - Kubecon Barcelona 2019
- Policy Enabled Kubernetes and CICD - OPA Summit at Kubecon San Diego 2019
- Jimmy Ray - CapitalOne
- TripAdvisor: Building a Testing Framework for Integrating OPA into K8s - OPA Summit at Kubecon San Diego 2019
- Luke Massa - TripAdvisor
- Enforcing automatic mTLS with Linkerd and OPA Gatekeeper - Kubecon San Diego 2019
- Enforcing Service Mesh Structure using OPA Gatekeeper - Kubecon San Diego 2019
- Sandeep Parikh - Google
- TGIK: Exploring the Open Policy Agent -
- Joe Beda - VMware
Blogs
- https://medium.com/@sbueringer/kubernetes-authorization-via-open-policy-agent-a9455d9d5ceb
- https://medium.com/@jimmy.ray/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
- https://blog.openpolicyagent.org/securing-the-kubernetes-api-with-open-policy-agent-ce93af0552c3
- https://itnext.io/kubernetes-authorization-via-open-policy-agent-a9455d9d5ceb
- https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
- https://blog.openshift.com/fine-grained-policy-enforcement-in-openshift-with-open-policy-agent/
Container Network Authorization with Envoy
Container Network Authorization with Envoy
Envoy is a networking abstraction for cloud-native applications. OPA hooks into Envoy’s external authorization filter to provide fine-grained, context-aware authorization for network or HTTP requests.
Inventors
Code
- https://github.com/open-policy-agent/opa-istio-plugin
- https://github.com/tsandall/minimal-opa-envoy-example
Tutorials
- https://github.com/tsandall/minimal-opa-envoy-example/blob/master/README.md
- https://www.openpolicyagent.org/docs/latest/envoy-introduction/
Videos
- OPA at Scale: How Pinterest Manages Policy Distribution - OPA Summit at Kubecon San Diego 2019
- Deploying Open Policy Agent at Atlassian - OPA Summit at Kubecon San Diego 2019
- How Yelp Moved Security From the App to the Mesh with Envoy and OPA - Kubecon San Diego 2019
Blogs
Kafka Topic Authorization
Kafka Topic Authorization
Apache Kafka is a high-performance distributed streaming platform deployed by thousands of companies. OPA provides fine-grained, context-aware access control of which users can read/write which Kafka topics to enforce important requirements around confidentiality and integrity.
Inventors
Code
- https://github.com/llofberg/kafka-authorizer-opa
- https://github.com/open-policy-agent/contrib/tree/master/kafka_authorizer
- https://github.com/Bisnode/opa-kafka-plugin
- https://github.com/strimzi/strimzi-kafka-operator
Tutorials
Videos
Blogs
Terraform Policy
Terraform Policy
Terraform lets you describe the infrastructure you want and automatically creates, deletes, and modifies your existing infrastructure to match. OPA makes it possible to write policies that test the changes Terraform is about to make before it makes them.
Inventors
Code
- https://github.com/instrumenta/conftest
- https://github.com/fugue/regula
- https://github.com/accurics/terrascan
- https://github.com/Checkmarx/kics
Tutorials
- https://www.openpolicyagent.org/docs/terraform.html
- https://github.com/instrumenta/conftest/blob/master/README.md
Container Network Authorization with Istio (at the Edge)
Container Network Authorization with Istio (at the Edge)
Istio is a networking abstraction for cloud-native applications that uses Envoy at the edge. OPA hooks into Envoy’s external authorization filter to provide fine-grained, context-aware authorization for network or HTTP requests.
Inventors
Code
- https://github.com/open-policy-agent/opa-istio-plugin
- https://github.com/tsandall/minimal-opa-envoy-example
- https://github.com/open-policy-agent/opa-envoy-spire-ext-authz
Tutorials
Blogs
Authorization for Java Spring Security
Authorization for Java Spring Security
Spring Security provides a framework for securing Java applications. These integrations provide simple implementations for Spring Security that use OPA for making API authorization decisions. They provide support for both traditional Spring Security (MVC), as well as an implementation for Spring Reactive (Web Flux).
Inventors
Code
- https://github.com/open-policy-agent/contrib/tree/master/spring_authz
- https://github.com/Bisnode/opa-spring-security
- https://github.com/build-security/opa-java-spring-client
- https://github.com/massenz/jwt-opa
Tutorials
- https://github.com/open-policy-agent/contrib/blob/master/spring_authz/README.md
- https://github.com/massenz/jwt-opa#web-server-demo-app
Custom Application Authorization
Custom Application Authorization
Application require authorization decisions made at the API gateway, frontend, backend, and database. OPA helps developers decouple authorization logic from application code, define a custom authorization model that enables end-users to control tenant permissions, and enforce that policy across the different components of the application (gateway, frontend, backend, database).
Tutorials
Videos
- OPA in Practice: From Angular to OPA in Chef Automate - OPA Summit at Kubecon San Diego 2019
- Michael Sorens - Chef
Blogs
- https://blog.verygoodsecurity.com/posts/building-a-fine-grained-permission-system-in-a-distributed-environment/
- https://choria.io/blog/post/2020/02/14/rego_policies_opa/
Fairwinds Insights Configuration Validation Software
Fairwinds Insights Configuration Validation Software
Automate, monitor and enforce OPA policies with visibility across multiple clusters and multiple teams. It ensures the same policies are applied across all your clusters and gives some flexibility if you want certain policies to apply to only certain workloads. Run the same policies in CI/CD, Admission Control, and In-cluster scanning to apply policy consistently throughout the development and deployment process.
Inventors
Tutorials
- https://insights.docs.fairwinds.com/features/policy/
- https://insights.docs.fairwinds.com/reports/opa/
- https://insights.docs.fairwinds.com/features/admission-controller/
- https://insights.docs.fairwinds.com/features/continuous-integration/
Videos
Blogs
- https://www.fairwinds.com/blog/managing-opa-policies-with-fairwinds-insights
- https://www.fairwinds.com/blog/manage-open-policy-agent-opa-consistently
- https://www.fairwinds.com/blog/kubernetes-multi-cluster-visibility-why-how-to-get-it
- https://www.fairwinds.com/blog/what-is-kubernetes-policy-as-code
- https://www.fairwinds.com/blog/why-kubernetes-policy-enforcement
- https://www.fairwinds.com/blog/an-interview-with-flatfile-on-why-fairwinds-insights-kubernetes-configuration-validation
HTTP API Authorization in PHP
HTTP API Authorization in PHP
These integrations demonstrate using OPA to perform API authorization in PSR-15 and Symfony compliant frameworks.
Inventors
Code
- https://github.com/segrax/opa-php-examples
- https://github.com/segrax/openpolicyagent
- https://github.com/build-security/opa-symfony-middleware
Tutorials
OPAL (Open Policy Administration Layer)
OPAL (Open Policy Administration Layer)
OPAL is an administration layer for Open Policy Agent (OPA), detecting changes in realtime to both policy and policy data and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).
Inventors
Code
Tutorials
Videos
Scalr - Policy enforcement for Terraform
Scalr - Policy enforcement for Terraform
Scalr allows teams to easily collaborate on Terraform through its pipeline that runs all Terraform operations, policy checks, and stores state. Scalr uses OPA to check the auto-generated Terraform JSON plan to ensure that it meets your organization standards prior to an apply.
Inventors
Code
Tutorials
Blogs
Ceph Object Storage Authorization
Ceph Object Storage Authorization
Ceph is a highly scalable distributed storage solution that uniquely delivers object, block, and file storage in one unified system. OPA provides fine-grained, context-aware authorization of the information stored within Ceph.
Inventors
Tutorials
Videos
SSH and Sudo Authorization with Linux
SSH and Sudo Authorization with Linux
Host-level access controls are an important part of every organization's security strategy. OPA provides fine-grained, context-aware controls for SSH and sudo using Linux-PAM.
Inventors
Code
Tutorials
Docker controls via OPA Policies
Docker controls via OPA Policies
Docker's out of the box authorization model is all or nothing. This integration demonstrates how to use OPA's context-aware policies to exert fine-grained control over Docker.
Inventors
Code
Tutorials
Elasticsearch Data Filtering
Elasticsearch Data Filtering
Elasticsearch is a distributed, open source search and analytics engine. This OPA integration lets an elasticsearch client construct queries so that the data returned by elasticsearch obeys OPA-defined policies.
Inventors
Code
Tutorials
Spinnaker Pipeline Policy Enforcment
Spinnaker Pipeline Policy Enforcment
Spinnaker is a Continuous Delivery and Deployment tool started by Netflix. OPA lets you configure policies that dictate what kinds of Spinnaker pipelines developers can create.
Inventors
Tutorials
Blogs
Conftest -- Configuration checking
Conftest -- Configuration checking
Conftest is a utility built on top of OPA to help you write tests against structured configuration data.
Code
Videos
- Applying Policy Throughout the Application Lifecycle with Open Policy Agent - Kubecon San Diego 2019
- Gareth Rushgrove - Snyk
Flask-OPA
Flask-OPA
Simple to use Flask extension that lets you secure your projects with OPA. It allows HTTP API Authorization and Policy Enforcement Point (AOP using decorators on methods).
Code
Blogs
GCP audit with Forseti
GCP audit with Forseti
Google cloud provides a plethora of software as a service. Forseti, built using OPA, lets you run policy checks against the software resources on Google cloud and remediate violations.
Inventors
Code
Videos
Gloo API Gateway
Gloo API Gateway
Gloo is an open-source Kubernetes-native ingress controller, and next-generation API gateway. OPA can be used to implement authorization policies for those APIs.
Blogs
- https://medium.com/solo-io/5-min-with-gloo-api-gateway-configuration-with-open-policy-agent-53da276a6534
- https://docs.solo.io/gloo/latest/security/auth/opa/
Cloudflare Worker Enforcement of OPA Policies Using WASM
Cloudflare Worker Enforcement of OPA Policies Using WASM
Cloudflare Workers are a serverless platform that supports WASM. This integration uses OPA's WASM compiler to generate code enforced at the edge of Cloudflare's network.
Code
Tutorials
Gradle Build Plugin
Gradle Build Plugin
Build plugin adding various tasks to support using OPA as part of Gradle builds
Inventors
Code
IPTables
IPTables
IPTables is a useful tool available to Linux kernel for filtering network packets. OPA makes it possible to manage IPTables rules using context-aware policy.
Inventors
- Urvil Patel - Google Summer of Code
- Cisco
- Styra
Code
Tutorials
HTTP API Authorization in Dart
HTTP API Authorization in Dart
This integration demonstrates how to leverage OPA to perform basic HTTP API authorization in a simple Dart microservice. OPA makes it possible to provide fine-grained context-aware authorization for each REST endpoint and access method.
Inventors
Code
Tutorials
Container Network Authorization with Istio (as part of Mixer)
Container Network Authorization with Istio (as part of Mixer)
Istio is a networking abstraction for cloud-native applications. In this Istio integration OPA hooks into the centralized Mixer component of Istio, to provide fine-grained, context-aware authorization for network or HTTP requests.
Inventors
Code
Tutorials
Pre-commit hooks
Pre-commit hooks
Pre-commit git hooks for OPA and Rego development
Inventors
Code
Blogs
Pomerium Access Proxy
Pomerium Access Proxy
Pomerium is an identity-aware proxy that enables secure access to internal applications. OPA implements authorization under the hood.
Code
Blogs
Kubernetes Admission Control using Vulnerability Scanning
Kubernetes Admission Control using Vulnerability Scanning
Admission control policies in Kubernetes can be augmented with vulnerability scanning results to make more informed decisions. This integration demonstrates how to integrate Clair with OPA and run it as an admission controller.
Code
Tutorials
API Gateway Authorization with Kong
API Gateway Authorization with Kong
Kong is a microservice API Gateway. OPA provides fine-grained, context-aware control over the requests that Kong receives.
Inventors
Code
- https://github.com/TravelNest/kong-authorization-opa
- https://github.com/open-policy-agent/contrib/tree/master/kong_api_authz
Boomerang Bosun Policy Gating
Boomerang Bosun Policy Gating
Boomerang Bosun is a policy-based gating system that combines Policy Templates with Rules and data to validate Gates.
Inventors
Code
OpenFaaS Serverless Function Authorization
OpenFaaS Serverless Function Authorization
OpenFaaS is a serverless function framework that runs on Docker Swarm and Kubernetes. OPA makes it possible to provide fine-grained context-aware authorization on a per-function basis.
Inventors
Code
Tutorials
SQL Database Data Filtering
SQL Database Data Filtering
This integration enables the client of a SQL database to enhance a SQL query so that the results obey an OPA-defined policy.
Inventors
Code
Blogs
Secure Kubernetes using eBPF & Open Policy Agent
Secure Kubernetes using eBPF & Open Policy Agent
Ensure runtime security in any linux machine by combining Extended Berkeley Packet Filter(eBPF) and Open Policy Agent.
Code
Blogs
App authorization for Clojure
App authorization for Clojure
Authorization middleware for Ring based apps and other utilities for working with OPA in Clojure.
Inventors
Code
Minio API Authorization
Minio API Authorization
Minio is an open source, on-premise object database compatible with the Amazon S3 API. This integration lets OPA enforce policies on Minio's API.
Inventors
Tutorials
NodeJS express
NodeJS express
Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications. OPA can be used to implement authorization policies for APIs used in the express framework.
Inventors
Code
Traefik API Gateway
Traefik API Gateway
The Traefik API Gateway is open-source software that controls API traffic into your application. OPA can be configured as a plugin to implement authorization policies for those APIs.
Blogs
Kubernetes Provisioning
Kubernetes Provisioning
Kubernetes automates deployment, scaling, and management of containerized applications. OPA decides which resources need to be created on k8s in response to a namespace being created.
Inventors
Videos
- Kubernetes Policy Enforcement Using OPA at Goldman Sachs - Kubecon San Diego 2019
- Miguel Uzcategui - Goldman Sachs
- Tim Hinrichs - Styra
Kubernetes Authorization
Kubernetes Authorization
Kubernetes Authorization is a pluggable mechanism that lets administrators control which users can run which APIs and is often handled by builtin RBAC. OPA's policy language is more flexible than the RBAC, for example, writing policy using a prohibited list of APIs instead of the usual RBAC style of listing the permitted APIs.
Blogs
- https://itnext.io/kubernetes-authorization-via-open-policy-agent-a9455d9d5ceb
- https://itnext.io/optimizing-open-policy-agent-based-kubernetes-authorization-via-go-execution-tracer-7b439bb5dc5b
Jenkins Job Trigger Policy Enforcement
Jenkins Job Trigger Policy Enforcement
Jenkins automates software development processes. OPA lets you control which people and which machines can run which Jenkins jobs.
Inventors
Videos
Authorization for Java
Authorization for Java
Integrations for interacting with OPA from Java
Inventors
Code
Gluu Gateway Authorization
Gluu Gateway Authorization
Gluu Gateway provides API authentication and authorization for websites built on Kong. Gluu provides an OPA plugin to handle API authorization.
Code
ANTLR Grammar
ANTLR Grammar
ANTLR4 grammar for Rego.
Inventors
Code
Library-based Microservice Authorization
Library-based Microservice Authorization
Microservice authorization can be enforced through a network proxy like Envoy/Istio/Linkerd/... or can be enforced by modifying the microservice code to use a common library. In both cases OPA makes the authorization decision that the network proxy or the library enforce.
Videos
CoreDNS Authorization
CoreDNS Authorization
CoreDNS is a cloud-native DNS server written in Go. OPA can be used as a plugin to filter queries and responses.
Inventors
Code
AWS API Gateway
AWS API Gateway
The AWS API Gateway controls API traffic for your application running on AWS. OPA can be configured as an external authorizer for that Gateway to implement authorization policies on APIs.
Code
Kubernetes Sysdig Image Scanner Admission Controller
Kubernetes Sysdig Image Scanner Admission Controller
Sysdig’s OPA Image Scanner combines Sysdig Secure image scanner with OPA policy-based rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
Inventors
Code
ASP.NET Core
ASP.NET Core
Use ASP.NET Core to create web apps and services that are fast, secure, cross-platform, and cloud-based. OPA can be used to implement authorization policies for APIs used in the ASP.NET Core framework.
Inventors
Code
Automatically document Rego policies
Automatically document Rego policies
Sphinx extension that automatically documents Open Policy Agent Rego policies using meta properties.
Inventors
Code