Manage Open Policy Agent (OPA) Consistently

Last week the CNCF announced the graduation of Open Policy Agent (OPA), an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. It’s a super exciting project that helps anyone responsible for teams, compliance, or security apply policy in Kubernetes.

And it’s being used! In an OPA user survey of more than 150 organizations, 91% indicated they use OPA at some stage of adoption, from QA to production. More than half indicated they use OPA for at least two use cases. The most common use cases for OPA are configuration authorization (such as Kubernetes admission control) and API authorization.

Enforcing Policies in Kubernetes

OPA’s momentum is evidence that we need more control over, and visibility into, what’s happening in our Kubernetes clusters. While OPA provides a tremendous amount of functionality for Kubernetes policy enforcement, it also requires technical know-how and time to apply policy across multiple teams and multiple clusters.

The latest CNCF survey shows that most people are running 2–5 clusters in production. However, there are teams running many more.

If you are responsible for managing 10 or 20 clusters, how can you be sure that your OPA policies are consistent across all of them? How much time and resource do you need, and how much human error are you willing to accept, to manage this headache?

Consistently Manage OPA

OPA, when applied consistently, benefits your application and Kubernetes infrastructure by allowing you to set customized policies around, for example, user access, subnet egress traffic permissions, workload deployment, which registries binaries may be pulled from, or system access based on time of day. You’ll have the ability to create and enforce the policies that are important to your business.
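As an added illustration of the kind of workload-deployment policy described above (this is example code, not from the post or from Fairwinds), here is a Rego admission-control policy that rejects Pods whose containers pull images from registries outside an allow-list. It assumes the standard Kubernetes AdmissionReview input shape, a constructed registry allow-list, and a `data.cluster.env` document that each cluster supplies so the rule can be scoped to production clusters only; all three are assumptions, not anything the post specifies.

```rego
package kubernetes.admission

import rego.v1

# Constructed allow-list for this example: registries the organisation trusts.
allowed_registries := {"registry.example.internal", "ghcr.io/example-org"}

# Assumption: each cluster publishes its environment as data.cluster.env
# (e.g. loaded as a data document), so the same policy can be federated to
# every cluster but only enforce on production ones.
enforce if data.cluster.env == "prod"

# Only Pod create/update requests are examined; other kinds pass through.
is_pod if {
	input.request.kind.kind == "Pod"
	input.request.operation in {"CREATE", "UPDATE"}
}

# Every container spec, including init containers, is checked.
containers contains c if some c in input.request.object.spec.containers
containers contains c if some c in input.request.object.spec.initContainers

# An image is allowed only when it starts with "<trusted-registry>/".
# Bare images such as "nginx:latest" resolve to Docker Hub and are rejected.
image_allowed(image) if {
	some r in allowed_registries
	startswith(image, concat("", [r, "/"]))
}

# deny collects one message per offending container; an empty set means admit.
deny contains msg if {
	enforce
	is_pod
	some c in containers
	not image_allowed(c.image)
	msg := sprintf("container %q uses image %q from an untrusted registry", [c.name, c.image])
}
```

Evaluate with `opa eval -d policy.rego -d cluster.json -i admission-review.json 'data.kubernetes.admission.deny'`; the admission controller or CI step then rejects the request whenever the resulting set is non-empty.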

What’s still needed is a way to implement OPA consistently, especially if you are managing a team or need to prove compliance or security.

That’s the problem Fairwinds Insights solves. We added support for OPA policies to every part of Fairwinds Insights including CI/CD pipelines, the admission controller, and the in-cluster agent.

Fairwinds Insights is software that checks your cluster configurations against security, efficiency, and reliability checks. It combines the intelligence of many open source projects, including OPA, Polaris, Goldilocks, Trivy, and more, into one centralized dashboard. If you are responsible for ensuring Kubernetes configurations are done right and consistently, you’ll be able to see at any point in time what needs fixing.

When used with OPA, Fairwinds Insights helps you ensure the same policies are being applied across all your clusters and gives some flexibility if you want certain policies to apply to only certain workloads (e.g. only run on prod clusters). It also allows you to run the same policies in CI/CD, admission control, and in-cluster scanning, so you’re applying policy consistently throughout the development and deployment process.

Insights can take the same OPA policies and federate them out to all three contexts, and to as many clusters as you’d like. You benefit from the ability to consistently automate, manage and enforce Kubernetes policies across clusters.

You can read more and view some screenshots of how you can manage OPA policies with Fairwinds Insights.




Fairwinds — The Kubernetes Enablement Company | Editor of uptime 99
