Manage Open Policy Agent (OPA) Consistently
Last week the CNCF announced the graduation of Open Policy Agent (OPA), an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. It's an exciting project because it gives anyone responsible for platform teams, compliance, or security a single way to define and enforce policy, including in Kubernetes.
And it's being used! In an OPA user survey of more than 150 organizations, 91% indicated they are using OPA at some stage of adoption, from QA to production. More than half use OPA for at least two use cases. The most common use cases are configuration authorization (such as Kubernetes admission control) and API authorization.
Enforcing Policies in Kubernetes
OPA's momentum is evidence that we need more control and visibility into what's happening in our Kubernetes clusters. But while OPA provides a tremendous amount of functionality for Kubernetes policy enforcement, applying policy across multiple teams and multiple clusters still takes technical know-how and time.
The latest CNCF survey shows that most respondents run 2–5 clusters in production. Some teams, however, run many more.
If you are responsible for 10 or 20 clusters, how can you be sure your OPA policies are consistent across all of them? How much time and how many people does that take, and how much human error are you willing to accept?
Consistently Manage OPA
OPA, applied consistently, benefits both your applications and your Kubernetes infrastructure: you can set customized policies around user access, egress traffic from a subnet, workload deployment requirements, which registries images and binaries may be pulled from, or system access based on time of day, for example. You have the ability to create and enforce the policies that matter to your business.
What's still needed is a way to implement OPA consistently, especially if you are managing a team or need to prove compliance or security.
That’s the problem Fairwinds Insights solves. We added support for OPA policies to every part of Fairwinds Insights including CI/CD pipelines, the admission controller, and the in-cluster agent.
Fairwinds Insights is software that checks your cluster configurations against security, efficiency, and reliability checks. It combines the intelligence of many open source projects, including OPA, Polaris, Goldilocks, Trivy, and more, into one centralized dashboard. If you are responsible for ensuring Kubernetes configurations are done right and consistently, you’ll be able to see at any point in time what needs fixing.
When used with OPA, Fairwinds Insights helps you ensure the same policies are applied across all your clusters, with the flexibility to scope certain policies to certain workloads or clusters (e.g. only run on prod clusters). It also lets you run the same policies in CI/CD, admission control, and in-cluster scanning, so policy is applied consistently throughout the development and deployment process.
Insights can take the same OPA policies and federate them out to all three contexts, and to as many clusters as you like. You get the ability to consistently automate, manage, and enforce Kubernetes policies across clusters.
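To make concrete what one of the policies mentioned earlier (restricting which registries workloads may pull images from) looks like, and how the same policy file can be unit-tested in CI before it is shipped to an admission controller, here is an added example written for this page. It is plain OPA/Rego for the standard Kubernetes admission input shape (`input.request.kind.kind`, `input.request.object`), not Fairwinds Insights' own policy format or a policy from the OPA project. The registry allow-list, resource names and images are constructed for the example, and the `import rego.v1` line assumes OPA 0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Assumption: input follows the standard OPA Kubernetes admission shape,
# where input.request.kind.kind is the resource kind and
# input.request.object is the object under review.

# Constructed allow-list. The trailing slash is deliberate: without it,
# an image at "registry.example.com.attacker.net/..." would also match.
approved_registries := {"registry.example.com/", "ghcr.io/example-org/"}

# Controllers whose containers live under spec.template.spec.
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Containers and initContainers of a Pod reviewed directly.
reviewed_containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.containers
}

reviewed_containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.initContainers
}

# Containers and initContainers of a workload controller's pod template.
# If initContainers is absent the reference is undefined and the rule
# simply contributes nothing, which is the behaviour we want.
reviewed_containers contains c if {
	input.request.kind.kind in workload_kinds
	some c in input.request.object.spec.template.spec.containers
}

reviewed_containers contains c if {
	input.request.kind.kind in workload_kinds
	some c in input.request.object.spec.template.spec.initContainers
}

# An image is approved only if it starts with one of the allowed prefixes.
# A bare name such as "nginx:1.25" (implicitly docker.io) is therefore denied.
image_approved(image) if {
	some prefix in approved_registries
	startswith(image, prefix)
}

deny contains msg if {
	some c in reviewed_containers
	not image_approved(c.image)
	msg := sprintf("%s/%s: container %q uses image %q from an unapproved registry", [input.request.kind.kind, input.request.object.metadata.name, c.name, c.image])
}

# Unit tests on constructed admission inputs (run with `opa test`), so the
# policy can be checked in CI before it reaches an admission controller.
test_deployment_with_unapproved_sidecar_is_denied if {
	count(deny) == 1 with input as {"request": {
		"kind": {"kind": "Deployment"},
		"object": {
			"metadata": {"name": "web"},
			"spec": {"template": {"spec": {"containers": [
				{"name": "web", "image": "registry.example.com/web:1.2"},
				{"name": "sidecar", "image": "nginx:1.25"}
			]}}}
		}
	}}
}

test_pod_from_approved_registries_is_allowed if {
	count(deny) == 0 with input as {"request": {
		"kind": {"kind": "Pod"},
		"object": {
			"metadata": {"name": "batch"},
			"spec": {
				"initContainers": [{"name": "init", "image": "ghcr.io/example-org/init:3"}],
				"containers": [{"name": "main", "image": "registry.example.com/batch:7"}]
			}
		}
	}}
}
```

Save this as `registry.rego` and run `opa test registry.rego` in the pipeline; to evaluate it against a captured admission review saved as `review.json`, run `opa eval -i review.json -d registry.rego "data.kubernetes.admission.deny"`. Two details are worth keeping in mind whatever tool distributes the policy: checking initContainers as well as containers closes the obvious bypass, and the prefix match only works as an allow-list because each prefix ends in a slash.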
You can read more and view some screenshots of how you can manage OPA policies with Fairwinds Insights.