Open Policy Agent - Policy-based control for cloud-native environments

The Open Policy Agent enables fine-grained control across your cloud-native environment. Before we coupled policies with our applications. Open Policy Agent allows us to separate the policy decisions which allows us to apply and change new policies without affecting the running workloads. We also explore the company behind Open Policy Agent Styra and how they plan to expand OPA with a managed service.

Open Policy Agent -
Styra -
Play with Open Policy Agent -

Episode Transcription

Welcome back to The Byte. My last day here in San Francisco. DockerCon has been an amazing event, and like I said in previous episodes I had the opportunity to speak to a lot of vendors and learn a lot from a lot of the attendees. It was a really amazing experience. One of the companies I came across was Styra, and Styra is actually the company behind Open Policy Agent, which I didn't realize. We've used Open Policy Agent on a couple of projects, and Open Policy Agent if you haven't played around with it, it really is ... you know it's a control platform for your environment. So you put this between your environment and your users and you can then change the policies. So you want people to get access into an Ubuntu server for example. Instead of having to change your application and the server and all of these things, you actually just change the policy within Open Policy Agent and then you have access within.

So it's much easier. Easier to audit. Compliance is much happier because it's all documented and you can see these fine-grained policies at a glance. Now, this is a very powerful tool. I mean it's ... it decouples all the policies from your applications, which we've done previously. We actually put policies in our applications, and if we wanted to change something, we had to change our applications.

Open Policy Agent actually allows us to separate our policy decisions outside of our stack, and make these changes from externally, without affecting the workload, which is really, really helpful. So we can declare, we can express in a declarative language, fine-grain policy details. In the Ubuntu example SSH access. I can say, "Hey, I want to block SSH for all of these instances that are running in a certain region, but region two is allowed." You can have that level of detail that's going on. Now, Styra I talked to the founders and I talked to a bunch of the team there, and they were building a managed service for Open Policy Agent, which is quite cool because I didn't realize that even existed.
And this is an interesting space because not many companies are focusing on the compliance side and this type of security. Most of the companies are focusing on firewall and you know, how do we secure the workload? This is really creating policies which every company has, right? We all have some sort of policy we need to define, then we need to validate these and we need to enforce them, and we need some sort of graphical representation of what's actually happening on these decisions. So they're making this as a service, right? Open Policy as a service. It's, I believe it's going to be a SaaS at the moment, but it will be on-prem in the future they indicated. So there's a lot of potentials there. And you know, one of the Docker captains, as I'm looking into this, tweeted out, Scott Coulton, which is based out of Australia, working for Microsoft, really into the Kubernetes world.

He tweeted out yesterday that Open Policy Agent now has a play with Open Policy agents. So play with ... So you don't even need to spin this up. And this is really aimed for the Kubernetes environment. So you can actually open this up. You can play around with the inputs and outputs and see exactly what you can define. I mean it's just right there in your browser, which is really, really helpful. And like I said, we have some financial customers. We have, you know, big telecommunications companies that are interested to enforce these types of policies on their Kubernetes clusters.

Open Policy is becoming almost the standard for defining policies on their clusters. So I can only see the space growing as compliance and more security-aware applications start running on Kubernetes. So I think it's something to watch. Compliance is always some of these ... one of these things that's a slow mover because they need to get all the checkboxes ticked before they can move on to the workload. Open Policies and it will make that possible. But I know in a lot of organizations they can't implement such tools unless there's a company behind it. Well, Styra is a company behind it. They had their own managed service. So this could enable companies that weren't able to use tools like Kubernetes before, with something that has a managed service. You have some dashboards, you can really have some audit trails and you can do like a security policy as code as they said, which was really kind of cool.

I encourage you to try out to play with Open Policy Agent. It's a new tool, and I'm going to start playing with that ... around with it myself. So I'm going to put some GitHub projects out there so people can kind of follow around and see exactly what's possible and yeah, give it a try. is the open-source. You know it's part of the CNCF Stryra ... I can't say that right. So Styro, Styra is actually the company behind Open Policy Agent, it actually created it, and now they're spinning off their managed service offering. And then to play with Open Policy Agent as well. I'll put to all these links in the notes. That's all I have for today. I'm heading back to Switzerland. Can't wait to see the family, and stay tuned. I have a lot more shows, I took a ton of notes during DockerCon, so stay tuned.

I'm also planning to interview a lot of the captains I had dinner with and talked to over the last few days. I mean, speaking to these captains is amazing. Every time I sit with these really intelligent individuals, my to-do list just grows incredibly, because now I have a lot of book recommendations. I have podcasts, I have videos. I mean, the list goes on, so I need to catch up on all of these on this 12-hour flight I have ahead of me, and I'm planning on interviewing all these people in the next few weeks. So stay tuned. There's a lot of exciting content coming. Thanks and have a great weekend. Bye-bye.
© 2020 TheByte