Add OPA review and incubation proposal #199
Signed-off-by: Torin Sandall <torinsandall@gmail.com>
RFC @cncf/toc

@brendandburns has volunteered to do the due diligence and support OPA. FYI @cncf/toc
some due diligence via @brendandburns
OPA is like SQL for authorization. You have uniformity on how to externalize authZ from the platform and how to implement platform/app-specific authz rules. You don't need to come up with your own ways of implementing authz like K8 Web Hook and another way on a different platform.
To @lsitaraman's analogy, in our use of OPA, we literally created a postgres connector as a data source so that we could use OPA "as SQL". Not only did we use OPA as SQL, but we used it not for its intended core focus of authorization use cases, but, to @brendandburns's point, as a general open policy controller to decouple the definition of policy from the enforcement of policy under the use cases (policies) of duplication and correlation. In stark contrast to alternatives like jBPM, Camunda, and Drools, its cloud native architecture proved to be the best starting point, providing the ability to define flexible policy control.

An area of ask (with respect to our use cases) is the ability to define policies and create a workflow of policy relationships:

Policy 1 eval -> on success -> Policy 2 eval -> on success -> Policy 3

When new data comes in, the initial policy will be applied to it. So the next time it is taken for processing, the next policy in the flow will be applied. Auditing changes to workflows and policies and versioning for flows and policies are nice-to-haves here.
+1 binding TOC votes (6/9):
👋
After chatting with @caniszczyk, we felt it was time to propose OPA for the incubation level. There's a link to next week's TOC slides at the end which include additional content.
Signed-off-by: Torin Sandall torinsandall@gmail.com