RFC @cncf/toc

@brendandburns has volunteered to do the due diligence and support OPA

FYI @cncf/toc

some due diligence via @brendandburns

Here's some verbatum feedback from one of my engineers who lead the azure policy controller and is helping lead gatekeeper (opa + admission control), I'll do my own look too, but I thought I'd pass this along.

--brendan

Vision

At the heart of the OPA’s premise is to decouple the definition of policy from the enforcement of it providing ability to define fine-grained policy control at various levels of the stack. At the basics it is JSON document store with Rego as the query-able language. The design of it being a general open policy engine allows easily building platform specific policy controllers Gatekeeper to be successful.

Quality

The project is well structured and is maintainable, follows good design patterns. I had a chance to add the contribute and enhance the query method in OPA core project. It was easy to make changes i.e. straightforward to satisfy new requirements, and add new test cases in existing test infrastructure. The project has clear and good documentation. The code review process is thorough. The project has does good performance test and security analysis. The github issues are well documented for fresh developers to start making contributions.

Community Support

The support is awesome and growing (supported by folks at Styra). Questions get answered in a near real time. The Gatekeeper project would not have been successful without the help of the level of support (special mention Torin and Tim)

Adoption

In my last several months of closely working and monitoring this project I see fast growing adoption and interest in the project. With the Gatekeeper project we see interest from all major clouds expecting this project to make it to large number of test and production environments. I am already see products and teams within organization like Microsoft e.g Office, AAD, IOT solving policy problems where OPA would be a natural fit.

Improvements

There are always this that we are striving to improve, in that spirit arguably there is a learning curve associated with writing new policies in Rego, and sizable portion of questions on Slack channel are related to policy syntax and bugs . The project has done incredible work it making it debuggable and testable to tooling (e.g. vs code extensions). There is work going on via Gatekeeper project to build a constraint framework a higher level abstraction on top of Rego to make policies more reusable.

OPA is like SQL for authorization. You have uniformity on how to externalize authZ from platform and how to implement platform /app specific authz rules. You don't need to come up with your own ways of implementing authz like K8 Web Hook and another way on different platform.

To @lsitaraman's analogy, in our use of OPA, we literally created postgres connector as a data source so that we could use OPA "as SQL". Not only did we use OPA as SQL, but used it not for its intended core focus of authorization use cases, but to @brendandburns's point, we used it as a general open policy controller to decouple the definition of policy from the enforcement of policy under the use cases (policies) of duplication and correlation. In stark contrast to alternatives like jBPM, Camunda, and Drools, its cloud native architecture proved to be the best starting point providing ability to define flexible policy control.

An area of ask (with respect to our use cases) is with respect to the ability to define policies and create a workflow of policy relationships:

Policy 1 eval -> on success -> Policy 2 eval -> on success -> Policy 3

When new data comes in, it will be applied the initial policy. So the next time it is taken for processing, the next policy in the flow will be applied. Auditing changes to workflows and policies and versioning for flows and policies are nice-to-haves here.

+1 binding TOC votes (6/9):
Brendan: https://lists.cncf.io/g/cncf-toc/message/3081
Alexis: https://lists.cncf.io/g/cncf-toc/message/3082
Jeff: https://lists.cncf.io/g/cncf-toc/message/3086
Liz: https://lists.cncf.io/g/cncf-toc/message/3088
Matt: https://lists.cncf.io/g/cncf-toc/message/3118
Michelle: https://lists.cncf.io/g/cncf-toc/message/3136