How Do You Integrate Emissary Ingress With OPA

API gateways play a vital role in exposing microservices. They are an additional hop in the network that every incoming request must pass through before it reaches a service. An API gateway performs routing, composition, protocol translation, and user policy enforcement after it receives a request from the client, and then reverse proxies it to the appropriate underlying API. Because API gateways are capable of the above-mentioned tasks, they can also be configured to send incoming client requests to an external third-party authorization (authz) server. The fate of the incoming request then depends on the response that this external auth server returns to the gateway. This is exactly where Open Policy Agent (OPA) comes into the picture.

There are many open-source Kubernetes-native API gateways out there, such as Contour, Kong Gateway, Traefik, and Gloo. In this article, we will be exploring Emissary Ingress.

Building with Open Policy Agent (OPA) for Better Policy as Code

When we hear the term Policy as Code, it's for the most part associated with the enforcement aspects of applying policy at scale within organizations. Whether in the context of GitOps or just popular open source projects like Open Policy Agent (OPA), applying global policy is the end goal.

However, OPA as an open source project is quite unique in its capabilities. There is a whole set of pre-enforcement tools, long overlooked, that provide incredible insights into our systems. A new wave of infrastructure drift has arisen in the cloud world due to the layers of abstraction and automation. When building Firefly, we channeled the power of OPA as a policy discovery engine, not just an enforcement mechanism.

Multi-Cloud API Authorization Challenges

As more and more companies move to a multi-cloud strategy and increase usage of a cloud-native infrastructure, API providers are under a lot of pressure to deliver APIs at scale in multi-cloud environments. At the same time, APIs should follow each company’s security requirements and best practices, no matter the cloud platform. These reasons explain why many providers have such complex API authorization requirements.

Let's assume that, within a company, multiple teams from different lines of business are building and deploying APIs in the Azure cloud. Different teams use different technologies to build these APIs (e.g., Azure Functions, Node.js). The company might host applications that consume the APIs on the same network, such as the company's AWS account, or in external SaaS applications.

What Is Open Policy Agent and How It Works

Open Policy Agent is an open-source engine that provides a way of declaratively writing policies as code and then using those policies as part of a decision-making process. It uses a policy language called Rego, allowing you to write policies for different services using the same language.

OPA can be used for a number of purposes, including:

OPA and Gatekeeper: OPA or Gatekeeper?

In the last couple of posts, I wrote about Open Policy Agent (OPA). People almost always ask one question: what is the difference between OPA and Gatekeeper when it comes to Kubernetes admission control? And, generally, follow up with another question: so should I use Gatekeeper instead of OPA?

Admittedly, the OPA documentation does a nice job explaining OPA and its use cases. It also has a brief section about the difference between Gatekeeper and OPA. But for those just getting started with OPA, this difference isn't always clear.

Leveraging Kubernetes Open Policy Agent

One of the big challenges of going cloud-native and using containers is enforcing security and usage policies. This is an easy task to complete when the cloud infrastructure is relatively simple and has only a limited number of users. Once the cloud environment becomes complex or there are more end-users utilizing cloud resources, having clear governance is a must.

In Kubernetes, policy management and governance are easy thanks to the Open Policy Agent Gatekeeper project, or Gatekeeper for short. It enables compliance checks and more thorough management of policies without sacrificing agility or ease of use. Gatekeeper acts as the agent that validates CRD-based policies run by Open Policy Agent.