Experimenting with Open Policy Agent
Download the OPA interactive shell (a.k.a. REPL) for your platform from the OPA GitHub releases page. For example, downloading release 0.5.10 for 64-bit Linux:
curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.5.10/opa_linux_amd64 \
&& chmod 755 ./opa
Make sure you can run (`./opa run`) and quit (Ctrl-D or `exit`) the REPL.
The repository includes two experiments:
- istio-opa-design-example - A policy definition based on the Istio OPA adapter design
- Sherlock - a fictional microservice-based service, loosely based on the Istio Bookinfo application
In addition to the network isolation policies themselves, there may be requirements on who can define policies for each service, and on whether policies, or specific rules and conditions defined within a policy, defined by one role (e.g., CISO or other security personnel) can be overridden by service teams (e.g., DevOps engineers):
- Policy control (who can define policies, which can be overridden, etc.)
- Policy processing in case of multiple policies applied to an operation (e.g., priority, conflict resolution)
While it may be possible to address the above using OPA and Rego, that work is beyond the scope of this experiment.