The Cloud Native Computing Foundation (CNCF) announced the graduation of Open Policy Agent (OPA).
OPA has demonstrated widespread adoption, an open governance process, feature maturity, and a strong commitment to community, sustainability, and inclusivity to graduate.
OPA is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. The project was accepted into the CNCF sandbox in April 2018 and one year later was promoted to incubation.
More than 90 individuals from approximately 30 organizations contribute to OPA, and maintainers come from four organizations, including Google, Microsoft, VMware, and Styra.
“As the cloud native ecosystem grows, it’s more important than ever for organizations to have access to policy enforcement tools built for modern cloud native deployments,” said Chris Aniszczyk, CTO of the Cloud Native Computing Foundation.
“Since joining CNCF, OPA has expanded to integrate closer with Kubernetes via the Gatekeeper project but also supports a wide variety of use cases outside of Kubernetes.”
The project has been adopted widely in production by organizations like Goldman Sachs, Netflix, Pinterest, T-Mobile, and many others. According to a recent OPA user survey of more than 150 organizations, 91% indicated they use OPA in some stage of OPA adoption from QA to production.
More than half indicated they use OPA for at least two use cases. The most common use cases for OPA are configuration authorization (such as Kubernetes admission control) and API authorization.
The project has successfully integrated with several CNCF projects, including Kubernetes, Envoy, CoreDNS, Helm, SPIFFE/SPIRE, and more. It also integrates with Gatekeeper to provide a Kubernetes-native experience for admission policy enforcement and auditing.
“When we started OPA, we knew that policy and authorization were going to become more critical than ever, due to heterogeneous and complex app deployments,” said Torin Sandall, OPA co-founder and VP of Open Source at Styra.
“We also knew we’d need the support of the community for integrations, performance, and knowledge-sharing. It’s thanks to this amazing group of folks that OPA today has become a graduated project and the de facto toolset and framework for expressing authorization policy across the stack.”
During its time in the CNCF incubator, OPA underwent two external security audits, the results of which can be found here and here, and OPA completed the SIG-Security assessment process.
The team has defined a security vulnerability disclosure process and a security response team, which includes individuals from three current maintainer organizations.
“Thanks to OPA’s streamlined policy language, I can take policies that would otherwise require dozens of lines of code, and instead write them in just five or six lines.
This means I was able to—literally overnight—take all of our existing policies and transition them to OPA,” said Joe Searcy, Member of Technical Staff, Distributed Systems at T-Mobile. “OPA policies are significantly faster to create, easier to maintain, and can be applied throughout our stack.
We’ve reached the point that anytime, and with any new project, when we think about policy we automatically turn to Open Policy Agent.”
“Extensibility is really important to us, because we knew from the start that we’d be using OPA as part of a larger ecosystem, built into other code,” said Chris Stivers, Principle Engineer, PaaS, at Atlassian.
“The community, the integrations, and the performance were what reassured us that OPA would meet our needs at Atlassian.”
To officially graduate from incubating status, the project was certified for CII Best Practices Badge, completed security audits and addressed vulnerabilities, defined its own governance, and adopted the CNCF Code of Conduct.