Dynamic Policy for OpenStack with Open Policy Agent

Open Policy Agent (OPA) is gaining traction in the CNCF ecosystem. It is a lightweight policy engine that you can run as a sidecar, a daemon or a library. It provides its own policy language, Rego, which offers a rich set of features for writing and evaluating policy decisions. There are already integrations with Kubernetes, Kafka, Terraform and other services, so we decided to give it a try for OpenStack.


We wrote a translation tool to convert oslo.policy files, as they exist today, into policies written in the Rego language; we also made oslo.policy pluggable, so that a different enforcer can be dropped in.


Here, we present our observations from using OPA to evaluate policies for several OpenStack services in place of the classic oslo.policy enforcer. We'll present data on how this performs, as well as recommended patterns for deploying OPA alongside OpenStack.


Finally, we'll talk about the next steps in this work, and how we think it will give operators a centralized place to store, deploy and update policies for their clusters.