Kubernetes administration policy made easy with brewOPA

Administering policies across Kubernetes and other cloud native environments isn't easy. Now, Cyral wants to take the trouble out of the job with brewOPA.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Cloud-native computing -- with such technologies as Kubernetes, service-mesh, and continuous integration and continuous delivery (CI/CD) -- is revolutionizing IT. But managing it can still be a major pain in the server. That's where Open Policy Agent (OPA), an open-source Cloud Native Computing Foundation (CNCF) project, comes in. But it has its own steep learning curve. Cyral, with brewOPA, wants to ease that climb and make managing policies across cloud-native platforms much easier.

OPA's very popular because it allows policy evaluation to be decoupled from an application's core business logic. This means your policy engine internals are abstracted out, so you can easily reuse them across multiple components. Thus, you can write your policy once and apply it across your entire portfolio of cloud-native programs. It also boasts a lightweight design, a general-purpose policy engine, and flexible deployability. You can sidecar it or use it as a host-level daemon or library. With this versatility, many companies, such as Netflix, Intuit, Yelp, Pinterest, and others, are using OPA.

The problem with OPA is you must write policies in its JSON-friendly, declarative domain-specific language (DSL), Rego. This is a newish language meant just for writing OPA policies. OK, who wants to learn yet another DSL? Yeah, that's right, not many of us.

What brewOPA brings to the table is an extensible open-source framework, which enables developers to easily brew OPA policies by writing them in a language any cloud-native computing programmer or system administrator knows: YAML.

BrewOPA is still in its early days of development, but its developers believe it has a lot of potential to make it very easy for developers, DevOps, and SecOps teams to interface with policy engines of the future. Specifically, they see a lot of potential for how it uses YAML interfaces to bridge the gap between DSLs for data security.

BrewOPA is now available under the CNCF umbrella on GitHub. Its developers would love to have you check it out and you may love how much simpler it makes deploying policies over your cloud-native computing stacks.
