Policy engine Open Policy Agent, or OPA for short, has been accepted into the incubator of the Cloud Native Computing Foundation (CNCF). The project joined the CNCF’s sandbox in March 2018 and is now expected to graduate within the next two years.
To get into the incubating stage of the CNCF, a project needs at least two members of the technical oversight committee as sponsors, and it must document that it is successfully used in production by at least three independent end users of adequate quality and scope (the TOC decides on what that looks like). Other than that, it has to have a “healthy number of committers” as well as a “substantial ongoing flow of commits and merged contributions”.
OPA can be integrated into a system as a library, sidecar, or host-level daemon. Uses for the engine range from authorisation and remote access handling to data filtering with services handing over policy decisions to the project through queries it has to answer.
Policies can be specified in a declarative language and make use of document oriented data to enforce requirements. They are loaded into the tool via the filesystem or APIs. Kubernetes users for example can let OPA take care of admission control once set up, companies such as Netflix have been using the project for quite a while to realise authorisation across their cloud apparently.
The CNCF is a sub-section of the Linux Foundation, whose aim it is to “make cloud native computing ubiquitous” by “fostering and sustaining an ecosystem of open source, vendor-neutral projects”. Projects join the foundation at different maturity levels (sandbox, incubating or graduation), with the community behind them working on getting the to graduate this track.
Container orchestrator Kubernetes, monitoring platform Prometheus, and the Envoy proxy are three out of the five projects that managed to do that up until now. At the moment the CNCF sandbox is home to thirteen projects, while sixteen are incubating.