Open Policy Agent 0.30 lands, irons out some kinks

OPA 0.30

The team behind general-purpose policy engine Open Policy Agent (OPA) has pushed out version 0.30 (and 0.30.1 to make it run correctly) of the project, which should help provide a more secure setup and relax things for those using OPA in edge scenarios.

The Open Policy Agent was originally developed by cloud native tooling vendor Styra in a bid to provide a unified way of enforcing policies in microservices, pipelines, Kubernetes and more. In February 2021, it was welcomed into the realms of CNCF graduated projects, a status shared with widely used tools like Prometheus and Kubernetes. Users are said to include Netflix and Chef.

Amongst other things, the update provides teams with a way of preventing the use of old TLS versions. This can be done by setting the new command line parameter --min-tls-version. The default is currently set to 1.2, given that TLS 1.0 and 1.1 are already deprecated. The OPA server however supports v1.0, 1.1, 1.2, and 1.3 — should a setup still require a different minimum.

Users who recently had trouble with bundle-supplied policies being overwritten via the OPA API should find the issue fixed with the current release. The agent will now act as documented again and return a 400 HTTP should someone try to overwrite such a policy. The problem lay in a faulty check.

OPA 0.30 also comes with the capability to listen on abstract Unix Domain Sockets, which wasn’t an option before. Abstract sockets don’t create nodes in the path space, so their name disappears when the socket is closed, meaning there’s no delinking necessary. Another enhancement concerns OPA’s REST plugin, which has learned to let a user specify a CA cert for remote services implementing management APIs such as bundle and status. 

To make downloading bundles a bit less stressful in edge-case scenarios, the cached ETag is reset to the latest successful activation should an error occur. Earlier versions tended to just reset the cached ETag completely, leading to unnecessary downloads.

OPA comes with its own declarative language for specifying policies as code. It is called Rego, and uses the update to fix problems with inlining controls, partial evaluations, cache value size and index checking. 

Apart from that, Rego’s indexer should now be able to understand function arguments, and ast.InterfaceToValue has been fitted to work with non-native types. The static property lookup of objects uses binary search in v0.30, and the rego package has been modified, so that a caller can set a random seed if needed.