If you need a policy management tool for your Kubernetes clusters, you have several options to choose from. Two popular policy tools are Open Policy Agent and jsPolicy.
Open Policy Agent, or OPA, is a domain-agnostic, general-purpose policy engine that decouples policy decisions from the system that enforces them, so enforcement can be handled separately from the decision logic. OPA expresses policy as code in a high-level declarative language, Rego, and it can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, and API gateways.
This article will compare OPA and jsPolicy in Kubernetes as well as their language and learning curves in relation to developer experience; we’ll then look at policy testing so that you can select the best tool for your projects.
OPA uses Rego, a domain- and platform-agnostic declarative language for defining and enforcing policies in a cloud-native environment. Rego lets you state what a query should return rather than how to compute it, and the OPA engine optimizes evaluation of the query for you. According to the Rego documentation, the language is designed in layers and is deliberately not Turing complete: it cannot express every possible computation, which is what keeps policy evaluation predictable and guaranteed to terminate.
To read more about Rego’s design pattern, check out this article.
Rego is platform-independent, but developers and operators still have to learn the language, and how to express cluster policies in it, before they can define policies for the cluster.
There are several ways to run OPA. If your application is written in Go, you can import the OPA package as a library and evaluate policies in-process. Otherwise you run OPA as a daemon (opa run --server), a separate process that answers policy queries over a REST API. The daemon can run as a sidecar container in your pod, which lets the application reach it over localhost, or as its own process on one of your Kubernetes nodes.
Whichever option you choose, make sure your applications can reach the OPA daemon without adding latency to every decision. Deploying the daemon on one node while the application that queries it runs on another makes little sense, because every policy check then becomes a cross-node call.
This image (courtesy of magalix.com) shows the various deployment options:
To set up jsPolicy in your cluster, install its Helm chart. With Helm v3, run:

```shell
helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh
```

Then create a sample policy.yaml file and apply it to your cluster:
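The sample policy itself, as an added example that is not jsPolicy's own code: the JavaScript below is the kind of body you would place in the spec.javascript field of a JsPolicy object. It is paired with a small harness that stands in for the `request` object and `deny()` function jsPolicy injects at evaluation time, so the policy can be run and unit-tested on a workstation with Node.js, which is the jsPolicy-side counterpart of what `opa test` gives you for Rego. The `request` field names used (namespace, operation, object), the image-pinning and privileged-container rules, and all sample requests are assumptions constructed for illustration.

```javascript
"use strict";
// Added example (not jsPolicy's own code): a jsPolicy-style validating policy plus an
// offline harness. In a cluster, the body of policy() is what goes into the
// spec.javascript field of a JsPolicy manifest; jsPolicy supplies `request` and `deny()`
// at evaluation time. The request field names used here (namespace, operation, object)
// are assumptions about that injected object, so both are stubbed below and the policy
// can run and be tested without a cluster.

// Returns true when an image reference is pinned to a tag other than ":latest" or to a
// digest. The registry host may carry a port, so only the last path segment is inspected.
function isPinnedImage(image) {
  if (typeof image !== "string" || image.length === 0) return false;
  const last = image.substring(image.lastIndexOf("/") + 1);
  if (last.includes("@")) return true; // digest reference, e.g. name@sha256:...
  const tag = last.includes(":") ? last.substring(last.indexOf(":") + 1) : "";
  return tag.length > 0 && tag !== "latest";
}

// The policy proper: reject workloads in the default namespace, privileged containers,
// and containers whose image is not pinned. deny(msg) records the rejection and the
// policy returns after the first denial, as a validating admission check would.
function policy(request, deny) {
  if (request.namespace === "default") {
    return deny("resources may not be created in the default namespace");
  }
  const obj = request.object || {};
  const podSpec = obj.kind === "Pod"
    ? obj.spec
    : obj.spec && obj.spec.template && obj.spec.template.spec; // Deployment, Job, ...
  if (!podSpec) return; // not a workload this policy validates
  const containers = [...(podSpec.initContainers || []), ...(podSpec.containers || [])];
  for (const c of containers) {
    if (c.securityContext && c.securityContext.privileged === true) {
      return deny(`container "${c.name}" must not run privileged`);
    }
    if (!isPinnedImage(c.image)) {
      return deny(`container "${c.name}" must pin its image to a tag or digest (got "${c.image}")`);
    }
  }
}

// Harness standing in for jsPolicy's runtime: evaluates one admission request and
// returns the verdict the admission webhook would produce.
function evaluate(request) {
  let message = null;
  policy(request, (msg) => { message = msg; });
  return message === null ? { allowed: true } : { allowed: false, message };
}

// Constructed admission requests for exercising the policy (not captured from a cluster).
const sampleRequests = {
  compliant: {
    operation: "CREATE", namespace: "payments",
    object: { kind: "Pod", spec: { containers: [{ name: "api", image: "registry.example.com:5000/api:1.4.2" }] } },
  },
  defaultNamespace: {
    operation: "CREATE", namespace: "default",
    object: { kind: "Pod", spec: { containers: [{ name: "api", image: "registry.example.com/api:1.4.2" }] } },
  },
  privileged: {
    operation: "CREATE", namespace: "payments",
    object: { kind: "Deployment", spec: { template: { spec: { containers: [
      { name: "agent", image: "registry.example.com/agent@sha256:0123", securityContext: { privileged: true } },
    ] } } } },
  },
  unpinned: {
    operation: "UPDATE", namespace: "payments",
    object: { kind: "Pod", spec: {
      initContainers: [{ name: "init", image: "busybox:latest" }],
      containers: [{ name: "api", image: "registry.example.com/api:1.4.2" }],
    } },
  },
  notAWorkload: { operation: "CREATE", namespace: "payments", object: { kind: "ConfigMap", data: {} } },
};

for (const [name, req] of Object.entries(sampleRequests)) {
  console.log(name, JSON.stringify(evaluate(req)));
}
```

Because the policy is ordinary JavaScript, the same file can be exercised by any JavaScript test runner before it is ever applied to a cluster; only the `policy()` body needs to be copied into the manifest.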
OPA also contains several tools for building and developing policies, which makes it easier to define policies during the development stage. A VS Code plugin can be installed to ease testing, debugging, and analysis of policies for a particular project.
OPA places no limit on the number of Rego policies you can write, and each of them can be exercised with the OPA test framework (opa test). The cost is in maintenance: Rego has a steep learning curve, and as the policy count grows, a large body of Rego becomes harder to read and to change safely. Because OPA lets you verify the correctness of each policy, you also have to keep the accompanying test files and test cases current and passing at all times. Done consistently, that discipline validates the quality of the policy set as new policies are added, and keeps it maintainable as it scales.
# Testability of Policies
OPA makes it easy to test and verify your policies, which speeds up writing new ones. Tests are themselves written in Rego and run with the opa test CLI. To run every test under the current directory with verbose output:

```shell
opa test . -v
```

opa test loads the .rego files in the given paths recursively and executes every rule whose name starts with test_. A test passes when the rule evaluates to true and fails when it evaluates to false or is undefined. Other features of the test CLI include:
- data mocking, i.e. overriding input or data for a single test with the with keyword
- alternative output formats for test results
On its website, OPA provides comprehensive details on how to verify and test policies. You can learn more here.
OPA is widely used in organizations. Netflix uses OPA to control access to its internal API resources. Chef uses it to provide IAM capabilities for its end-user products. Cloudflare and Pinterest also use it to enforce policies on their platforms. You can read more about this here.
Loft Labs, the company that created and maintains jsPolicy, is gaining traction due to innovative tools like vcluster, an open source tool for creating virtual Kubernetes clusters. This visibility will likely help increase the adoption of jsPolicy.
Either engine could be a good choice for your business. Consider which factors are most relevant to your project and your use case before you make a decision. You can learn more about jsPolicy here and about OPA here.