Open Policy Agent Graduating in the CNCF Proves Need for Cloud Native AuthZ
We’re really excited to announce that Open Policy Agent (OPA) is now a graduated project in the Cloud Native Computing Foundation (CNCF)! OPA joins projects like Kubernetes, Envoy, Prometheus, Fluentd (and ten others) that the CNCF recognizes for achieving broad adoption by the cloud-native community and maturity in its development processes. As the creators of OPA, we couldn’t be prouder!
We still remember the early days of the project, when we spent as much time explaining to people what OPA was as we spent writing code and documentation. It’s crazy to think that not that long ago we were excited about the first million downloads, and now we’re seeing a million downloads every week. Milestones like this one are a great opportunity to think and write about what we’ve learned about the policy space.
Top 6 things we’ve learned about policy
The need for unified policy.
One thing that was clear from the very beginning is that people want a unified solution to policy and authorization. We’ve talked personally to thousands of people over the last few years, and only a couple have ever said that instead of the one API, language, and model that OPA provides they’d rather use many different ways to manage authorization. The broad adoption of OPA signified by graduation implies an organic desire throughout the world for unified authorization.
Unified policy is a journey.
We always knew that bringing about unified authorization would require more than a technical solution. People want it to work, but they need a starting point. They need the technology to solve a real problem that they must solve right now, AND that would start them on the journey to a single authorization solution. And so we worked hard with the community to solve several real problems with OPA and explain those solutions to the world: authorization problems for Kubernetes, microservices, CI/CD, Terraform, Kafka and more. Solving any one of those problems is reason enough to adopt OPA, but include the fact that it also puts you on the path to unified authorization, and it’s a no-brainer. As OPA has matured toward graduation, we’ve found multiple teams within a single organization embracing OPA, sometimes independently but sometimes strategically. Regardless of the motivations, the journey toward unification has a clear path.
The journey includes vistas along the way.
When we started the project and Styra, we didn’t fully realize how many microcosms within the cloud-native software ecosystem would benefit from unified authorization:
Unified policy across polyglot microservices
Unified policy across different components of an application, e.g. front-end, backend, database
Unified policy across different vendor software running on Kubernetes
Unified policy across the sea of services on a single public cloud or even across multiple public clouds.
OPA is production-ready.
Solving real-problems en-route to unified authorization isn’t enough if the technology doesn’t withstand the fires of production usage at scale. OPA is currently being used by luminaries in the cloud-native space for years and across different use cases. Those organizations using OPA have demonstrated its ability to withstand the pressures of production environments at some of the most technologically advanced environments in the world, e.g. Netflix, Pinterest, Yelp, Atlassian, CapitalOne, Intuit, Goldman. This kind of multi-year, production usage is part of what graduation signifies—the technology is proven beyond doubt.
Policy management is a problem to solve all by itself.
Having a single language, toolset, and framework for solving authorization enables a unified solution to policy management—to writing, organizing, distributing and analyzing policies and the decisions they make. We have seen organizations build a unified policy management solution around OPA themselves, and we have helped people roll out our commercial policy management system. What we’ve concluded is that unified policy is more valuable the more chaos exists within an organization, and the more chaos that exists within the organization the more important the rigor around managing those policies becomes.
Unification is itself perhaps inherently cloud-native.
While unified policy and authorization is for us a natural goal, having worked toward it for so long, many of the graduated projects (arguably) each aim to unify something in their own right. Prometheus unifies monitoring; fluentd unifies logging; Envoy unifies network functions across polyglot microservices; Jaeger unifies tracing across polyglot microservices; Kubernetes unifies resource management. In retrospect this isn’t all that surprising because another way of describing a unification effort is to say that a project does one thing and does it well, and since that one thing needs to interoperate with a host of existing technologies, it unifies those technologies it integrates with.
Thank you
From all of us at Styra, we wanted to take this opportunity to thank all the maintainers who helped build OPA, the users who embraced OPA and helped guide it, and the vendors who integrated OPA (check out our post on OPA’s blog for a few shout outs to specific contributors). Your input has helped guide project decisions, features and integrations since the beginning. OPA would not have reached this exciting milestone without you!
We’d also like to take this time to thank some of the customers, visionaries, analysts, journalists, and industry experts that have helped us steer the company. In particular, thanks to Marlene, Jorge, Jelle, Joe, Martin, Mark, Fernando, Anders, Tony and Magnus. All the time and energy you put into us and our software, helping us understand where we fit into the bigger picture, and giving us insight into how it should all really work has been truly invaluable.
To us, achieving Graduation status from the CNCF is a reflection of the maturity of the project. Our interest has always been solving real problems, engaging with the community and helping people learn and adopt authorization policy. This moment is just a snapshot in time for the project, and while we’re really excited about it, there is still work to be done in making OPA the de-facto standard of authorization across the cloud-native environment. But for today, we’ll celebrate with the OPA community on this exciting new milestone. Cheers to everyone using both OPA and Styra’s Declarative Authorization Service!
Join the excitement and sign up to receive an OPA World Tour shirt!