View this email in your browser

The OPA Monthly Newsletter

November Edition!

November has arrived and we are looking forward to the holiday season!

Thanks to all of the community members that stopped by the booth at Kubecon, it was a pleasure meeting you!

User Survey

We are looking for input from the community to see how everyone is using OPA. Take 5 minutes to fill out this 7 question survey to help out the community!

Take the Survey

Ecosystem Updates

Open Policy Agent v0.46.1

• New language feature: refs in rule heads
• Entrypoint annotations in rule metadata
• New Built-in Functon: graphql.schema_is_valid
• New Built-in Functon: net.cidr_is_valid

Gatekeeper 3.10.0

• Kubernetes v1.25+, removal of Pod Security Policies and migration to Pod Security Admission 🔐
• Mutation is promoted to stable 🦠
• Introducing Validation of Workload Resources as alpha 🚀
• Performance improvements 🏃

Contributor Shout Outs

Thanks to all of the contributors that participated in these releases, the OPA community wouldn’t be here without you!

• @mattfarina
• @jaspervdj
• @ricardomaraschini
• @byronic
• @philipaconrad
• @pjbgf
• @caldwecr
• @hzliangbin
• @peterchenadded
• @phantlantis
• @ericjkao
• @TheLunaticScripter
• @humbertoc-silva
• @Juneezee
• @vinhph0906
• @aholmis
• @Joffref
• @olegroom
• @iamatwork
• @fredallen-wk
• @bartandacc
• @max0ne
• @OpenSourceZombie
• @JAORMX
• @Boojapho
• @ethanrange
• @stp-bsh
• @qa-ship-it
• @salaxander
• @boatmisser
• @gracedo
• @meons
• @mariusblarsen

Community Tools

circle-policy-agent

The policy-agent is essentially a CircleCI-flavored wrapper library around the Open Policy Agent (OPA), which will allow the users to write the policy documents in CircleCI terminology.

Star on GitHub

custom-opa-spicedb

This experiment adds support for querying relations from Authzed / SpiceDB via GRPC to check resource level permissions as custom builtin commands for Open Policy Agent.

Star on GitHub

Videos 🎥

Policy as Code with Open Policy Agent — Anders Eknert, Styra

Should user Alice be allowed to read credit reports? Should a cloud instance be deployable without basic security configuration in place? Should service X be allowed to query the database? Policy defines the rules of our systems, but how do we ensure our policies are enforced consistently in increasingly distributed and diverse tech stacks? In this talk we’ll explore the benefits of decoupling policy from our applications, deployment pipelines and platforms, and how Open Policy Agent (OPA) can help unify the way we work with policy across the stack.

Securing kubernetes with opa and gatekeeper

Starts at 3:23:20 as part of the Kubehuddle Edinburgh event.

Blogs

I have a plan! Exploring the OPA Intermediate Representation (IR) format

5 Application Authorization Best Practices for Better Cybersecurity

Intro to sets in Rego

OPA into WASM

Opa for k8s

Spring Security Authorization with OPA

Programming Your Policies: Justin Cormack at QCon San Francisco 2022

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

*|IFNOT:ARCHIVE_PAGE|**|HTML:LIST_ADDRESS_HTML|**|END:IF|*

Update Preferences | Unsubscribe

November Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

View this email in your browser

The OPA Monthly Newsletter

October Edition!

October is here, the leaves are changing colors, and weather is starting to become cool.

The OPA community will be at KubeCon NA, so don’t forget to register for Cloud Native Policy Day with OPA!

Register Today!

Community Updates

The OPA community now has over 300 GitHub contributors! This is such an amazing accomplish, keep up the amazing work everyone!

Our friends over at Postman connected with us to setup an OPA webpage to help our community members explore the OPA API. Take a look!

The OPA API on Postman

Ecosystem Updates

Open Policy Agent v0.45.0

• Feature: Improved Decision Logging with nd_builtin_cache
• New builtin: regex.replace for regex-based search/replace on strings
• Optimization: object.union_n builtin implementation to use a more efficient merge algorithm

Community Tools

Capua

A Kafka Policy engine that will help you validate your resources and artefact creations with style.

Like on GitHub

Videos 🎥

rq: Datalog for your shell pipelines

rq brings the full power of Rego, a Datalog dialect created for Open Policy Agent (OPA) to your shell pipelines. It allows you to easily transform and query data in a variety of commonly used formats using Rego expressions, which allows for concise, general-purpose, performant transformations. This talk discusses the background of OPA and Rego, explains some simple Rego expressions, and demonstrates a few of the capabilities of rq.

Speaker: Charles Daniels, Backend Software Engineer, Styra Inc.

Blogs

This has been a busy month of writing for the OPA community. Check out all the new blogs.

How DoorDash Ensures Velocity and Reliability through Policy Automation

Deploying Gatekeeper policies as OCI artifacts, the GitOps way

Rego — The unified policy language for better policy management

Creating Custom OPA Policies with Azure Policy

Use OPA Gatekeeper to prohibit specific IAM users from creating resources in a specific Namespace

[Copy and paste OK] Procedure for linking Open Policy Agent with Python

Events 📆

Cloud Native Policy Day with OPA, Oct 25th

Cloud Native Policy Day with OPA hosted by Styra, the creators of Open Policy Agent, will bring together the OPA community for a day of sharing and discussing policy-as-code best practices, key learnings and creative use cases for OPA. Project maintainers will be on hand to field 1:1 questions and provide live-coding demos — and you’ll see proven real-world implementations from various OPA adopters during each of the sessions.

Whether you’re looking to start down your policy journey, or are an OPA adopter with Rego skills to share, join the community for sharing, learning and socializing.

Attendees are invited to come for the full day with lunch provided or to stop by just for the sessions that interest them most. To register for the event, add Cloud Native Policy Day with OPA from the co-located event list selections when registering for KubeCon + CloudNativeCon NA 2022 or add it to your existing registration by selecting “modify” on your confirmation page or clicking the “modify” link in your confirmation email.

👉 Register Today! 👈

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

*|IFNOT:ARCHIVE_PAGE|**|HTML:LIST_ADDRESS_HTML|**|END:IF|*

Update Preferences | Unsubscribe

October Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

View this email in your browser

The OPA Monthly Newsletter

September Edition!

Happy September Everyone! This month’s edition is coming in a little late, but don’t worry, it’s still packed with great information.

Don’t forget to register for Cloud Native Policy Day with OPA! More info at bottom.

Register Today!

Community Updates

The Rego Playground now has a “Format” button! 🎉

This button auto-formats your policy code in the editor, as well as your input/data JSON documents.

Ecosystem Updates

Open Policy Agent v0.44.0

• security fixes, which mitigate CVE-2022–36085 in OPA itself, and CVE-2022–27664 and CVE-2022–32190 in our Go build tooling.
• Linear performance scaling for sets up into the 500k key range and beyond
• The union builtin is now about 15–30% faster than the equivalent operation in pure Rego.
• This release introduces two new builtins: strings.any_prefix_match, and strings.any_suffix_match.

NPM-OPA-WASM v1.8.0

• New Feature: add loadPolicySync by @elliots in #255

We will discuss these new features in the September 20th Office Hours. Sign up today and send in your questions.

Join OPA Office Hours

Community Tools

Goast

Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

Like on GitHub

Java App with OPA Policies

Motivation for this code and application was to try to understand and implement the Hexagonal Architecture — also called Port and Adapter Architecture.

Test it out

OPA Support for Go Fiber

Open Policy Agent support for Fiber.

Note: Requires Go 1.16 and above

Try it

Blogs

Read up on how the OPA community is using OPA.

Control User Access and Permissions in CVAT with Open Policy Agent

What Exposed OPA Servers Can Tell You About Your Applications

Using XACML with OPA and Rego: The Best of Both Worlds

Authorize REST API with OPA (Japanese)

Controlling Kafka Data Flows using Open Policy Agent

Introduction of Open Policy Agent / Rego to realize Policy as Code (Japanese)

Collaborating on Access Control Policies with Open Policy Agent

Events 📆

Cloud Native Policy Day with OPA, Oct 25th

Cloud Native Policy Day with OPA hosted by Styra, the creators of Open Policy Agent, will bring together the OPA community for a day of sharing and discussing policy-as-code best practices, key learnings and creative use cases for OPA. Project maintainers will be on hand to field 1:1 questions and provide live-coding demos — and you’ll see proven real-world implementations from various OPA adopters during each of the sessions.

Whether you’re looking to start down your policy journey, or are an OPA adopter with Rego skills to share, join the community for sharing, learning and socializing.

Attendees are invited to come for the full day with lunch provided or to stop by just for the sessions that interest them most. To register for the event, add Cloud Native Policy Day with OPA from the co-located event list selections when registering for KubeCon + CloudNativeCon NA 2022 or add it to your existing registration by selecting “modify” on your confirmation page or clicking the “modify” link in your confirmation email.

👉 Register Today! 👈

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

*|IFNOT:ARCHIVE_PAGE|**|HTML:LIST_ADDRESS_HTML|**|END:IF|*

Update Preferences | Unsubscribe

September Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

The OPA Monthly Newsletter

August Edition!

August is here and we are feeling the heat! Reply back to this email and let the OPA team know how you’re beating the heat this year!

Community Updates

Office Hours and the Bi-weekly meeting have converged to 1 weekly meeting. Each Office Hours is an open format meeting you can use to ask any questions you’d like.

But now we are reserving the Office Hours Session following a new OPA release to showcase the new features from that release. Join the next session on August 9th to hear about the v0.43.0 release

Sign Up for Office Hours

You can also watch the replays from the OPA Office Hours and the Gatekeeper Weekly meetings on YouTube. Check out the release announcement for v0.42.0 below.

YouTube Videos 🎥

Our community has posted lots of good stuff on YouTube this month, check out these cool videos.

Feature Release Videos

Keywords, Contains and If

How to incorporate the new keywords contains and if into your policies.

Watch Now

Builtin, Object.subset

This new builtin allows you to check if a set, array, or object is a subset of another item.

Watch Now

Events 📆

Cloud Native Computing Meetup | August 25, 2022

OPA Office Hours | August 9th, 2022

Blogs

Open Policy Agent (OPA) For Kubernetes

High-Performance OPA

How to Shape OPA Data for Policy Performance

Ecosystem

Open Policy Agent v0.43.0

• Large Object Performance Improvements
• GraphQL Tutorial

Gatekeeper v3.9.0

• Constraint schema validation testing
• Make gatekeeper validate subresources

Conftest v0.34.0

• Add parse_config and parse_config_file Rego functions to allow unit testing using config file snippets

Calling all OPA End-Users!

OPA Summit is officially scheduled, are you ready to share your OPA development journey? Let me us know how you’re using OPA and we will help you craft a presentation. This event will be colocated at Kubecon in Detroit this October.

👉 Speak at OPA Summit 👈

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

August Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

It’s that time of year again! We have polled the Open Policy Agent (OPA) community to learn a bit more about what members are working on, their goals and how we can improve the project in the future. This year we had over 240 respondents, from various industries ranging from Software, Finance, E-commerce, Security, and more. With this new data set, we can learn if OPA usage has changed from the previous year, what features and tools are utilized the most and how to improve the OPA project as a whole for the community. To start, let’s compare last year’s survey results to this year’s to see how things have changed or remained consistent:

Last Year’s Survey

Year-over-year numbers

Within a couple of percentage points, the number of use cases and respondents’ implementation goals show similar results to last year. Of the users that responded that they have over four use cases, 70% of those reporting have used OPA for a year or longer. This shows us that as OPA usage matures in an organization, users gain confidence in adding additional use cases, helping them achieve their higher-level goals.

Almost 43% of respondents are in production with their OPA usage — a noticeable improvement from last year. With the addition of the Evaluating option, we can assume those users would have chosen experimentation given last year’s choices, making the other two possibilities a few percentage points lower than the current year.

The last metric we highlighted in last year’s survey is the time to production, showing that 40% of users reach production within six months. This year we are seeing about 27% of users in the production phase by this point. However, 50% of the users in this time frame are in a pre-production phase, which is a substantial amount.

Policy libraries

We’ve seen a slight increase in usage for the Gatekeeper policy library from 57% to 62%, for the respondents that indicated they’re using OPA for Kubernetes Admission Control. However, overall we are seeing 50% of respondents indicating that they are not using any external policy libraries. As policy libraries grow around specific use cases we can expect this number to increase.

Feedback

Last year’s request for better debugging tools led to creating two issues, rule-level tracing, and the print function. The Print Function was released in v0.34.0 and happily adopted by the community. Rule-level tracing still needs assistance from the community; perhaps you can help the community and submit a PR?

As we did with the previous year’s survey, we asked the community for feedback to see what improvements would improve their OPA experience. The number one request was for more examples; nearly 33% of respondents asked for examples of specific or complex configurations and tutorials/sample data to go with them. About 12% of respondents asked for more integrations with AWS, such as the AWS CloudFormation integration that came out in June. And another 10% of users asked for additional debugging capabilities.

Learning tools

The official OPA documentation is the most used resource by the community, with over 90% of respondents using it, followed by the Rego Playground at 66%. The OPA docs are consistently evolving and receive updates as new features roll out, but as with most open source projects, we need the community’s help to keep the docs up to date. As for the Rego playground, we maintain this tool in the hopes that it helps users debug problems and collaborate on new policies. If you see any way that we can improve it, please let us know by creating a feature request.

Monitoring

One surprising discovery from this year’s responses is that 36% of users don’t track OPA decisions, and 39% don’t monitor their OPA status. While these metrics are accessible via OPA’s management APIs, perhaps the docs can be spruced up with some new tutorials on configuring monitoring and logging!

Wrap up

To sum it up, we saw consistency in the implementation goals and number of use cases for OPA with a slight uptick in the overall number of users in production. The utilization of policy libraries seems to have dropped to half of what it was last year. Debugging remains a high-priority area where users wish to see additional improvements, along with more examples and tutorials for the documentation. The OPA Docs and Rego playground take home the gold for most valuable resources, but they could use a few more examples to help community members configure monitoring and logging.

Thanks for your participation in this year’s OPA User Survey. If you’ve sent us your mailing address, you can expect your t-shirt to arrive in your mailbox soon!

Happy OPA 2022 Survey from Charlie! 🎉

Open Policy Agent 2022 User Survey Summary was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

The OPA Monthly Newsletter

July Edition!

Summer is in full swing, conferences are back in action, and we hope everyone out there is having a great time.

OPA News and Articles

This has been a busy month in the OPA world, check out all of these articles that have come out!

Deploying Open Policy Agent (OPA) as a sidecar on Amazon Elastic Container Service (Amazon ECS)

Play with Terraform Cloud Run Tasks (GA) and your own Open Policy Agent server

More blogs..

🚓 Kubernetes Security Policy Enforcement Using OPA

⚙️ Evaluating open policy agent in rust using wasm

🔐 Harden Amazon EKS in minutes with Styra DAS Free and OPA

🧑‍💻 Implement a policy and use it in CLI

OPA Talks

Data Protection Guardrails using Open Policy Agent (OPA)

Catch the replay!

Deep-dive into Open Policy Agent + Conftest + GateKeeper

Catch the replay!

OPA-tunities!

There is still time to show us all the new and unique ways you are using Open Policy Agent! Share your “New OPA-tunity” on Twitter and tag @OpenPolicyAgent and @Styrainc for a chance to be featured in an industry publication and win some awesome swag! You can also email your submission to kayla@styra.com.

Learn Open Policy Agent

Check out the three new courses from Styra Academy: “OPA Performance”, “Microservice Authorization with Styra” and “Terraform Validation with Styra”. The free online portal provides exclusive Open Policy Agent and Rego training from the creators of #OPA.

Styra Academy

Tools

OPA Alfred

Reasonably usable self-hosted version of OPA’s Playground

Rego Style Guide

The purpose of this style guide is to provide a collection of recommendations and best practices for authoring Rego. From Styra, the founders of Open Policy Agent (OPA), and some of the most experienced members of the community, we hope to share lessons learnt from authoring and reviewing hundreds of thousands of lines of Rego over the years.

Integrations

Integration of the Open Policy Agent with the SSI Kit

Ecosystem

Open Policy Agent v0.42.0

• New built-in function: object.subset
• New keywords: “contains” and “if”

Calling all OPA End-Users!

OPA Summit is officially scheduled, are you ready to share your OPA development journey? Let me us know how you’re using OPA and we will help you craft a presentation. This event will be colocated at Kubecon in Detroit this October.

👉 Speak at OPA Summit 👈

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

Open Policy Agent, The July Newsletter! was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

The OPA Monthly Newsletter

June Edition!

June has arrived and summer is starting! The OPA team is wishing you a festive summer!

Kubecon EU Updates

Owlina is now a part of the OPA family!

Announced at Kubecon EU Keynote, Owlina is the new mascot for the Open Policy Agent project. She will have many adventures with Phippy and friends in the future, and we are just excited to have her onboard.

The OPA maintainers talk sold out the house!

With over 1,100 registrants we had a completely full audience at the OPA maintainers talk. But don’t worry the replay is live on YouTube watch it today!

Catch the replay!

Twitter highlights

We have had quite the month, check out what community members are saying on Twitter!

OPA-tunities!

Show us all the new and unique ways you are using Open Policy Agent! Share your “New OPA-tunity” on Twitter and tag @OpenPolicyAgent and @Styrainc for a chance to be featured in an industry publication and win some really cool swag! We can’t wait to see all the cool new ways people are using OPA!

Tools

OPACTL

opactl executes your own Rego (OPA) policy as CLI command.

RBAC-POLICE

Retrieve the RBAC permissions of serviceAccounts, pods and nodes in a Kubernetes cluster, and evaluate them using policies written in Rego.

sanshell

sanssh is a simple CLI with a friendly API for dumping debugging state and interacting with a remote machine. It also includes a set of convenient but perhaps-less-friendly subcommands to address the raw SansShell API endpoints.

Ecosystem Updates

OPA v0.41.0

• GraphQL Built-in Functions
• Built-in Function Metadata

NPM OPA WASM v1.7.0

• Support customBuiltins parameter
• Simplifying exports
• Improved PowerShell experience

Kube-mgmt v7.0.0

• new CLI argument for log level
• improved policy/data config map reconciliation

Kube-mgmt v6.0.0

• ARM64 supports
• Chart is listed at ArtifactHub

OPA News and Articles

AUTHORIZATION CONTROL USING OPENPOLICY AGENT AND GOOGLE GROUPS

How to avoid Security Group changes corruption in terraform by applying Open Policy Agents (OPA)?

OPA Summit

We are looking for speakers for the OPA Summit in October! This is going to be a collection of OPA users telling their stories about getting OPA adopted and deployed to production. If you have an OPA story to share now’s your chance!

👉 Speak at OPA Summit 👈

OPA User Survey 2022

Filling out this survey helps the OPA community grow each year, please take a few minutes to fill it out. By doing so you’d be helping out the community, and you are eligible for a free t-shirt!

👕 Fill out the survey ✅

Let us know how we did

The OPA monthly newsletter is built for the OPA community, let us know what you liked or what you wanted to see more of. Reach out using one of the links below.

Open Policy Agent, The June Newsletter! was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

Intro

After an extended holiday break, the OPA newsletter is back in 2022 with our first edition! This edition brings new versions of OPA and Conftest, as well as some amazing community contributions and tools.

Community Updates

The latest news in the OPA community.

Call for maintainers

The OPA project is a great way to get involved in open source and cloud native technology. We have 2 sub-projects that are a great place to get started!

• Do you like writing Javascript, are you interested in WebAssembly? Check out the: NPM Module
• Like to hack on IDE integrations? Take a look at the: Intellij Plugin

On the fence? Not sure if being an OPA maintainer is right for you? Drop us a note in the #development channel in Slack.

Public Calendar

There is now a public calendar for OPA events. Want to get something added to the calendar, just let us know.

• Public Calendar Link

Office Hours

Every Thursday hang out with someone from the OPA team, ask some questions, and learn some OPA tips.

• Invite Link

GitHub Discussions

The GitHub Discussions repository has been renamed from Feedback to Community. This is still the place to go to ask questions and to receive support from the community. But now we want to expand it to include even more helpful community tools.

• Community Discussions

OPA Mailing List

Now you can receive the latest OPA news right to your inbox! Going forward we will be using a standard email list to send out the monthly newsletter as well as other OPA tips and tricks. Sign up today so you don’t miss out!

• Join our mailing list! http://eepurl.com/hSFrEP

Community Shoutouts

We have two amazing community contributions this month.

The first up is an OPA Guide Book, originally written in Korean and translated to English. The English version is an open source project managed by the author Sangkeon Lee!

• OPA Guide Book: https://sangkeon.github.io/opaguide/

This next one comes from the Japanese OPA community, an OPA Advent Calendar. We love to see contributions from our communities around the world! Created and managed by Masayoshi Mizutani!

• OPA Advent Calendar: https://adventar.org/calendars/6601

Slack Updates

We’ve welcomed over 350 new Slack members since the last newsletter, now there are over 5400 members to chat with! It’s awesome to see everyone showing up being a part of the OPA community.

Some small changes, we’ve added bookmarks to each of the channels to help members quickly find relevant resources. You can see these right under the channel names.

For the new members of the community here is a quick breakdown of the most common channels.

• #announcements — OPA team shares information about the project
• #chit-chat — For community introductions and general communication
• #help — Help getting started with the OPA project
• #development — To talk about code contributions
• #opa-gatekeeper — For Gatekeeper questions
• #opa-conftest — For Conftest questions

Hint: for technical help check out GitHub Discussions

GitHub Shoutouts

There were so many amazing community contributions this month, a big shout out to all of these members for their contributions!

• Rien Valkenaers gave a huge contribution with OpenTelemetry support
• Jordan Shaw Four new functions for working with HMAC
• Kristian Svalland and Omolola Olamide added builtins for reversing arrays and strings
• Mira Yadav Updated http.send built-in to count inter-query cache hits
• Jasper Van der Jeugt fixed an issue with opa fmt
• Branden Horiuchi exposed the HTTP router to the plugin manager
• Gasc Florian fixed an unintended switch between long/regular polling
• Christian Schuetz and Oren Zohar add opa.runtime() to the SDK
• Alan Ma added a feedback button to all of the docs
• Johannes Larsson and Rory McCune updated the CI builds
• Shuhei Kitagawa upgraded golangci-lint to v1.43.0

Twitter Highlights

While we can’t show all of the tweets we receive every month, we appreciate the love from the OPA community on Twitter ❤️ 🐦! Here are a few of the highlights.

Direct links to posts

• https://twitter.com/jromanmartin/status/1466316630024241157
• https://twitter.com/k8satl/status/1464261313744547846?s=20
• https://twitter.com/ApacheAPISIX/status/1470317000471629824
• https://twitter.com/Josh__Ferrell/status/1478870131149357059
• https://twitter.com/damienjburks/status/1483885506203205632?s=21

Ecosystem Updates

Another month means new releases for OPA and the OPA subprojects!

OPA Release v.0.36.0

• Added OpenTelemetry support. #1469
• New command ‘opa exec’ for one-off policy evaluation #3525
• New functions crypto.hmac.md5, crypto.hmac.sha1, crypto.hmac.sha256, and crypto.hmac.sha512 #1740
• New capability ‘allow_net’ added to restrict network connections #3665
• Added AWS credential provider #2786
• New Flag ‘ — tls-cert-refresh-period’ for opa server #2500
• Added v1/status endpoint#4089

Conftest Release v0.30.0

• Always use ORAS context when interacting with a registry
• Update containerd to v1.5.9

Conftest Release v.0.29.0

• Add check flag to fmt command
• Support for terragrunt default config files
• feat: add a quiet flag to verify command

Kube-mgmt Release v3.2.0

• Make cert-manager certs duration configurable
• Enable setting admissioncontroller annotations

Tools from the Community

Every month we discover new tools that were created by the OPA community. Try these out in your project!

• Terraform Plugin: ​​https://github.com/echoboomer/terraform-opa-buildkite-plugin
• Kubernetes sidecar: https://github.com/hooksie1/cmsnr
• Gatekeeper Intro: https://github.com/romerobu/intro-gatekeeper
• APISIX integration: https://apisix.apache.org/blog/2021/12/24/open-policy-agent/
• Github Action https://github.com/infracost/setup-opa
• Kubernetes Helper https://github.com/anderseknert/kube-review

Let us know how we did.

Thanks for reading the January edition of the OPA Newsletter! This is an ongoing process and we are always looking to improve it. Let us know what we can do better, or send us content for the next newsletter: opa_newsletter@styra.com.

If you’re new to OPA or to the community check out these resources.

• Chat with the community on Slack
• Start a thread on GitHub Discussions
• Write a CFP or Host an OPA Meetup Send us an email!
• Receive OPA insights right in your inbox! Subscribe!

The OPA Monthly Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

Intro

Hello everyone and welcome to the very first edition of the OPA Monthly Newsletter! We are excited to bring you all the happenings in the OPA ecosystem. You can expect to find a bit of everything in this newsletter, some community updates, a bit of contributor news, a handful of release notes, and any interesting content we’ve found on the internet this month.

Slack Updates

Our Slack Org now hosts over 5,150 OPA community members!! The OPA team has been hard at work revamping the space to make it functional and valuable for all of our members. A little while ago you may remember we announced a Slack Reorg to consolidate and update channel names and descriptions. This effort was to give everyone a clear understanding of what’s going on and where to go.

To continue to improve the Slack experience for our members we’ve added 2 new channels. For everyone interested in contributing to the OPA project you can now hang out in the #development channel to speak directly with other contributors and maintainers.

We’ve also added a #vendor channel to allow members to reach out directly to our rich ecosystem of vendors that are building products on top of OPA. Jump into the channel today and ask questions about how to improve your OPA management.

News Highlights

One of our community members @boranx shared with the community that Conftest has made it into the Technology Radar by ThoughtWorks

GitHub Updates

The OPA project wouldn’t be the same without all of the contributions from the community. As such we would like to send a big thank you to all of the contributors from the v0.34 release.

• Edward Paget has contributed (#3826 SDK Feat) & (#3863 Bundles Fix)
• Kirk Patton a long time contributor added (#3773 Fix for exit statuses)
• GitHub User @0xAP first time contributor added (#3860 Bundles improvement)
• Andreas Brehmer first time contributor added (#3836 Fmt fix)
• Florian Gasc first time contributor added (#3879 Storage fix)
• Omolola Olamide has landed (#3910 Tutorial Updates)

Twitter Highlights

For those not active on Twitter, we’ve collected some of the highlights and OPA shoutouts here:

Check out the slides and demos that Nico Meisenzahl created:

• enhance-your-compliance-and-governance-with-policy-based-cicd
• demo-opa-terraform-validation
• demo-opa-cicd-validation

Ecosystem Updates

The OPA Project is always changing, check out the latest updates and features for OPA and some of the sub-projects.

OPA Release v0.35.0

• Early Exit Optimization improves performance in many policy types
• New net.lookup_ip_addr built-in function to resolve host IP addresses
• Massive performance improvement in decision logging compression

OPA Release v0.34.0

• A new in operator for checking membership and for iteration
• New print function for debugging
• New opa inspect command for quickly checking contents of a bundle

Gatekeeper Release v3.7.0

• Mutation has graduated to Beta! 🎉
• Added ModifySet mutator 📐

Conftest Release v0.28.3

• The OPA print function is now supported in Conftest!

Kube-mgmt Release v3.1.0

• Support extra environment variables in opa and kube-mgmt containers

Community Spotlights

• The one and only Developer-Guy has been working tirelessly to add OPA policy functionality to Cosign, Check out the PR to see the awesome work to connect the two projects.

What happened this month?

• Meetup: OPA London Meetup
• Meetup: OPA Stockholm Meetup
• Talk: WTF is Cloud Native talk
• Talk: API Authorization with Open Policy Agent
• Blog: Connecting OPA with AWS Lambda
• Blog: Automated Manifest File Validation Using Open Policy Agent and GitHub Actions

What’s coming up next month?

A list of community meetings, meetups, and conferences.

OPA Bi-Weekly

• Dec 7th at 10 AM PT
• Dec 21st at 10 AM PT

Gatekeeper Weekly

• Dec 2nd, 2 PM PT
• Dec 8th, 9 AM PT
• Dec 15th, 2 PM PT
• Dec 22nd, 9 AM PT

Let us know how we did

This was our very first edition of the OPA Newsletter, we really hope you enjoyed it! While we tried our best to find all the latest and greatest activities in the community we surely missed a lot as well. Want to share some cool content, have an OPA shoutout to make, want to speak at a conference, or host a meetup? Let us know by sending an email to: opa_newsletter@styra.com.

If you’re new to OPA or to the community check out these community resources to get started.

• Chat with the community on Slack
• Ask for help and support on GitHub Discussions

The OPA Monthly Newsletter was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.

The OPA community now has over 4,600 members in Slack! This is a tremendous milestone and we are so excited to have all of the new members join us. With this explosion of new members, the total number of Slack channels has crept up on us. The OPA team has noticed having so many channels has created confusion for our new and existing members on where to post about specific topics or themes. To make Slack easier to navigate we are rolling out a new set of channel names and descriptions. We hope this new structure will make Slack a bit easier for everyone. However, if you have a suggestion on how to make it better we would love to know.

Primary / Default Channels.

Any new members joining the OPA community will want to hang out here to start! Read about the latest announcements, introduce yourself in the community chit-chat and ask questions in the help channel.

#announcements

Previous channel name: #general

The general channel is now the announcements channel. General was our busiest channel by far! It is now our announcements channel so that big news like releases and community events can stick around longer. New channels have been created for chit-chat and general help questions. The announcements channel is still open for anyone to post, but now think about posting things you want the entire community to know.

#chit-chat

Previous channel name: #random

Everyone loves a good random channel and the OPA community is no different. Just because we changed the name you shouldn’t feel the need to change what you’re posting. Drop in your OPA memes and funny web links just like before. But now we also want to include community introductions and general chatter here as well.

#help

Previous channel names:

• #rego
• #openpolicyagent
• #questions_and_answers
• #feasibility-question

We want to make it as easy as possible for you to find help while learning about OPA. So we’ve combined the channels we noticed new members were looking for help into a single channel. We hope that this will make it easier for everyone to know where to go when they need help and where to go when they feel like helping others.

Integrations

For OPA users that have been around for a while you are probably well aware of the Conftest and Gatekeeper projects. These two OPA projects have gained a lot of traction and provide amazing contributions to the OPA community. If you have specific questions about the projects these channels are the best place to go. While the maintainers do hang around these channels, we love seeing community members showing off their OPA knowledge answering questions for each other.

#conftest

Conftest is a must have in your policy toolkit. Write tests against structured configuration files including JSON, YAML, XML, Dockerfile, HCL, and more.

#gatekeeper

Gatekeeper helps you safeguard your Kubernetes clusters by defining OPA-based admission control policies that are enforced via webhooks. Gatekeeper also helps you audit your Kubernetes clusters to detect policy violations.

Topics

Trimmed down from the myriad of channels that existed before, the OPA team has chosen 3 channels that contained the most buzz from the community. Terraform, Envoy and WebAssembly are the 3 topics we noticed everyone likes to chat about. We hope that this buzz continues to grow. Also be on the lookout for programs in the future to be recognized as OPA experts in these areas.

#terraform

Terraform lets you describe the infrastructure you want and automatically creates, deletes, and modifies your existing infrastructure to match. OPA makes it possible to write policies that test the changes Terraform is about to make before it makes them.

#envoy

OPA-Envoy plugin extends OPA with a gRPC server that implements the Envoy External Authorization API. You can use this version of OPA to enforce fine-grained, context-aware access control policies with Envoy without modifying your microservices.

#wasm

OPA is able to compile Rego policies into executable Wasm modules that can be evaluated with different inputs and external data. This is not running the OPA server in Wasm, nor is this just cross-compiled Golang code. The compiled Wasm module is a planned evaluation path for the source policy and query.

Archived Channels

• #intros
• #bosun
• #feedback
• #registry
• #intellij-extension
• #gsoc19

You may notice some of the lesser used channels have been archived, we picked these channels based on a number of factors such as frequency of posts and average rate of responses. Ultimately we feel consolidating these conversations into the primary channel #chit-chat will increase participation and response rates.

Bot Channels

• #bot-github
• #bot-rss

These are not the bots you’re looking for…or maybe they are! Going forward any channels with the `bot-` prefix will be used for channels that include Slack bots or automated tools. Currently, the OPA team uses these channels to keep up to date with external sources like Stack Overflow, Reddit, and GitHub.

Wrapping Up

Whether you’re an OPA power user or looking to write your first Rego policy, we want the OPA Slack community to be your home for all things policy related. The OPA team realizes that sometimes new ideas need their own space to flourish. If you’re interested in creating a new channel, reach out to @peteroneilljr or @tsandall on Slack and join us in our mission to solve policy enforcement across the stack. In addition to these Slack updates, you should also be on the look out for our new GitHub Discussions forum that will officially launch in the next couple of weeks. For a sneak peak check out the link at the bottom of this article!

Join the community on:

• Slack
• Twitter
• GitHub
• Discussions (Launching Soon!!)

OPA Slack Tune Up was originally published in Open Policy Agent on Medium, where people are continuing the conversation by highlighting and responding to this story.