Cloud Native Computing Foundation Announces Open Policy Agent Graduation

The cloud native policy enforcement engine is used in production by organizations like Goldman Sachs, Netflix, Pinterest, and T-Mobile 

SAN FRANCISCO, Calif. – February 4th, 2020 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the graduation of Open Policy Agent (OPA). OPA has demonstrated widespread adoption, an open governance process, feature maturity, and a strong commitment to community, sustainability, and inclusivity to move from the maturity level of incubation to graduation.

OPA is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. The project was accepted into the CNCF sandbox in April 2018 and one year later was promoted to incubation. More than 90 individuals from approximately 30 organizations contribute to OPA, and maintainers come from four organizations, including Google, Microsoft, VMware, and Styra.

“As the cloud native ecosystem grows, it’s more important than ever for organizations to have access to policy enforcement tools built for modern cloud native deployments,” said Chris Aniszczyk, CTO of the Cloud Native Computing Foundation. “Since joining CNCF, OPA has expanded to integrate with many of today’s most widely used tools and technologies and its broad adoption reflects its versatility across a wide variety of use cases.”

The project has been adopted widely in production by organizations like Goldman Sachs, Netflix, Pinterest, T-Mobile, and many others. According to a recent OPA user survey of more than 150 organizations, 91% indicated they use OPA in some stage of OPA adoption from QA to production. More than half indicated they use OPA for at least two use cases. The most common use cases for OPA are configuration authorization (such as Kubernetes admission control) and API authorization. The project has successfully integrated with several CNCF projects, including Kubernetes, Envoy, CoreDNS, Helm, SPIFFE/SPIRE, and more. It also integrates with Gatekeeper to provide a Kubernetes-native experience for admission policy enforcement and auditing.

“When we started OPA, we knew that policy and authorization were going to become more critical than ever, due to heterogeneous and complex app deployments,” said Torin Sandall, OPA co-founder and VP of Open Source at Styra. “We also knew we’d need the support of the community for integrations, performance, and knowledge-sharing. It’s thanks to this amazing group of folks that OPA today has become a graduated project and the de facto toolset and framework for expressing authorization policy across the stack.”

During its time in the CNCF incubator, OPA underwent two external security audits, the results of which can be found here and here, and OPA completed the SIG-Security assessment process. The team has defined a security vulnerability disclosure process and a security response team, which includes individuals from three current maintainer organizations.

“Thanks to OPA’s streamlined policy language, I can take policies that would otherwise require dozens of lines of code, and instead write them in just five or six lines. This means I was able to—literally overnight—take all of our existing policies and transition them to OPA,” said Joe Searcy, Member of Technical Staff, Distributed Systems at T-Mobile. “OPA policies are significantly faster to create, easier to maintain, and can be applied throughout our stack. We’ve reached the point that anytime, and with any new project, when we think about policy we automatically turn to Open Policy Agent.”

“Extensibility is really important to us, because we knew from the start that we’d be using OPA as part of a larger ecosystem, built into other code,” said Chris Stivers, Principle Engineer, PaaS, at Atlassian. “The community, the integrations, and the performance were what reassured us that OPA would meet our needs at Atlassian.”

To officially graduate from incubating status, the project was certified for CII Best Practices Badge, completed security audits and addressed vulnerabilities, defined its own governance, and adopted the CNCF Code of Conduct.

To learn more about OPA, visit https://www.openpolicyagent.org.

Additional Resources

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry’s top developers, end users, and vendors, and runs the largest open source developer conferences in the world. Supported by more than 500 members, including the world’s largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit www.cncf.io.