Open Policy Agent
Sysdig Secure extends Open Policy Agent to strengthen cloud and Kubernetes security with policy as code.
The Open Policy Agent (OPA) is an open-source policy engine that unifies policy enforcement for cloud-native environments. It is a Cloud Native Computing Foundation® (CNCF®) graduate project.
Sysdig Secure uses OPA to manage compliance and governance policies as code for Kubernetes.
Why OPA?
Open source
Be part of the vibrant community that continuously improves the depth and breadth of innovative use cases.
Flexible deployment
Deploy OPA as an independent daemon, import an OPA-enabled library, or use a network proxy integrated with OPA.
Policy as code
Decouple policies from business-logic with context-aware policy rules based in Rego, and unify policy enforcement across the stack.
Sysdig Secure Extends OPA
Sysdig Secure leverages OPA to enforce consistent policies across multiple IaC (Terraform, Helm, Kustomize) and Kubernetes environments, using policy as code framework. It allows DevOps teams to shift security further left by scanning infrastructure as code source files before deployment. Sysdig Secure also detects runtime drift, prioritizes based on application context, and fixes issues directly at the source with a pull-request.
Apply Policy as Code based on OPA
Leverage the Open Policy Agent and apply policy as code controls across your Kubernetes workloads.
Enforce compliance and governance from source to production
Automate compliance and governance across the application lifecycle by applying out-of-the-box policies. Easily customize policies and enforce them via a Kubernetes admission controller.
Stop drift directly at the source
Avoid the use of ad-hoc commands (i.e. via `kubectl`) to perform changes on a cluster. Leverage out-of-the-box playbooks to remediate risk and policy violations with a simple Git Pull Request (PR).
Get involved
Find out more about OPA
Contribute
Jump over to the project GitHub repository to contribute to OPA.
Project website
Learn more at the project's website