&color=rgb(100%2C100%2C100)&link=https%3A%2F%2Fgithub.com%2Faserto-dev%2Ftopaz)
Goodbye Open Policy Registry, Hello Open Policy Containers!
Dec 30th, 2022
Omri Gazitt
Open Policy Agent |
Engineering
tl;dr: Open Policy Containers (OPCR) is now a CNCF Sandbox project, and it’s time to sunset the Open Policy Registry!
Context
A little over a year ago, we created the OPCR project to bridge the gap between Open Policy Agent and the Open Container Initiative. We wanted to be able to build OPA policies into immutable images, which can be tagged, versioned, and signed just like any OCI image.
OPCR consisted of three initiatives:
- policy, an open source CLI modeled after docker, that can build, tag, push, and pull policy images
- Open Policy Registry, a container registry which could function as the “reference implementation” of a policy registry
- Upstream work in the OPA project which allows OPA to consume policy images from any OCI-compliant registry (including the Open Policy Registry)
Progress
We’re excited to report that in December 2022, the CNCF has accepted OPCR, and specifically the policy CLI, as a Sandbox project! ✅
Back in May 2022, the OPA project accepted our contribution of (3), and now OPA can natively consume images built with the policy CLI! ✅ ✅
Finally, as more registries have added support for OCI v2 artifacts, including AWS ECR, Docker Hub, GitHub Container Registry, and Google Container Registry, we decided that maintaining a purpose-built registry for policy images is no longer necessary.
Therefore, we’re planning on retiring the Open Policy Registry (currently hosted at opcr.io) on January 31, 2023.
Migration plan
The opcr.io domain, as well as the github opcr-io organization, will transfer to the CNCF, and will host the Open Policy Containers project (now focused entirely on the policy CLI).
Moving from opcr.io to gcr.io, ghcr.io, or any other OCI v2-compliant container registry is straightforward - please reach out to us in the community slack if you need any help!
For example, to move your content from opcr.io to ghcr.io:
echo $PAT | policy login -s ghcr.io -u <username> -–password-stdin
policy pull opcr.io/<account>/<policy-name>:<tag>
policy tag opcr.io/<account>/<policy-name>:<tag> ghcr.io/<account>/<policy-name>:<tag>
policy push ghcr.io/<account>/<policy-name>:<tag>For Aserto users, we will continue to maintain the Aserto Policy Registry (registry.prod.aserto.com), and you can continue to use the policy CLI with that registry.
Conclusion
We're excited how far we've come over the last year in getting OPA to natively consume policies packaged as OCI images. If you have any feedback or requests, don't hesitate to open an issue!
Omri Gazitt
CEO, Aserto
Related Content
RBAC vs ABAC: pros, cons, and example policies
RBAC and ABAC are two popular models for securing access to resources. Both models have their merits and both have limitations. Learn all about role-based and attribute-based access control and see example policies in this post.
Jan 11th, 2023
ABAC vs. ReBAC: comparing fine-grained access control models
ABAC and ReBAC are two forms of fine-grained access controls. ABAC simplifies access management governance, but has a heavier initial lift. ReBAC is extremely flexible, allowing for resource-level authorization, but adds operational overhead as you scale.
Feb 1st, 2023
A secure software supply chain for OPA policies
OPA policies are important artifacts in the application lifecycle and need to be secured. You can do this by using the policy CLI from the OPCR project to build, tag, push, and pull OPA policies as OCI images, and the cosign CLI from the Sigstore project to sign and verify signatures over these images.
Feb 22nd, 2023