A Docker-inspired workflow for OPA policies

Now available at openpolicyregistry.io!

A brief history

When we first started using OPA, we were impressed with how flexible it is as a general-purpose decision engine. We were familiar with using it for infrastructure scenarios (like k8s admission control), but thought we could extend its use to application and API authorization scenarios.

One thing we missed, though, is the ability to interact with policy bundles in the same way that we interact with Docker images.

Enter the Policy CLI

We modeled the policy CLI on docker - a familiar pattern to most developers. With the policy CLI, you can build, tag, push, and pull policy images just like you do with docker. Check it out on GitHub!

opcr.io

By representing policy images as OCIv2 containers, you can push and pull them into any OCIv2-compatible registry. But we thought it would be useful to have a container registry that would focus exclusively on policies as a container image type.

We built opcr.io as a container registry for round-tripping policy image containers.

Bringing together three CNCF ecosystems

We believe that as a "meta-project", OPCR brings together three existing CNCF ecosystems, and makes them "better together":

• OPA: today, OPA’s packaging format is a tarball. Using the OCI container format to package OPA policies allows developers to tag, version, add metadata, and sign layers of a policy, much like they can any OCI container.
• Sigstore/cosign: using cosign to sign and verify signatures for OPCR container layers brings this value to the OPA ecosystem.
• OCI: formalizing a media type for OPA containers creates another valuable use-case for the OCIv2 image format.

We'd love your feedback

We'd love to hear from you! Tweet / DM us at @openpolicyreg or find us in our Slack community!

Happy hacking!