In the world of policy enforcement and management, the Open Policy Agent (OPA) has emerged as a pivotal tool to help organizations implement a consistent policy enforcement layer across various components in their stacks. And, underpinning the workings of OPA is a powerful, high-level declarative language known as REGO.
Here, we'll give you a beginner-friendly introduction to REGO where we'll provide an understanding of its foundational concepts and show how it can be effectively employed to define and enforce policies.
REGO is the policy language used by the Open Policy Agent (OPA) for policy definition. It's a high-level declarative language, meaning you describe your desired state or outcome, and REGO figures out the steps to achieve it. This abstraction removes the necessity for users to specify how to reach a goal, focusing instead on what the goal is.
A REGO policy file is typically composed of three main components:
At its core, a REGO policy defines a desired state or behavior. When you query OPA with some input, the REGO policy evaluates that input and returns a decision.
Consider a simple policy that dictates, "all Kubernetes deployments should run with a non-root user". The input to this policy might be the configuration data of a proposed deployment. The REGO policy evaluates this data against its rules, and returns a decision: either the deployment is compliant (it uses a non-root user), or it's non-compliant (it uses a root user).
Below, we'll break down exactly how REGO works step-by-step:
Rego policies are composed of:
In the above example:
Rego can make decisions based on the input data you pass to it. The data is usually JSON, and Rego can evaluate this data against the policies you define.
Passing the following input would trigger the second rule:
Rego includes numerous built-in functions for operations such as string manipulation, arithmetic, aggregation, and more. This adds to the expressiveness and power of the language.
Rego allows for the declaration of variables within rules. This can be helpful for creating more readable and modular policies.
OPA evaluates Rego policies to make decisions. This usually involves checking if certain conditions are met (expressed in the body of rules), and returning corresponding values or actions defined in the head of the rule.
Rego policies can be composed by importing rules from different namespaces. This allows for reusability and modularization of policy logic.
Rego is designed with safety in mind. A policy query will never have undefined behavior, and policies will always produce complete and defined results.
Rego's high-level, declarative nature allows for the concise expression of complex logic in policies. Its ability to handle JSON input, use built-in functions, and compose policies makes it a powerful tool in the Open Policy Agent for policy definition and enforcement across various systems and applications.
Monokle helps you achieve high-quality Kubernetes configurations throughout the entire application lifecycle – from code to cluster. It defines Kubernetes configuration policies for your teams to ensure consistent, secure and compliant application deployments every time. In addition to policy enforcement, Monokle’s ecosystem of tools make your teams daily YAML configuration workflows easier. Get started with Monokle for free.