Designed as an open source general-purpose policy engine, the Open Policy Agent (OPA) is used to program, provision, enforce and monitor context-related policies. The team behind the open source project managed by the Cloud Native Computing Foundation (CNCF) has now presented OPA 0.30.0 – immediately followed by the bug fix release 0.30.1, which contains an error in the behavior of
The new version of the policy engine primarily brings security improvements, for example to the Transport Layer Security (TLS) configuration and to the use of certificates from a CA in conjunction with the REST plug-in.
Updated TLS configuration and CA certificates
Since TLS versions 1.0 and 1.1 are officially classified as outdated and have largely been abandoned for security reasons, the TLS configuration of OPA 0.30 sets TLS 1.2 as the minimum version by default. If necessary, the OPA server can still be run with the old TLS versions or, preferably, be set to the latest 1.3 standard.
Another security improvement concerns the REST plug-in. OPA users can now integrate certificates from a Certificate Authority (CA) for remote services that implement one of the management APIs (bundles, status, decision logs or discovery).
In addition, Open Policy Agent can now also listen on abstract Unix domain sockets. Since abstract sockets do not create any nodes in the file system and their name disappears automatically as soon as the socket is closed, unlinking is no longer necessary.
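The difference described above can be reproduced on Linux with a short Python script. This is an added example, not code from OPA; the function names and socket names are hypothetical. It also checks the peer's UID with `SO_PEERCRED`, because an abstract name has no file mode to restrict who may connect.

```python
import os
import socket
import struct
import tempfile

def path_socket_leaves_node():
    """Filesystem socket: the node survives close() and blocks a rebind."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")  # constructed sample path
    first = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    first.bind(path)
    first.close()
    node_left = os.path.exists(path)
    second = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        second.bind(path)
        rebind_ok = True
    except OSError:  # EADDRINUSE until the stale node is unlinked
        rebind_ok = False
    second.close()
    os.unlink(path)  # the manual cleanup a path-based socket needs
    os.rmdir(tmpdir)
    return node_left, rebind_ok

def abstract_socket_roundtrip(name):
    """Abstract socket: name freed on close; returns True if peer UID is ours."""
    addr = b"\0" + name.encode()  # leading NUL byte selects the abstract namespace
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(addr)
    server.listen(1)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(addr)
    conn, _ = server.accept()
    # No file permissions protect an abstract name, so check the peer instead.
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    peer_allowed = uid == os.getuid()
    for sock in (conn, client, server):
        sock.close()
    again = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    again.bind(addr)  # succeeds with no unlink step; raises OSError otherwise
    again.close()
    return peer_allowed

if __name__ == "__main__":
    print(path_socket_leaves_node())
    print(abstract_socket_roundtrip("demo-%d" % os.getpid()))
```

Any process in the same network namespace can connect to an abstract socket, so a peer credential check or namespace isolation has to take over the role that directory and file permissions play for path-based sockets.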
Fewer downloads at the edge
A change to the handling of the cached ETag should in particular make bundle downloads in edge applications run more smoothly. Until now, the ETag was always reset completely after a download or activation error. To avoid triggering unnecessary bundle downloads, the ETag will in future only be reset to the state of the last successful activation.
The other new features in OPA 0.30 include some bug fixes and improvements in Rego, the project-specific declarative language that Open Policy Agent uses to describe policies as code. A complete overview of all changes can be found in the release notes on GitHub. If you want to explore in detail the Styra project, which has had the CNCF graduate status since the beginning of the year, you should take a look at the OPA website.