A brief history
When we first started using OPA, we were impressed with how flexible it is as a general-purpose decision engine. We were familiar with using it for infrastructure scenarios (like k8s admission control), but thought we could extend its use to application and API authorization scenarios.
One thing we missed, though, is the ability to interact with policy bundles in the same way that we interact with docker images.
Enter the policy CLI
We modeled the
policy CLI on
docker - a familiar pattern to most developers. With the
CLI, you can build, tag, push, and pull policy images just like you do with
Open Policy Registry
By representing policy images as OCIv2 containers, you can push and pull them into any OCIv2-compatible registry.
And indeed, you can use any OCI-compliant container registry with the
policy CLI - GitHub Container Registry, Google Container Registry, Docker Hub, AWS ECR, etc.
In addition we thought it would be useful to have a container registry that would focus exclusively on policies as a container image type.
We built Open Policy Registry as a container registry for round-tripping policy image containers.
Bringing together three CNCF ecosystems
We believe that as a "meta-project", OPCR brings together three existing CNCF ecosystems, and makes them "better together":
- OPA: Today, OPA’s packaging format is a tarball. Using the OCI container format to package OPA policies allows developers to tag, version, add metadata, and sign layers of a policy, much like they can any OCI container.
- Sigstore/cosign: Using cosign to sign and verify signatures for OPCR container layers brings this value to the OPA ecosystem.
- OCI: formalizing a media type for OPA containers creates another valuable use-case for the OCIv2 image format.
We'd love your feedback
We'd love to hear from you! Tweet / DM us at @openpolicyreg or find us in our Slack!