Justin Cormack at QCon San Francisco 2022


To QC in San Francisco 2022, Justin Cormacthe CTO of Docker, presented on Programming your policies. The conference is part of one of the editorial tracks called “Infra languages: beyond YAML.”

Cormack began his presentation by explaining what a policy is. For example, who can run this program or make this API call? Or a more complex case, who can perform this database query and display the result? Who can be a person or another computer program? It’s all about access control at the end.

After completing a landmark article on access control and security, Cormack concluded that access control issues are still relevant, looking at the top 10 Web Application Security Risks.

He continued with policies written in imperative code that were difficult to maintain in his experience. Policies have moved more towards declarative code frameworks. With logic programming from a set of facts, conclusions can be drawn. An example is Data Log, a declarative logic programming language derived from the formalization of database logic, roughly SQL plus recursion. It helps in creating policy queries.

Then Cormack discussed Open Policy Agent based on extended Datalog with json support; a CNCF graduate project. It is one of the most commonly used projects for policy management in the cloud-native world. He demonstrated how it works using the Rego Playground. And after the demo, he explained why Open Policy Agent is so favored by sharing a tweet from Kelsey High Tower:

Due to the ease of integration into existing applications.

It can be integrated into an ecosystem. Json and YAML use the same data model to make policy decisions. It also comes with a range of integrations from Kubernetes to SSH.

Source: https://www.openpolicyagent.org/

Another thing, it allows to share policies that have been created. And it helps if the data model is standardized. Cormack thinks this will take off first in the Kubernetes world, where there is a standard configuration pattern (easy-to-write rules about it).

Cormack continued with the grand vision for the future.

Software will eat compliance. One day, every organizational policy will be expressed as a declarative code and checked against commitments on an ongoing basis.

To get there, Cormack points out that we need to work on observability, because making policies work without knowing the context is a challenge. In addition, work needs to be done on standardization and reusability. And tests:

One way to think of security controls is to think of them as tests, which is a fruitful way to approach them.

Once policies are available as code in a reusable and portable form, they can be tested and run anywhere. Plus, the policies are easy to review and update individually. And Cormack explained that you can also reverse the direction of testing where you promote (policy-responsive) code, for example, to the next stage of a pipeline instead of blocking things.

Cormack ended up pointing the finger at frameworks other than Open Policy Agent, such as the Google Zanzibar project, which inspired several recent systems, including OpenFGAfrom Auth0 who recently joined the CNCF, and Ory Keto. In addition, there is another CNCF project Kyverno for Kubernetes policies.

He ended the presentation by emphasizing that:

We take YAML and go beyond just seeing YAML as something we have in return for what we can do with all that YAML. So how to generate all this YAML with configuration documents and still process them through these pretty powerful declarative policy systems is an exciting decision.


Comments are closed.