在 Skipper Ingress 中使用 Open Policy Agent
At Zalando, we continuously strive to enhance our platform capabilities to provide robust, scalable, and developer-friendly solutions. One such initiative is the integration of Open Policy Agent (OPA) into Skipper, our open-source ingress controller and reverse proxy, to deliver Authorization as a Service. This integration not only allows externalising authorization policies but also aligns with our goals of solving security concerns on the infrastructure with efficiency and developer experience in mind. It simplifies developer experience by embedding OPA as a library within Skipper and allows multiple virtual OPA instances to coexist within a single Skipper process. Enabling OPA for a specific application is as easy as just stating “application X should be protected” without touching multiple YAML files, adding monitoring, and inheriting many more responsibilities to be compliant.
在 Zalando,我们不断努力提升平台能力,以提供强大、可扩展且对开发者友好的解决方案。一个这样的举措是将Open Policy Agent (OPA) 集成到我们的开源入口控制器和反向代理Skipper中,以提供授权即服务。这一集成不仅允许外部化授权策略,还符合我们在基础设施上高效解决安全问题并考虑开发者体验的目标。通过将 OPA 作为库嵌入 Skipper,并允许多个虚拟 OPA 实例在单个 Skipper 进程中共存,它简化了开发者体验。为特定应用启用 OPA 只需声明“应用 X 应该受到保护”,而无需修改多个 YAML 文件、添加监控以及承担更多合规责任。
Goals
目标
Our primary goals for integrating OPA into Skipper include:
我们将OPA集成到Skipper中的主要目标包括:
- Externalised Authorization: Embedding OPA into Skipper provides a powerful and flexible policy engine as a platform feature. This enables our engineering teams to leverage externalised authorization policies without additional overhead.
- 外部化授权:将 OPA 嵌入 Skipper 提供了一个强大且灵活的策略引擎作为平台功能。这使我们的工程团队能够利用外部化的授权策略而无需额外的开销。
- Clear Responsibility Split: The integration allows a clear delineation of responsibilities: platform teams manage the core authorization infrastructure while application teams focus on application-specific policies, ensuring efficiency and security.
- 明确的责任划分:集成允许明确划分责任:平台团队管理核心授权基础设施,而应用团队专注于特定应用的策略,确保效率和安全性。
- Scalability: The implementation is designed to handle millions of policy decisions per second, scaling with the demands of our extensive applica...