kntrl integrates Open Policy Agent

Cenk Kalpakoğlu, 09 May 2024
Tags: Supply Chain Security, DevSecOps, kntrl

Addressing the security intricacies of sophisticated automation frameworks, in our case the Continuous Integration/Continuous Deployment (CI/CD) environments, is always challenging.

The inherent complexity of such environments, characterized by the multitude of components that are each performing distinct tasks, necessitates a dynamic and adaptable rule engine to ensure the security of our pipelines.

In an effort to bolster the security of the supply chain within CI/CD pipelines, our exploration led us to seek out an adaptable, robust, and proven rule engine. As we are big believers in open-source, we naturally looked for an open-source solution first. We are happy to announce that we found one that will power kntrl going forward: The Apache 2.0 licensed Open Policy Agent (OPA).

The decision to go with OPA and its Software Development Kits (SDKs) is a strategic one. It has significantly streamlined our process and allowed us to build on an established, effective solution to achieve high reliability and operational efficiency. Using OPA as the policy engine lets our platform focus on crafting and enforcing policies rather than entangling ourselves in the complexities of coding bespoke rule logic.

Leveraging OPA, which is rigorously tested and supported by an expansive community, considerably reduces the potential risks involved in developing a custom-built solution from scratch. It presents us, a small team right now, with the invaluable advantage of concentrating on the development and integration of innovative features and sensors for our supply chain security framework.

A powerful rule engine

The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level project in April 2019 and it successfully graduated from that status in 2021. OPA is a flexible, open-source policy enforcement engine. It enables organizations to define and enforce policies across various complex software systems and services consistently. It provides a unified framework for policy decision-making, allowing developers to embed policies directly into their applications (“policy-as-code”).

In the development of kntrl, having the ability to embed native SDKs worked out great for us. Instead of developing policies for each event or probe, we were able to put more focus on the development work of our detection engine.

Rego is the declarative query language of the Open Policy Agent (OPA) framework. The built-in functions available in Rego (for example for networking, strings and sets) considerably speed up writing policies.

In our first example we use is_local_ip_addr.rego to check whether the destination address of a given event falls within the local (private) IP ranges:

[Screenshot: a code editor showing a kntrl policy written in OPA Rego that only permits local-network destinations]

With the power of the Rego language, we can write declarative queries to support complex logic in our policies.

This is particularly useful in the policy-as-code approach, so platform engineers can write custom enforcement rules to ensure that certain tasks can only reach desired outbound locations.

In a second example we allow wget only for destination addresses that are either “artifact.foo.com” or “artifact.bar.com”:

[Screenshot: a simple kntrl policy in OPA Rego that filters network traffic by destination domain]

These two simple examples show how easy it is to write queries and policies with Rego and kntrl.
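Since the two screenshots are not reproduced here, the following is an added Rego policy that combines both examples (the local-IP-range check and the wget destination allowlist); it is written for this post and is not kntrl's own code. The package name and the input field names (`input.event.process`, `input.event.dst_ip`, `input.event.dst_domain`) are assumptions, as kntrl's real event schema is not shown above.

```rego
package kntrl.policy

import future.keywords.if
import future.keywords.in

# Assumed input shape (constructed for this example, not kntrl's real schema):
# {"event": {"process": "wget", "dst_ip": "10.0.0.5", "dst_domain": "artifact.foo.com"}}

# RFC 1918 private ranges plus loopback; net.cidr_contains is an OPA built-in.
local_ranges := {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"}

# Example 1: true when the event's destination IP is inside any local range.
is_local_ip_addr if {
    some cidr in local_ranges
    net.cidr_contains(cidr, input.event.dst_ip)
}

# Example 2: wget may only reach these artifact hosts.
allowed_wget_hosts := {"artifact.foo.com", "artifact.bar.com"}

# Default-deny: an event is blocked unless one allow rule matches.
default allow := false

# Any process may talk to the local network.
allow if is_local_ip_addr

# wget may additionally reach the allowlisted artifact hosts.
allow if {
    input.event.process == "wget"
    input.event.dst_domain in allowed_wget_hosts
}

# Human-readable reasons, useful when surfacing a block decision in CI logs.
deny_reason contains msg if {
    not allow
    input.event.process == "wget"
    msg := sprintf("wget to %q is not an approved artifact host", [input.event.dst_domain])
}

deny_reason contains msg if {
    not allow
    input.event.process != "wget"
    msg := sprintf("%s may only reach local addresses, got %s", [input.event.process, input.event.dst_ip])
}
```

Evaluate locally with `opa eval -i input.json -d policy.rego "data.kntrl.policy.allow"`; with the sample input above it returns `true`, and swapping `dst_domain` for an unlisted host returns `false` with a matching `deny_reason`.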


What’s next

Our journey with kntrl begins at the network layer. Here we plan to augment the platform's capabilities by capturing DNS queries and scanning HTTP/HTTPS traffic.

Regarding the integration with OPA and Rego: as we continue to add new sensors to kntrl, the ability to customize policies will naturally make the integration more powerful over time. We are designing our roadmap not just with the expansion of the kntrl platform's capabilities in mind, but also to strengthen the collective security posture of the CI/CD ecosystem.

Suggestions, contributions and questions are always welcome. Join the kntrl Slack channel and feel free to check out the codebase.
