<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rego on Tarragon</title><link>https://tarrragon.github.io/blog/tags/rego/</link><description>Recent content in Rego on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/rego/index.xml" rel="self" type="application/rss+xml"/><item><title>Open Policy Agent (OPA)</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/opa/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/opa/</guid><description>&lt;p>Open Policy Agent (OPA) 是 CNCF graduated 的 &lt;em>general-purpose policy engine&lt;/em>、設計目的是把「誰能做什麼、什麼 config 才合法」從 application code 抽到外部 policy decision layer。它跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &amp;#43; Constraint 兩層、Rego policy &amp;#43; Audit &amp;#43; Mutation">Gatekeeper&lt;/a> 的差別是：後兩者鎖在 K8s admission controller 領域、OPA 是 &lt;em>跨 enforcement point&lt;/em> 的 unified policy framework — 同一份 policy 可以同時管 K8s admission、API authz、Terraform plan、SQL row-level filter。跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &amp;#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest&lt;/a> 的差別是：Conftest 是 OPA 的 &lt;em>CLI wrapper for static config&lt;/em>（在 CI 跑 Terraform / Dockerfile / K8s YAML 檢查）、OPA 本體是 &lt;em>runtime evaluation engine&lt;/em>（線上服務查詢決策）。&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>OPA 的核心抽象是 &lt;em>decoupled decision + enforcement&lt;/em> — OPA 只負責 &lt;em>decide&lt;/em>（&lt;code>input&lt;/code> 進來、&lt;code>allow&lt;/code> / &lt;code>deny&lt;/code> + decision metadata 出去）、application 負責 &lt;em>enforce&lt;/em>（拿到 decision 後實際 reject request / block deploy / mask data）。這個解耦讓同一份 policy 跨 K8s admission（透過 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &amp;#43; Constraint 兩層、Rego policy &amp;#43; Audit &amp;#43; Mutation">Gatekeeper&lt;/a> 或 kube-mgmt sidecar）、Envoy authz filter、API gateway、Terraform pre-plan、SQL row-level filter、Kafka topic ACL 都能重用。&lt;/p>
&lt;p>OPA 的查詢語言是 &lt;em>Rego&lt;/em>、Datalog-like declarative language、設計上適合表達「給定一組 fact，這個動作合法嗎」。Rego 跟一般 imperative programming（Python / Go / YAML rules）差距大、team 要投入 1-2 週才能寫出 production-grade policy；換回的是 &lt;em>表達力 + 跨情境一致性&lt;/em> — Kyverno 的 YAML policy 易上手、但跨 K8s 邊界後沒辦法用。&lt;/p></description><content:encoded><![CDATA[<p>Open Policy Agent (OPA) 是 CNCF graduated 的 <em>general-purpose policy engine</em>、設計目的是把「誰能做什麼、什麼 config 才合法」從 application code 抽到外部 policy decision layer。它跟 <a href="/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno</a> / <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 的差別是：後兩者鎖在 K8s admission controller 領域、OPA 是 <em>跨 enforcement point</em> 的 unified policy framework — 同一份 policy 可以同時管 K8s admission、API authz、Terraform plan、SQL row-level filter。跟 <a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a> 的差別是：Conftest 是 OPA 的 <em>CLI wrapper for static config</em>（在 CI 跑 Terraform / Dockerfile / K8s YAML 檢查）、OPA 本體是 <em>runtime evaluation engine</em>（線上服務查詢決策）。</p>
<h2 id="服務定位">服務定位</h2>
<p>OPA 的核心抽象是 <em>decoupled decision + enforcement</em> — OPA 只負責 <em>decide</em>（<code>input</code> 進來、<code>allow</code> / <code>deny</code> + decision metadata 出去）、application 負責 <em>enforce</em>（拿到 decision 後實際 reject request / block deploy / mask data）。這個解耦讓同一份 policy 跨 K8s admission（透過 <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 或 kube-mgmt sidecar）、Envoy authz filter、API gateway、Terraform pre-plan、SQL row-level filter、Kafka topic ACL 都能重用。</p>
<p>OPA 的查詢語言是 <em>Rego</em>、Datalog-like declarative language、設計上適合表達「給定一組 fact，這個動作合法嗎」。Rego 跟一般 imperative programming（Python / Go / YAML rules）差距大、team 要投入 1-2 週才能寫出 production-grade policy；換回的是 <em>表達力 + 跨情境一致性</em> — Kyverno 的 YAML policy 易上手、但跨 K8s 邊界後沒辦法用。</p>
<p>關鍵張力：<em>Rego 學習曲線</em> ↔ <em>unified policy 的長期價值</em>。只跑 K8s 的團隊用 Kyverno YAML 更直覺；只跑 CI policy 的用 Conftest 更輕；要在 K8s + API + Terraform + DB 跨層統一 policy、或要 audit-grade decision log、或預期 policy 會長期累積成資產的、才值得投資 OPA + Rego。</p>
<p>商業模型：核心 OPA 是 Apache 2.0 OSS、免費。Styra DAS（OPA 創辦人公司）是 enterprise SKU、提供 policy library + impact analysis + multi-cluster management + audit dashboard、適合大型團隊。OPAL（Permit.io 維護的 OSS）是 GitOps-style policy distribution layer、補 OSS OPA 缺的 bundle server。</p>
<h2 id="本章目標">本章目標</h2>
<p>讀完本頁、讀者能判斷：</p>
<ol>
<li>OPA 在 policy stack 中承擔哪一段（decision engine） vs enforcement point 各自的 ownership</li>
<li>Rego 投資門檻是否值得（K8s-only vs 跨 enforcement point）</li>
<li>Policy bundle / Decision log / Partial evaluation 三個 first-class concept 在 production 的設計形狀</li>
<li>何時用 OPA、何時走 <a href="/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno</a> / <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> / <a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a> 的取捨</li>
</ol>
<h2 id="最短判讀路徑">最短判讀路徑</h2>
<p>判斷 OPA deployment 是否健康、最少看四件事：</p>
<ul>
<li><strong>Policy ownership</strong>：誰能寫 / 改 Rego policy（platform team / security team / SRE）、policy 是否進 Git、change 是否經 PR review + staging tenant 跑 24-48hr 觀察</li>
<li><strong>Bundle distribution</strong>：policy 是否 build 成 bundle（tar.gz）、是否簽章、OPA agent 是否定期 pull、bundle server 在哪（自管 nginx / S3 / OPAL / Styra DAS）</li>
<li><strong>Decision log governance</strong>：每個 decision 是否進 audit log（input + output + policy version + timestamp）、log 是否進 SIEM（<a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / Elastic）、retention 多久</li>
<li><strong>Enforcement coverage</strong>：哪些 enforcement point 接 OPA（K8s admission / API / Envoy / Terraform）、policy 是否 share 還是各 point 各寫一份、跨 point 的一致性怎麼驗</li>
</ul>
<p>四件事任一缺失、就是 <a href="/blog/backend/07-security-data-protection/security-as-risk-routing-system/" data-link-title="7.15 資安作為風險路由系統" data-link-desc="建立資安作為風險路由系統的導讀大綱，串接問題節點、控制面與跨模組交接">Policy as Code Foundations</a> 的待補項目。</p>
<h2 id="日常操作與決策形狀">日常操作與決策形狀</h2>
<p><strong>Rego policy 形狀</strong>：Rego 是 Datalog-like declarative language、policy 寫成 <code>allow { ... }</code> rule、所有條件成立才 evaluate 為 true。實務 idiom：底層寫 <em>base policy</em>（如 <code>policies/k8s/required_labels.rego</code>）、上層寫 <em>policy library</em>（共用 helper 如 <code>policies/lib/registry.rego</code>）、application 端傳 <code>input</code>（K8s admission request / API request / Terraform plan JSON）查詢。Rego 鼓勵 <em>small composable rule</em>、不寫長 imperative function。</p>
<p><strong>Policy bundle</strong>：OPA 不從 Git 直接讀 policy、而是讀 <em>bundle</em>（tar.gz、含 <code>.rego</code> + data JSON、optional 簽章）。Bundle 從 <em>bundle server</em> pull（自管 nginx / S3 / OPAL / Styra DAS）、OPA agent 定期 polling（預設 60s）。Bundle 的核心價值是 <em>versioned + signed + atomically swap</em> — policy 更新不會 partial apply、簽章確保中間沒被改、版本 metadata 讓 decision log 可追到當時用哪版 policy。</p>
<p><strong>Decision log</strong>：每個 OPA query 都可開 decision logging、log entry 含 <code>input</code> + <code>result</code> + <code>policy_version</code> + <code>timestamp</code> + <code>decision_id</code>。意義是 <em>audit-grade reconstruction</em> — 事後可以重跑 <code>opa eval --bundle &lt;version&gt; --input &lt;log_input&gt;</code> 驗證當時 decision 是否正確。Decision log 進 SIEM 後可做 <em>over-permission analysis</em>（哪些 user 拿到 allow 但實際從不該被 allow）跟 <em>policy coverage check</em>（哪些 rule 從沒被觸發過、可能是 dead code）。</p>
<p><strong>Integration pattern</strong>：production OPA 主要四種 enforcement integration — <em>K8s admission</em>（走 <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 是 OPA 官方 K8s integration、或 kube-mgmt 把 OPA 當 sidecar 跑、admission webhook 把 request 送進 OPA decide）；<em>API authz</em>（application 在 request handler 開頭 query OPA、拿 allow/deny 後 enforce）；<em>Envoy / service mesh</em>（Envoy 的 ext_authz filter 接 OPA、L7 authz decision）；<em>Infrastructure as Code</em>（CI 跑 <a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a> 對 Terraform plan / K8s YAML 做 OPA 評估）。</p>
<p><strong>Partial evaluation</strong>：OPA 進階 feature、把一份 policy 對某個 <em>partial input</em>（如 <code>user=&quot;alice&quot;</code>）pre-evaluate、產出 <em>殘餘 query</em>（如 SQL <code>WHERE tenant_id IN (...)</code> 或 regex），下發給 enforcement point 直接用。意義是 <em>把 policy decision 推到 enforcement point 內部</em>、減少每次 query 都要過 OPA 的 latency；常用於 row-level data filter（policy 寫一次、partial eval 出 SQL WHERE clause、application 直接拼進 query）。</p>
<p><strong>OPAL（GitOps for OPA）</strong>：OSS、Permit.io 維護、解決「policy 從 Git push 到所有 OPA agent」的 distribution 問題。Git → OPAL Server → OPA Agent 的 push model、policy commit 到 main branch 後幾秒內所有 OPA 更新。對應 OSS-only 的 production setup；Styra DAS 提供同等功能 + 管理 UI。</p>
<p><strong>Styra DAS（商業 management）</strong>：Styra 是 OPA 創辦人公司、DAS 是 enterprise SKU。核心價值：<em>policy library</em>（pre-built policy for K8s / Terraform / Kafka）、<em>impact analysis</em>（policy 上 production 前 dry-run 看會 deny 多少現有 resource）、<em>multi-cluster policy distribution</em>、<em>audit dashboard</em>。OSS-only 自己拼 OPAL + decision log + SIEM 也能做、但團隊 &gt; 50 個 cluster / 多 BU 時 DAS 划算。</p>
<p><strong>Constraint Framework</strong>：<a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 在 OPA 之上加的 K8s-specific 抽象、用 <code>ConstraintTemplate</code>（Rego policy 模板）+ <code>Constraint</code>（K8s CRD instance、實際 enforce）。對純 K8s 場景比直接寫 Rego 更 K8s-native；但這個抽象只在 K8s 領域有意義、不會跨到 API / Terraform。</p>
<h2 id="核心取捨表">核心取捨表</h2>
<table>
  <thead>
      <tr>
          <th>取捨維度</th>
          <th>OPA</th>
          <th>Kyverno</th>
          <th>Gatekeeper</th>
          <th>Conftest</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>定位</td>
          <td>General-purpose policy engine</td>
          <td>K8s-native admission controller</td>
          <td>OPA 的 K8s admission integration（官方）</td>
          <td>OPA 的 CLI wrapper for static config</td>
      </tr>
      <tr>
          <td>語言</td>
          <td>Rego（Datalog-like declarative）</td>
          <td>YAML（K8s-native）</td>
          <td>Rego（透過 ConstraintTemplate）</td>
          <td>Rego</td>
      </tr>
      <tr>
          <td>Enforcement</td>
          <td>K8s / API / Envoy / Terraform / SQL / Kafka 跨層</td>
          <td>K8s admission only</td>
          <td>K8s admission only</td>
          <td>CI / pre-commit（不在 runtime）</td>
      </tr>
      <tr>
          <td>學習曲線</td>
          <td>陡 — Rego 1-2 週</td>
          <td>緩 — YAML 1-2 天</td>
          <td>中 — ConstraintTemplate 抽象 + Rego</td>
          <td>中 — Rego 1-2 週、但 scope 小</td>
      </tr>
      <tr>
          <td>部署模型</td>
          <td>OPA agent（sidecar / daemon / library embed）</td>
          <td>K8s controller + webhook</td>
          <td>K8s controller + webhook</td>
          <td>CLI（CI / 本地）</td>
      </tr>
      <tr>
          <td>Mutation</td>
          <td>透過 Gatekeeper Mutation 或 application enforce 補上</td>
          <td>原生 mutate webhook（強項）</td>
          <td>Mutation 是 v3.10+ beta、功能不及 Kyverno</td>
          <td>無（static check only）</td>
      </tr>
      <tr>
          <td>Bundle / 分發</td>
          <td>Bundle server + sign + OPA agent pull / OPAL push</td>
          <td>K8s CRD apply（kubectl）</td>
          <td>K8s CRD apply</td>
          <td>Git repo（CI 直接 clone）</td>
      </tr>
      <tr>
          <td>Decision log</td>
          <td>First-class、audit-grade</td>
          <td>K8s event + audit log</td>
          <td>K8s event + audit log</td>
          <td>CI build log</td>
      </tr>
      <tr>
          <td>商業 SKU</td>
          <td>Styra DAS（management + impact analysis）</td>
          <td>Nirmata Kyverno Enterprise</td>
          <td>無（純 OSS）</td>
          <td>無（純 OSS）</td>
      </tr>
      <tr>
          <td>適合場景</td>
          <td>跨 enforcement point + long-term policy investment</td>
          <td>K8s-only + 快速上手 + YAML-friendly team</td>
          <td>K8s-only + 已用 OPA / Rego、要 OPA 官方整合</td>
          <td>CI pre-deploy check + Terraform / K8s YAML / Dockerfile</td>
      </tr>
      <tr>
          <td>退場成本</td>
          <td>中 — Rego policy 可移到其他 OPA-compatible engine</td>
          <td>高 — YAML policy 僅 Kyverno 認</td>
          <td>中 — Rego 可重用、Constraint 抽象要重寫</td>
          <td>低 — CLI tool、policy 可移到 OPA runtime</td>
      </tr>
  </tbody>
</table>
<p>選 OPA 的核心訴求：<em>跨 enforcement point 的 unified policy</em> + <em>long-term policy 資產化</em> + <em>audit-grade decision log</em> + 團隊願意投資 Rego。純 K8s + 想快速上手用 <a href="/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno</a>；K8s + 已決定走 OPA 生態用 <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a>；只跑 CI 不跑 runtime 用 <a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a>。</p>
<h2 id="進階主題">進階主題</h2>
<p><strong>Rego idioms（policy library + base policy）</strong>：production Rego 走分層結構 — <code>lib/</code>（utility function、registry whitelist、CIDR check）、<code>base/</code>（concrete policy、引用 lib）、<code>tests/</code>（用 <code>opa test</code> 跑 unit test）。Policy 也是 code、走 PR review + CI test + staging tenant、不是 console 直改。</p>
<p><strong>Partial evaluation for SQL row-level filter</strong>：把 policy 寫成「user 能看哪些 row」、用 <code>opa eval --partial</code> 把 <code>user=&quot;alice&quot;</code> 部分 pre-evaluate、output 殘餘 query 變 SQL <code>WHERE tenant_id IN ('a', 'b', 'c')</code>、application 拼進 query。意義是 <em>policy 不在 query path latency 上</em>、policy 規則仍是 SSoT。對應 RLS（row-level security）的工程化作法。</p>
<p><strong>跟 <a href="/blog/backend/07-security-data-protection/vendors/spire/" data-link-title="SPIRE" data-link-desc="SPIFFE Runtime Environment、attested workload identity、short-lived SVID &#43; Trust Bundle、跨組織 federation">SPIRE</a> workload identity 整合 authz</strong>：service-to-service authz 場景、SPIRE 簽 SVID（SPIFFE ID + mTLS cert）證明 caller 身份、OPA 拿到 SPIFFE ID 後 decide「這個 service 能呼叫這個 API 嗎」。SPIRE 解 <em>who</em>、OPA 解 <em>can they do this</em>、職責清楚分離。</p>
<p><strong>跟 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> 整合 dynamic credential policy</strong>：Vault 簽 dynamic credential（DB password / cloud STS token）的 issue 決定可以走 OPA — Vault 收到 issue request、轉 OPA decide「這個 caller 在這個 context 能不能拿這個 scope 的 token」。對應 <a href="/blog/backend/07-security-data-protection/cases/failure-credential-rotation-without-scope/" data-link-title="7.C9 反例：憑證輪替未分 Scope" data-link-desc="憑證輪替若未分域分批，容易造成跨系統連鎖中斷。">Failure: Credential Rotation Without Scope</a> 的 lesson：scope 判斷不分散在應用層、集中到 policy engine。</p>
<p><strong>Decision log 進 SIEM</strong>：OPA decision log 設成 push 到 <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> HEC / Elastic / Datadog、進 SIEM 後可做三件事 — over-permission analysis（哪些 allow 從沒被合法理由觸發）、dead policy detection（哪些 rule 從沒被 evaluate）、anomalous decision pattern（某 service 突然大量 allow 不在 baseline）。</p>
<p><strong>跟 K8s admission 的兩條路</strong>：純 K8s admission 場景、走 <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a>（OPA 官方 K8s integration、有 Constraint Framework 抽象、社群活躍）比直接跑 OPA + kube-mgmt sidecar 更 production-ready。kube-mgmt 路線適合 already-running OPA 想加 K8s admission 而不引入 Gatekeeper 抽象。</p>
<h2 id="排錯與失敗快速判讀">排錯與失敗快速判讀</h2>
<ul>
<li><strong>Rego policy review 卡 SRE</strong>：policy 都得 SRE 寫、security team 看不懂 — 拆 <code>lib/</code> 給 SRE 維護、<code>base/</code> 給 security review、用 <code>opa test</code> unit test 保持迭代速度</li>
<li><strong>Bundle distribution 慢 / policy 不一致</strong>：自管 nginx bundle server 沒高可用、agent pull 失敗 fallback 用舊版 — 換 OPAL push model 或 S3 + CloudFront、bundle pull 失敗時 OPA <code>--set status.console=true</code> 直接 alert</li>
<li><strong>Decision log 沒進 SIEM</strong>：OPA 開了 decision log 但只進本地 file、沒人看 — 設 decision log plugin push 到 <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> HEC / Kafka、不是寫本地 disk</li>
<li><strong>Policy 改完 production 大量 deny</strong>：新 policy 沒在 staging dry-run、上 production 後合法 traffic 被擋 — Styra DAS 的 impact analysis 或自己跑 <code>opa eval --partial</code> 對歷史 decision log replay、看 deny 數量再 promote</li>
<li><strong>OPA latency 高 / API 卡</strong>：每個 request 都 round-trip OPA、policy 複雜 evaluation 慢 — embed OPA as library（Go SDK / WASM）跑 in-process、或用 partial evaluation 把 policy compile 進 SQL / regex</li>
<li><strong>Rego policy bug 線上才發現</strong>：沒 unit test、staging 沒 cover edge case — 強制 PR 要含 <code>opa test</code> case、staging 跑 shadow mode（log only 不 enforce）24hr 再切 enforce</li>
<li><strong>跨 cluster policy drift</strong>：多 cluster 各自 apply、版本不同步 — OPAL 或 Styra DAS multi-cluster sync、不靠 kubectl apply 人工同步</li>
</ul>
<h2 id="何時改走其他服務">何時改走其他服務</h2>
<table>
  <thead>
      <tr>
          <th>需求形狀</th>
          <th>改走</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>K8s admission only + YAML-friendly</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno</a></td>
      </tr>
      <tr>
          <td>K8s admission + 已選 OPA 生態</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a></td>
      </tr>
      <tr>
          <td>CI pre-deploy check（Terraform / K8s YAML / Dockerfile）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a></td>
      </tr>
      <tr>
          <td>Runtime container behavior（不是 admission）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/" data-link-title="資安與資料保護 Vendor 清單" data-link-desc="規劃身份、秘密、金鑰、入口防護、供應鏈與偵測工具的服務頁撰寫順序與教學大綱">Falco</a></td>
      </tr>
      <tr>
          <td>Image scan + vulnerability policy</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>（scan）+ OPA（gate）</td>
      </tr>
      <tr>
          <td>Workload identity / mTLS</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/spire/" data-link-title="SPIRE" data-link-desc="SPIFFE Runtime Environment、attested workload identity、short-lived SVID &#43; Trust Bundle、跨組織 federation">SPIRE</a> + OPA（identity → authz 分工）</td>
      </tr>
      <tr>
          <td>Cloud IAM policy（AWS / GCP / Azure 本體）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-cloud-iam/" data-link-title="Google Cloud IAM" data-link-desc="GCP cloud resource permission engine、Role Binding / Service Account / Workload Identity Federation、resource hierarchy 為核心的權限治理">Google Cloud IAM</a></td>
      </tr>
      <tr>
          <td>Decision log → SIEM</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">不在本頁內的主題</h2>
<ul>
<li>Rego 完整語法 reference（rule / function / built-in / <code>with</code> / <code>some</code>）</li>
<li>Gatekeeper Constraint Framework 的 ConstraintTemplate / Constraint CRD 設計細節（屬 Gatekeeper 頁）</li>
<li>Conftest CLI 用法跟 <code>conftest test</code> / <code>conftest verify</code> 流程（屬 Conftest 頁）</li>
<li>Kyverno YAML policy 語法跟 mutate / generate / verifyImages（屬 Kyverno 頁）</li>
<li>Styra DAS 商業 license / SKU 對照、Nirmata Enterprise 對照</li>
<li>WASM-compiled Rego policy 的 edge deployment 細節</li>
</ul>
<h2 id="案例回寫">案例回寫</h2>
<table>
  <thead>
      <tr>
          <th>案例</th>
          <th>跟 OPA 的關係（對照啟示）</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>OPA admission policy 在 K8s 擋住未簽章 image deploy、配合 cosign signature verify 補 supply chain 信任鏈、policy 集中不分散到各 deployment</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>OPA admission 配合 <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> scan result 擋住已知 vulnerable image deploy、policy 走「critical CVE = deny」</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/cases/failure-credential-rotation-without-scope/" data-link-title="7.C9 反例：憑證輪替未分 Scope" data-link-desc="憑證輪替若未分域分批，容易造成跨系統連鎖中斷。">Failure: Credential Rotation Without Scope</a></td>
          <td>OPA 控制 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> dynamic credential issuance policy、scope 判斷集中不分散到應用層各自 if-else</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性 (section)</a></td>
          <td>OPA 是 admission gate 的核心工具、跟 SLSA provenance / cosign signature 組合做 policy enforcement、不是看一兩個欄位放行</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/security-as-risk-routing-system/" data-link-title="7.15 資安作為風險路由系統" data-link-desc="建立資安作為風險路由系統的導讀大綱，串接問題節點、控制面與跨模組交接">Policy as Code Foundations (section)</a></td>
          <td>OPA 對應 policy-as-code 的 <em>decoupled decision + enforcement</em>、跨 enforcement point 共用 policy 是設計核心、不是「再寫一份 K8s policy」</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">下一步路由</h2>
<ul>
<li>上游：<a href="/blog/backend/07-security-data-protection/security-as-risk-routing-system/" data-link-title="7.15 資安作為風險路由系統" data-link-desc="建立資安作為風險路由系統的導讀大綱，串接問題節點、控制面與跨模組交接">7 章 policy-as-code foundations</a>、<a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性</a></li>
<li>平行（Policy-as-Code 批次）：<a href="/blog/backend/07-security-data-protection/vendors/conftest/" data-link-title="Conftest" data-link-desc="OPA CLI wrapper for static config policy check、Rego policy &#43; 多 parser（Terraform / K8s / Dockerfile / JSON）、CI-time gate">Conftest</a>（CI static check）、<a href="/blog/backend/07-security-data-protection/vendors/kyverno/" data-link-title="Kyverno" data-link-desc="K8s-native policy engine、YAML policy（非 Rego）、五類 rule（Validate / Mutate / Generate / Verify Images / Cleanup）、CNCF Incubating">Kyverno</a>（K8s YAML-native）、<a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a>（OPA K8s integration）</li>
<li>跨類：<a href="/blog/backend/07-security-data-protection/vendors/spire/" data-link-title="SPIRE" data-link-desc="SPIFFE Runtime Environment、attested workload identity、short-lived SVID &#43; Trust Bundle、跨組織 federation">SPIRE</a>（workload identity → OPA authz）、<a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a>（dynamic credential policy）、<a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>（scan → OPA gate）、<a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a>（decision log → SIEM）</li>
<li>跨模組：<a href="/blog/backend/06-reliability/" data-link-title="模組六：可靠性驗證流程" data-link-desc="用 SRE 領域詞彙建問題節點、以服務級案例庫累積驗證脈絡，先建概念與案例庫再進實作交接">6 reliability</a>（CI pre-deploy gate 接 Conftest）、<a href="/blog/backend/08-incident-response/" data-link-title="模組八：事故處理與復盤" data-link-desc="用 IR 領域詞彙建問題節點、以服務級案例庫累積事故脈絡，先建概念與案例庫再進實作交接">8 incident response</a>（policy violation alert → IR routing）</li>
<li>官方：<a href="https://www.openpolicyagent.org/">Open Policy Agent</a>、<a href="https://www.openpolicyagent.org/docs/latest/policy-language/">Rego Policy Language</a>、<a href="https://www.styra.com/">Styra DAS</a>、<a href="https://github.com/permitio/opal">OPAL</a></li>
</ul>
]]></content:encoded></item></channel></rss>