Getting Started with Kong Mesh and Open Policy Agent

What is Open Policy Agent?
Our Service Mesh Environment
I'm running Kong Mesh in an Amazon Elastic Kubernetes Service (EKS) environment for this walk-through, as a single-zone deployment (everything in the same cluster). The application we're working with is one I threw together for various learning scenarios. It's a 4-tier application with a Frontend, an API tier, a Redis database, and a PostgreSQL database.
Getting Started with OPA Policies
Using OPA's Envoy filters, we can start to apply policies to the interactions between our Frontend service and the API tier at a more context-sensitive level. We can look at the content of the actual request and make decisions based on that content. Let's create a simple policy and dissect it.
- We're creating a policy named "opa-1" using Kong Mesh's new OPAPolicy CRD, which lets us store these policies alongside our application code.
- We've applied this policy to all services in the environment. We could narrow the selector so that it applies only to our frontend if needed.
- We're adding a configuration for the agent that writes the decision log to the pod's console.
- We're adding an import for input.attributes.request.http, which lets the policy refer directly to the details of the HTTP request.
- We're adding the policy inline. It could instead be stored as a secret, which matters because many policies contain sensitive values (secrets used for JWTs, for example) that you would want to protect.
- We're writing an "allow" rule for the traffic, based on an "action_allowed" rule that returns true if the incoming request is a "GET".

Enhancing the OPA Policy with JWT Support
The application I'm using supports issuing a JSON Web Token (JWT) to help with authorization across the application. In order to receive a valid JWT we need to issue a POST request to the loginEndpoint API. Once we've enabled the ability to POST, we'll also want to configure OPA to decode the issued JWT so it can provide the authorization details for the request. We'll inspect the decoded JWT to determine whether the user who submitted the login is authorized to make a POST request. Let's update our OPA policy to support this. We'll update our OPA policy to be the following:
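Putting the bulleted breakdown above and this JWT step together, here is one way the complete OPAPolicy could look. This is an example I added, not the policy from the original walk-through; the CRD field names follow the Kong Mesh docs as I recall them, and the login path (/api/login), the HS256 shared secret, and the "role" claim are all assumptions you would replace with your own values.

```yaml
apiVersion: kuma.io/v1alpha1
kind: OPAPolicy
mesh: default
metadata:
  name: opa-1
spec:
  selectors:
    - match:
        kuma.io/service: '*'   # every service; narrow to the frontend if preferred
  conf:
    agentConfig:
      inlineString: |
        decision_logs:
          console: true        # write each decision to the sidecar's console
    policies:
      - inlineString: |
          package envoy.authz
          import input.attributes.request.http as http_request
          default allow = false

          # Reads stay open to everyone, as in the first policy.
          allow {
              http_request.method == "GET"
          }

          # The login endpoint must accept POSTs from callers that have no token yet (path is an assumption).
          allow {
              http_request.method == "POST"
              http_request.path == "/api/login"
          }

          # Any other POST needs a JWT that verifies and carries an allowed role.
          allow {
              http_request.method == "POST"
              claims.role == "admin"       # claim name and value are assumptions
          }

          # Bearer token from the Authorization header (Envoy lowercases header names).
          bearer_token := t {
              auth := http_request.headers.authorization
              startswith(auth, "Bearer ")
              t := substring(auth, count("Bearer "), -1)
          }

          # Verify the HS256 signature and exp/nbf claims, then expose the payload.
          claims := payload {
              [valid, _, payload] := io.jwt.decode_verify(bearer_token, {"secret": "REPLACE-WITH-SIGNING-SECRET", "alg": "HS256"})
              valid
          }
```

As the earlier section notes, a real deployment would reference the signing secret from a Kong Mesh secret rather than embedding it in inlineString. After applying the policy, the decision log on the sidecar should show GETs and login POSTs allowed, POSTs with a valid token allowed, and bare POSTs denied.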
