github.com/rajeev159/opa@v0.45.0/ADOPTERS.md

# Adopters

<!-- Hello! If you are using OPA and contributing to this file, thank you! -->
<!-- Please keep lines shorter than 80 characters (or so.) Links can go long. -->

This is a list of organizations that have spoken publicly about their adoption or
production users that have added themselves (in alphabetical order):

* [Appsflyer](https://www.appsflyer.com/) uses OPA to make consistent
  authorization decisions for hundreds of microservices covering UI and API data
  access. All authorization decisions are delegated to OPA, which is deployed as a
  central service. The decisions are driven by flexible policy rules that take
  into consideration data privacy regulations and policies, data consents and
  application-level access permissions. For more information, see the [Appsflyer
  Engineering Blog post](https://medium.com/appsflyer/authorization-solution-for-microservices-architecture-a2ac0c3c510b).

* [Atlassian](https://www.atlassian.com/) uses OPA in a heterogeneous cloud
  environment for microservice API authorization. OPA is deployed per-host and
  inside of their Slauth (AAA) system. Policies are tagged and categorized
  (e.g., platform, service, etc.) and distributed via S3. Custom log infrastructure
  consumes decision logs. For more information see this talk from [OPA Summit 2019](https://www.youtube.com/watch?v=nvRTO8xjmrg).

* [Bisnode](https://www.bisnode.com) uses OPA for a wide range of use cases,
  including microservice authorization, fine-grained Kubernetes authorization,
  validating and mutating admission control and CI/CD pipeline testing. Bisnode
  has built and maintains several OPA-related tools and libraries, primarily to
  help integrate OPA in the Java/JVM ecosystem, [see `github.com/Bisnode`](https://github.com/Bisnode).

* [bol.com](https://www.bol.com/) uses OPA for a mix of
  validating and mutating admission control use cases in their
  Kubernetes clusters. Use cases include patching image pull secrets,
  load balancer properties, and tolerations based on contextual
  information stored on namespaces. OPA is deployed on multiple
  clusters with ~100 nodes and ~300 namespaces total.

* [BNY Mellon](https://www.bnymellon.com/) uses OPA as a sidecar to enforce access
  control over applications based on external context coming from AD and other
  internal services. For more information see this talk from [QCon 2019](https://www.infoq.com/presentations/opa-spring-boot-hocon/).

* [Capital One](https://www.capitalone.com/) uses OPA to enforce a variety of
  admission control policies across their Kubernetes clusters including image
  registry allowlisting, label requirements, resource requirements, container
  privileges, etc. For more information see this talk from [KubeCon US 2018](https://www.youtube.com/watch?v=CDDsjMOtJ-c&t=6m35s)
  and this talk from [OPA Summit 2019](https://www.youtube.com/watch?v=vkvWZuqSk5M).

* [Chef](https://www.chef.io/) integrates OPA to implement IAM-style
  access control and enumerate user->resource permissions in Chef
  Automate V2. The integration utilizes OPA's Partial Evaluation
  feature to reduce evaluation time (in exchange for higher update
  latency). A high-level description can be found [in this blog
  post](https://blog.chef.io/2019/01/24/introducing-the-chef-automate-identity-access-management-version-two-iam-v2-beta/),
  and the code is Open Source, [see
  `github.com/chef/automate`](https://github.com/chef/automate/tree/master/components/authz-service).

* [cluetec.de](https://cluetec.de) primarily uses OPA to enforce fine-grained authorization
  and data-filtering policies in its Spring-based microservices and multi-tenant SaaS. Policies
  are mapped to tenant-specific domains and used to enrich the database queries without any code
  modifications. OPA is also used to enforce admission control policies and RBAC in multi-tenant
  Kubernetes clusters.

* [Cloudflare](https://www.cloudflare.com/) uses OPA as a validating
  admission controller to prevent conflicting Ingresses in their
  Kubernetes clusters that host a mix of production and test
  workloads.

* [ControlPlane](https://control-plane.io) uses OPA to enforce enterprise-friendly
  policy for safe adoption of Kubernetes, Istio, and cloud services. OPA policies
  are validated and tested individually and en masse with unit tests and conftest.
  This enables developers to validate local changes against production policies,
  minimise engineering feedback loops, and reduce CI cycle time. Policies are
  tested as "SDLC guardrails", then re-validated at deployment time by a range of
  OPA-based admission controllers, covering single-tenant environments and hard
  multi-tenancy configurations.

* [Fugue](https://fugue.co) is a cloud security SaaS that uses OPA to
  classify compliance violations and security risks in AWS and Azure
  accounts and generate compliance reports and notifications.

* [Goldman Sachs](https://www.goldmansachs.com/) uses OPA to enforce admission control
  policies in their multi-tenant Kubernetes clusters as well as for _provisioning_
  RBAC, PV, and Quota resources that are central to the security and operation of
  these clusters. For more information see this talk from [KubeCon US 2019](https://www.youtube.com/watch?v=lYHr_UaHsYQ).

* [Infracost](https://www.infracost.io/) shows cloud cost estimates for Terraform.
  It uses OPA to enable users to create cost policies, and set up guardrails such
  as "this change puts the monthly costs above $10K, which is the budget for this
  product. Consider asking the team lead to review it".
  See [the docs](https://www.infracost.io/docs/features/cost_policies/) for details.

* [Intuit](https://www.intuit.com/company/) uses OPA as a validating
  and mutating admission controller to implement various security,
  multi-tenancy, and risk management policies across approximately 50
  clusters and 1,000 namespaces. For more information on how Intuit
  uses OPA see [this talk from KubeCon Seattle 2018](https://youtu.be/CDDsjMOtJ-c?t=980).

* [Jetstack](https://www.jetstack.io) uses OPA on customer projects to validate
  that resources deployed to Kubernetes environments conform to
  organization rules. This has involved both validating and mutating resources
  as well as the following related projects: conftest, konstraint, and
  Gatekeeper. Jetstack also uses OPA via the Golang API in _Jetstack Secure_ to
  automate the checking of resources against its best practice recommendations.

* [Medallia](https://www.medallia.com/) uses OPA to audit AWS
  resources for compliance violations. The policies search across
  state from Terraform and AWS APIs to identify security violations
  and identify high-risk configurations. The policies ingest 1,000s of
  AWS resources to generate the final report.

* [Mercari](https://www.mercari.com/) uses OPA to enforce admission control
  policies in their multi-tenant Kubernetes clusters. It helps maintain
  the governance of the cluster, checking at admission time that developers
  are following best practices. They also use [conftest](https://github.com/open-policy-agent/conftest) to
  enforce policies in their CI/CD pipeline.

* [Netflix](https://www.netflix.com) uses OPA as a method of enforcing
  access control in microservices across a variety of languages and
  frameworks for thousands of instances in their cloud
  infrastructure. Netflix takes advantage of OPA's ability to bring in
  contextual information and data from remote resources in order to
  evaluate policies in a flexible and consistent manner. For a
  description of how Netflix has architected access control with OPA
  check out [this talk from KubeCon Austin 2017](https://www.youtube.com/watch?v=R6tUNpRpdnY).

* [Pinterest](https://www.pinterest.com/) uses OPA to solve multiple policy-related use cases
  including access control in Kafka, Envoy, and Jenkins! At peak, their Kafka-OPA
  integration handles ~400K QPS without caching. With caching the system
  handles ~8.5M QPS. For more information see this talk from [OPA Summit 2019](https://www.youtube.com/watch?v=LhgxFICWsA8).

* [Plex Systems](https://www.plex.com) uses OPA to enforce policy throughout
  their entire release process; from local development to continuous production
  audits. The CI/CD pipelines at Plex leverage [conftest](https://github.com/instrumenta/conftest),
  a policy enforcement tool that relies on OPA, to automatically reject changes that do not adhere
  to defined policies. Plex also uses
  [Gatekeeper](https://github.com/open-policy-agent/gatekeeper), a Kubernetes policy controller, as
  a means to enforce policies within their Kubernetes clusters. The general-purpose nature of OPA
  has enabled Plex to have a consistent means of policy enforcement,
  no matter the environment.

* [Splash](https://splashthat.com) uses OPA to handle fine-grained authorization
  across its entire platform, implemented as both a sidecar in Kubernetes and a separate
  container on bare instances. Policies and datasets are recompiled and updated based
  on changes to users' roles and permissions.

* [SAP/InfraBox](https://github.com/SAP/Infrabox) integrates OPA to
  implement authorization over HTTP API resources. OPA policies
  evaluate user and permission data replicated from Postgres to make
  access control decisions over projects, collaborators, jobs,
  etc. SAP/Infrabox is used in production within SAP and has several
  external users.

* [Terminus Software](https://terminus.com/) uses OPA for microservice authorization.

* [T-Mobile](https://www.t-mobile.com) uses OPA as a core component for their
  [MagTape](https://github.com/tmobile/magtape/) project that enforces best
  practices and secure configurations across their fleet of Kubernetes
  clusters (more info in [this blog post](https://opensource.t-mobile.com/blog/posts/rolling-out-the-magenta-tape/)).
  T-Mobile also leverages OPA to enforce authorization workflows within their
  Corporate Delivery Platform (CI/CD).

* [Tremolo Security](https://www.tremolosecurity.com/) uses OPA at a
  London-based financial services company to inject annotations and
  volume mount parameters into Kubernetes Pods so that workloads can
  connect to off-cluster CIFS drives and SQL Server
  instances. Policies are based on external context sourced from
  OpenUnison. The ability to validate policies offline is a huge win
  because the clusters are air-gapped. For more information on how
  Tremolo Security uses OPA see [this blog post](https://www.tremolosecurity.com/beyond-rbac-in-openshift-open-policy-agent/).

* [Tripadvisor](http://tripadvisor.com/) uses OPA to enforce
  admission control policies in Kubernetes. In the process of rolling out OPA,
  they created an integration testing framework that verifies clusters are accepting
  and rejecting the right objects when OPA is deployed. For more information see
  this talk from [OPA Summit 2019](https://www.youtube.com/watch?v=X09c1eXvCFM).

* [Very Good Security (VGS)](https://www.vgs.io/) integrates OPA to
  implement a fine-grained permission system and enumerate
  user->resource permissions in their product. The backend is
  architected as a collection of (polyglot) microservices running on
  Kubernetes that offload policy decisions to OPA sidecars. VGS has
  implemented a synchronization protocol on top of the Bundle and
  Status APIs so that the system can determine when permission updates
  have propagated. For more details on the VGS use case see these blog posts:
  [part 1](https://blog.verygoodsecurity.com/posts/building-a-fine-grained-permission-system-in-a-distributed-environment),
  [part 2](https://blog.verygoodsecurity.com/posts/building-a-fine-grained-permissions-system-in-a-distributed-environment).

* [Wiz](https://www.wiz.io/) helps every organization rapidly remove the most critical
  risks in their cloud estate. It connects in minutes, requires zero agents, and
  automatically correlates the entire security stack to uncover the most pressing issues.
  Wiz policies leverage Open Policy Agent (OPA) for a unified framework across the
  cloud-native stack. Whether for configurations, compliance, IaC, and more, OPA enables
  teams to move faster in the cloud. For more information on how Wiz uses OPA, [contact Wiz](https://www.wiz.io/contact/).

* [Xenit AB](https://www.xenit.se/) uses OPA to implement fine-grained control
  over resource formulation in its managed Kubernetes service as well as several
  customer-specific implementations. For more information, see the Kubernetes Terraform library [OPA Gatekeeper module](https://github.com/XenitAB/terraform-modules/tree/main/modules/kubernetes/opa-gatekeeper) and
  [OPA Gatekeeper policy library](https://github.com/XenitAB/gatekeeper-library).

* [Yelp](https://www.yelp.com/) uses OPA and Envoy to enforce authorization policies
  across a fleet of microservices that evolved out of a monolithic architecture.
  For more information see this talk from [KubeCon US 2019](https://www.youtube.com/watch?v=Z6aN3Smt-9M).

In addition, there are several production adopters that prefer to
remain anonymous.

* **A Fortune 100 company** uses OPA to implement validating admission
  control and fine-grained authorization policies on ~10 Kubernetes
  clusters with ~1,000 nodes. They also integrate OPA into their PKI
  as part of a Certificate RA that serves these clusters.

This is a list of adopters in early stages of production or
pre-production (in alphabetical order):

* [Aserto](https://www.aserto.com/) is a venture-backed developer API company
  that helps developers easily build permissions and roles into their SaaS
  applications. Aserto uses OPA as its core engine, and has contributed projects
  such as [Open Policy Registry](https://openpolicyregistry.io) and
  [OPA Runtime](https://github.com/aserto-dev/runtime) that make it easier for
  developers to incorporate OPA policies and the OPA engine into their applications.

* [Cyral](https://www.cyral.com/) is a venture-funded data security
  company. Still in stealth mode but using OPA to manage and enforce
  fine-grained authorization policies.

* [build.security](https://build.security/) is a venture-funded cyber security
  company, making it easy for developers to build role-based and attribute-based
  access controls into their applications and services. build.security uses
  OPA and Rego as its core technology.

* [ORY Keto](https://github.com/ory/keto) replaced their internal
  decision engine with OPA. By leveraging OPA, ORY Keto was able to
  simplify their access control server implementation while retaining
  the ability to easily add high-level models like ACLs and RBAC. In
  December 2018, ~850 ORY Keto instances were running in a mix of
  pre-production and production environments.

* [Permit.io](https://permit.io) uses a combination of OPA and OPAL
  to power fine-grained authorization policies at the core of the Permit.io platform.
  Permit.io leverages the power of OPA's Rego language,
  generating new Rego code on the fly from its UI policy editor.
  The team behind Permit.io contributes to the OPA ecosystem, creating open-source projects like
  [OPAL (making OPA event-driven)](https://github.com/permitio/opal)
  and [OPToggles (syncing front ends with OPA policy)](https://github.com/permitio/OPToggles).

* [Scalr](https://scalr.com/) is a remote operations backend for Terraform
  that helps users scale their Terraform usage through automation and collaboration.
  [Scalr uses OPA](https://docs.scalr.com/en/latest/opa.html) to validate Terraform
  code against organization standards and allows for approvals prior to a Terraform apply.

* [Spacelift](https://spacelift.io) is a specialized CI/CD platform
  for infrastructure-as-code. Spacelift is [using OPA](https://docs.spacelift.io/concepts/policy) to provide flexible,
  fine-grained controls at various application decision points, including
  automated code review, defining access levels or blocking execution of
  unwanted code.

* [Wealthsimple](https://www.wealthsimple.com/) is using OPA to power all
  authorization checks across its microservice ecosystem, wrapping OPA in its
  existing authorization library to make the transition to OPA as simple as
  possible for development teams.

* [Magda](https://github.com/magda-io/magda) is a federated, Kubernetes-based, open-source data catalog system.
  OPA serves as Magda's central authorisation policy engine. Beyond API endpoint
  authorisation, Magda uses OPA's partial evaluation feature to translate dataset
  authorisation decisions into database-specific query languages (e.g. SQL or the
  Elasticsearch DSL) so that dataset authorisation is enforced inside the different databases.

Other adopters that have gone into production or various stages of
testing include:

* [Cisco](https://www.cisco.com/)
* [Nefeli Networks](https://nefeli.io)
* [SolarWinds](https://www.solarwinds.com/) via [Lee Calcote](https://github.com/leecalcote)
* [State Street Corporation](http://www.statestreet.com/)

If you have adopted OPA and would like to be included in this list,
feel free to submit a PR.
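The Kubernetes admission-control use case that several adopters above describe (image registry allowlisting, label requirements, resource requirements and container privileges) comes down to a small Rego policy evaluated against the `AdmissionReview` the API server sends to a validating webhook. The policy below is an added example written for this page; it is not code from OPA itself or from any adopter listed here. The `kubernetes.admission` package name, the allowlisted registry prefixes, the required label set and the test fixture are all assumed values chosen for illustration.

```rego
package kubernetes.admission

# Assumed example allowlist (registry prefixes), not any adopter's real list.
allowed_registries := {"registry.example.com/", "gcr.io/example-prod/"}

# Assumed labels every Pod must carry for ownership and cost attribution.
required_labels := {"team", "app"}

is_pod {
	input.request.kind.kind == "Pod"
}

# Every regular and init container in the reviewed Pod.
containers[c] {
	c := input.request.object.spec.containers[_]
}

containers[c] {
	c := input.request.object.spec.initContainers[_]
}

image_allowed(image) {
	startswith(image, allowed_registries[_])
}

# Registry allowlisting. An unqualified image such as "nginx:latest" resolves
# to docker.io, so it fails the prefix check and is denied, not silently allowed.
deny[msg] {
	is_pod
	c := containers[_]
	not image_allowed(c.image)
	msg := sprintf("container %q uses image %q from a registry outside the allowlist", [c.name, c.image])
}

# Label requirements. A Pod with no labels at all yields an empty `provided` set.
deny[msg] {
	is_pod
	provided := {l | input.request.object.metadata.labels[l]}
	missing := required_labels - provided
	count(missing) > 0
	msg := sprintf("pod is missing required labels: %v", [missing])
}

# Container privileges: a privileged container has unrestricted host device access.
deny[msg] {
	is_pod
	c := containers[_]
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# Resource requirements: a container without a memory limit is unbounded.
deny[msg] {
	is_pod
	c := containers[_]
	not c.resources.limits.memory
	msg := sprintf("container %q has no memory limit", [c.name])
}

# AdmissionReview response handed back to the API server.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": {
		"uid": input.request.uid,
		"allowed": count(deny) == 0,
		"status": {"message": concat("; ", deny)},
	},
}

# Constructed AdmissionReview fixture for `opa test`, not captured cluster traffic.
compliant_pod := {"request": {
	"uid": "5c1d2a7e-9b3f-4c8e-a1d0-6f2b8e4c9a10",
	"kind": {"kind": "Pod"},
	"object": {
		"metadata": {"labels": {"team": "payments", "app": "ledger"}},
		"spec": {"containers": [{"name": "ledger", "image": "registry.example.com/payments/ledger:1.4.2", "resources": {"limits": {"memory": "256Mi"}}}]},
	},
}}

test_compliant_pod_allowed {
	count(deny) == 0 with input as compliant_pod
	main.response.allowed == true with input as compliant_pod
}

test_unlisted_registry_denied {
	pod := json.patch(compliant_pod, [{"op": "replace", "path": "/request/object/spec/containers/0/image", "value": "nginx:latest"}])
	deny[msg] with input as pod
	contains(msg, "nginx:latest")
	main.response.allowed == false with input as pod
}

test_privileged_and_unlabelled_denied {
	pod := json.patch(compliant_pod, [
		{"op": "add", "path": "/request/object/spec/containers/0/securityContext", "value": {"privileged": true}},
		{"op": "remove", "path": "/request/object/metadata/labels/team"},
	])
	count(deny) == 2 with input as pod
}
```

Run `opa test -v policy.rego` to execute the embedded tests offline; this is the same "validate policies before they reach the cluster" step that ControlPlane, Tremolo Security and Tripadvisor describe above. In a live deployment the `main` rule is what the validating webhook returns, and the policy deliberately fails closed: an image whose registry cannot be matched, or a Pod with no labels at all, produces a denial rather than an undefined result.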