Open Policy Agent (OPA) is an open source, general-purpose policy engine.
This release contains a mix of features, performance improvements, and bugfixes.
- --timeout flag to opa exec to prevent infinite hangs. (#6613) authored by @philipaconrad
- crypto.x509.parse_and_verify_certificates_with_options built-in function. (#5882) authored by @yogisinha reported by @IxDay
- Debugging OPA (#6637) authored by @setchy
This is a security fix release for the fixes published in Go 1.22.1.
OPA servers using --authentication=tls would be affected: crafted malicious client certificates could cause a panic in the server.
Also, crafted server certificates could panic OPA's HTTP clients, in the bundle plugin, status and decision logs, and in http.send calls that verify TLS.
This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).
Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to assess. An update is advised.
NOTES:
- The minimum version of Go required to build the OPA module is 1.20
This release contains a mix of improvements and bugfixes.
- WithBundleParserOpts method to OCI downloader (#6571) authored by @slonka
- %!F(MISSING) in logs by skipping calls to the {Debug,Info,Warn,Error}f functions when there are no arguments (#6555) authored by @srenatus
- raise_error flag during input validation (#6553) authored by @ashutosh-narkar
- application/yaml instead of application/x-yaml as the former is now a recognized content type (#6565) authored by @anderseknert
This release contains a mix of new features and bugfixes.
- --v1-compatible flag to all previously unsupported command line commands (#6520) authored by @johanfylling
- size_limit_bytes (#6514) authored by @anderseknert reported by @dolevf
- http.send cache entries periodically (#5320) authored by @rudrakhp reported by @lukyer
v0.60.0
- --v1-compatible flag. When this mode is enabled, the current release of OPA will behave as OPA v1.0 will eventually behave by default. This flag is currently supported on the build, check, fmt, eval and test commands (#6478) authored by @johanfylling
- opa fmt where the assignment operator and term in the rule head of chain rules are removed from the re-written rule head (#6467) authored by @anderseknert
- diff tool with an external golang library function (#6284) authored by @colinjlacy
- providers.aws.sign_req builtin command (#6456) authored by @c2zwdjnlcg
- sprintf builtin command when used with the %T marker (#6487) authored by @lcarva
- Makefile to allow custom GOFLAGS to be provided to the golang executable (#6458) authored by @cova-fe
v0.59.0
This release adds tooling to help prepare existing policies for the upcoming OPA 1.0 release. It also contains a mix of improvements, bugfixes and security fixes for third-party libraries.
NOTES:
- All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.
The upcoming release of OPA 1.0, which will be released at a future date, will introduce breaking changes to the Rego language. Most notably:
- The keywords that currently have to be brought into a module with import future.keywords before use will be part of the Rego language by default, without the need to first import them.
- The if keyword will be required before the body of a rule.
- The contains keyword will be required when declaring a multi-value rule (partial set rule).
This current release (0.59.0) introduces a new --rego-v1 flag to the opa fmt and opa check commands to facilitate the transition of existing policies to be compatible with the 1.0 syntax.
When used with opa fmt, the --rego-v1 flag will format the module(s) according to the new Rego syntax in OPA 1.0. Formatted modules are compatible with both the current version of OPA and 1.0. Modules using deprecated built-ins will terminate formatting with an error. Future versions of OPA will support rewriting applicable function calls with equivalent Rego compatible with 1.0.
When used with opa check, the --rego-v1 flag will check that the modules are compatible with both the current version of OPA and 1.0.
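As an added illustration (not code from the release notes or the OPA project), here is a policy written by hand in the 1.0-compatible form described above, the form opa fmt --rego-v1 produces and opa check --rego-v1 accepts; the package name and the shapes of input and data are assumed, and each comment names the pre-1.0 construct the line replaces.

```rego
# Added example, not from the release notes. Package name and the
# input/data layout are assumed for illustration only.
package example.authz

# Pre-1.0: import future.keywords (or future.keywords.if / .contains / .in)
import rego.v1

# Pre-1.0: default allow = false
default allow := false

# Pre-1.0: allow { ... }   (rule body without a leading `if`)
allow if {
    input.method == "GET"
    input.path[0] == "public"
}

allow if {
    some role in data.user_roles[input.user]
    role == "admin"
}

# Pre-1.0: deny_reasons[msg] { ... }   (multi-value rule without `contains`)
deny_reasons contains msg if {
    not input.user
    msg := "request carries no user"
}

deny_reasons contains msg if {
    input.method == "DELETE"
    not allow
    msg := sprintf("%s on %v is not permitted", [input.method, input.path])
}
```

Running opa check --rego-v1 over a module that still uses any of the pre-1.0 forms named in the comments reports the offending rule heads, which is the check to run across a policy repository before moving to the 1.0 syntax.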
- --rego-v1 flag to check cmd (#6429) authored by @johanfylling
- opa fmt (#6297) authored by @johanfylling
- rego.v1 import (#6375) (authored by @johanfylling)
- rego.v1 (#6356) authored by @ashutosh-narkar
- rego.v1 import (#6247) introduced in OPA 0.58.0, authored by @johanfylling
- rule_head_refs capabilities feature flag (#6334) authored by @johanfylling
- strings.render_template to render templated strings (#6371) authored by @RDVasavada
This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.
- = true as it is implied (#6323) authored by @anderseknert
- v0.23.0 (#2266) authored by @ashutosh-narkar
- http_request_duration_seconds metric (#6238) authored by @AdrianArnautu
- walk-ing (#6267) authored by @anderseknert
- /) or other special characters (#6264) authored by @dennisg
- hub tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @ashutosh-narkar
This is a bug fix release addressing the following security issues:
- A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.
- Denial of service in otelhttp due to unbound cardinality metrics.
This release contains an updated Rego syntax to allow general references in rule heads, and a mix of new features and bugfixes.
In OPA 0.56.0, we introduced support for general references in rule heads as an experimental feature. It has now graduated to a fully supported feature, and is no longer experimental.
A general reference is a reference with variables at arbitrary locations. In Rego, partial rules are used for generating sets and objects. In previous versions of OPA, variables were only allowed in the very last position in the rule's reference. Now, Rego has been expanded to allow rules to be declared with general references in their head, with variables at arbitrary locations. This allows for generating nested dynamic object structures:
package example

import future.keywords

# Converting a flat list of users to a mapping by "role" and then "id".
users_by_role[role][id] := user if {
    some user in data.users
    id := user.id
    role := user.role
}

# Explicit "admin" key override to the above mapping.
users_by_role.admin[id] := user if {
    some user in data.admins
    id := user.id
}

# Leaf entries can be multi-value.
users_by_country[country] contains user.id if {
    some user in data.users
    country := user.country
}
See the documentation for more information.
Authored by @johanfylling.
GO SDK: the ast.JSONOptions struct has changed location to ast.json.Options.
This release contains a mix of new features, bugfixes and a new builtin function.
A new experimental feature in OPA is support for general refs in rule heads. A general ref is a reference with variables at arbitrary locations.
package example

import future.keywords

# Converting a flat list of users to a mapping by "role" and then "id".
users_by_role[role][id] := user if {
    some user in data.users
    id := user.id
    role := user.role
}

# Explicit "admin" key override to the above mapping.
users_by_role.admin[id] := user if {
    some user in data.admins
    id := user.id
}

# Leaf entries can be multi-value.
users_by_country[country] contains user.id if {
    some user in data.users
    country := user.country
}
General refs are currently not supported by the OPA planner, making this feature unsupported for Wasm and IR.
Note: this feature is disabled by default, and needs to be enabled by setting the EXPERIMENTAL_GENERAL_RULE_REFS environment variable (once the feature is complete, i.e. supports Wasm and IR, this requirement will be dropped).
Authored by @johanfylling.
numbers.range_step
Similar to the numbers.range built-in function, numbers.range_step returns an array of numbers in a given range. The new built-in function also allows you to control the step between each entry.
See the documentation on the new built-in for all the details.
Authored by @sspaink.
The OPA Ecosystem of related integrations has been refreshed and moved to a more prominent location on the website.
If you're interested to add any new integrations you've been working on, please see the docs here (updates to existing integrations are very welcome too!).
- opa test -z fail with failing tests (#6126) authored by @fdaguin
- opa test --ignore when used together with --bundle (#6185) authored by @joaobrandt
- --fail-non-empty flag to opa exec (#6153) authored by @Ronnie-personal
- opa_no_oci flag to build without containerd (#6159) authored by @slonka
Since its introduction in 0.34.0, the --exit-zero-on-skipped option always made the opa test command return an exit code 0. When used, it now returns the exit code 0 only if no failed tests were found.
Test runs on existing projects using --exit-zero-on-skipped will fail if any failed tests were inhibited by this behavior.