Skip to content

Fast, templated, policy evaluation for networking, access, and admission control

License

Notifications You must be signed in to change notification settings

google/cel-policy-templates-go

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

81 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

CEL Policy Templates

CEL Policy Templates provide a framework for defining new policy types and evaluating policy instances against many different requests.

There are many more policy admins, people who know the details of the data used to configure policy, than there are policy architects, people who know how the data is evaluated under the covers. This project, much like OPA Gatekeeper is aimed at making it easier for both the architect and admin to create new policy types and policies to match their business needs.

Core Concepts

There are three key components: templates, instances, and evaluators.

Templates

Templates define the shape of the policy. Templates are written in YAML and use Open API Schema v3 terminology. Templates are the interface between policy architects and policy admins.

Instances

Instances are written by policy admins. Instances are collectively applied to and enforced against inputs. The instance content is validated against the template definition.

Evaluators

Evaluators are written by policy architects. An evaluator refers to a template and is written as though it will evaluate a single instance of the template against a single evaluation context. The expressions within the evaluator are written in CEL and are checked for syntactic correctness, cycles, and type-agreement.

Environments

Environments specify an Engine's configuration, and are critical to Evaluator validation. An environment declares the variables and functions available to an Evaluator.

Why CEL Policy Templates?

CEL Policy Templates are based on the Common Expression Language (CEL). CEL is fast, portable, and supports both extension and subsetting. The flexibility of CEL makes it possible to limit the compute and memory impact of a given expression. CEL is non-Turing complete and its performance makes it a suitable choice for all kinds of policies such as admission control, access control, and networking policies. Individual CEL expressions evaluate on the order of nanos to microseconds.

OPA Gatekeeper is another alternative to consider which offers rich audit and analysis tools, but at the expense of performance, typically on the order of milliseconds. OPA offers support for Kubernetes, Istio, and Envoy as plugins. This is a great choice for admission control. CEL on the other hand is a core component of the Google Cloud IAM, Istio Mixer, and Envoy security policies where it is used in latency critical, high throughput operations.

Disclaimer: This is not an officially supported Google product

About

Fast, templated, policy evaluation for networking, access, and admission control

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages