Policy Evaluation Engine: User-Supplied or Predefined Policies?

I have a question regarding the policy evaluation engine in Meshery. I’m curious to know whether it will support user-supplied policies or exclusively utilize the predefined policies available on https://github.com/meshery/meshery/tree/master/server/meshmodel/policies as indicated in the current code.


The slide above shows that all Rego policies will be sourced from a directory, but another image below it suggests that user-supplied policies will be supported.

Additionally, I would appreciate any insights on the next steps for the development of the evaluation engine and any relevant references or resources I can explore.

Relevant pull requests:
https://github.com/meshery/meshery/pull/7654
https://github.com/meshery/meshkit/pull/311

@Piyush It will support user-defined policies, which is on the roadmap.

Currently, you’re right that it is just using the pre-defined policies, because this is the first iteration and there is a long way to go to extend support for customizability.

Here is the meshkit helper function, which you can look at and maybe modify to help with your use case. PRs are welcome😍

Here is the list of TODOs identified while the last review on OPA was in progress.

The need to provide a custom/dynamic query together with a custom/dynamic policy is what we’re aiming for as part of future iterations; before that, we’re also looking to strengthen our library of pre-defined policies.

The Rego cheat sheet is a great way to familiarise yourself with some Rego: Rego Cheat Sheet. Contributors: Shubhi Agarwal & Ravi… | by Shubhi Agarwal | Medium


@Piyush

Could you please provide some examples of the pre-defined policies that are being planned for the initial iterations?

There is a new dynamic network policy: [WASM] Add schema information extraction Wasm binary and policy files by Abhishek-kumar09 · Pull Request #7691 · meshery/meshery · GitHub

Some others that we would be getting in are:

  1. Hierarchy policy (Namespace, Node, Pod, Replicaset, etc)
  2. Role and role-binding policy
  3. PV and PVC policy

to name a few.
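To make the two ideas in this thread concrete (a custom policy paired with a caller-chosen query, from the earlier reply, and the hierarchy / role-binding policies listed above), here is an added Rego example. It is not a policy from the Meshery repository or from meshkit; the package name `example.hierarchy`, the `input.components` shape and the sample design are all assumptions made for this illustration, and the rules only sketch what such a policy might check.

```rego
# Added illustrative policy, not Meshery's own. The input shape (a design whose
# "components" are Kubernetes-like objects with kind/metadata) is an assumption.
# Uses the future keywords so it runs on OPA >= 0.46; on OPA >= 0.59 the three
# imports can be replaced by a single `import rego.v1`.
package example.hierarchy

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Names of every Namespace declared in the design.
namespaces contains name if {
	some c in input.components
	c.kind == "Namespace"
	name := c.metadata.name
}

# Hierarchy check: a namespaced component must live in a Namespace that the
# design itself declares. Components without metadata.namespace are skipped.
deny contains msg if {
	some c in input.components
	c.kind in {"Pod", "ReplicaSet", "Role", "RoleBinding", "PersistentVolumeClaim"}
	ns := c.metadata.namespace
	not ns in namespaces
	msg := sprintf("%s '%s' references missing namespace '%s'", [c.kind, c.metadata.name, ns])
}

# Role / RoleBinding check: a RoleBinding that points at a Role must find that
# Role in its own namespace (ClusterRole references are out of scope here).
deny contains msg if {
	some rb in input.components
	rb.kind == "RoleBinding"
	rb.roleRef.kind == "Role"
	not role_exists(rb.metadata.namespace, rb.roleRef.name)
	msg := sprintf("RoleBinding '%s' binds to missing Role '%s' in namespace '%s'", [rb.metadata.name, rb.roleRef.name, rb.metadata.namespace])
}

role_exists(ns, name) if {
	some r in input.components
	r.kind == "Role"
	r.metadata.namespace == ns
	r.metadata.name == name
}

# Overall verdict; a caller can query either `allow` or the `deny` set.
default allow := false

allow if count(deny) == 0

# Constructed sample design used by the tests below (hypothetical data).
sample_design := {"components": [
	{"kind": "Namespace", "metadata": {"name": "payments"}},
	{"kind": "Pod", "metadata": {"name": "api", "namespace": "payments"}},
	{"kind": "Pod", "metadata": {"name": "worker", "namespace": "batch"}},
	{"kind": "Role", "metadata": {"name": "reader", "namespace": "payments"}},
	{"kind": "RoleBinding", "metadata": {"name": "rb", "namespace": "payments"}, "roleRef": {"kind": "Role", "name": "writer"}},
]}

test_missing_namespace_is_denied if {
	deny["Pod 'worker' references missing namespace 'batch'"] with input as sample_design
}

test_dangling_rolebinding_is_denied if {
	deny["RoleBinding 'rb' binds to missing Role 'writer' in namespace 'payments'"] with input as sample_design
}

test_sample_design_has_exactly_two_violations if {
	count(deny) == 2 with input as sample_design
	not allow with input as sample_design
}

test_consistent_design_is_allowed if {
	allow with input as {"components": [
		{"kind": "Namespace", "metadata": {"name": "payments"}},
		{"kind": "Pod", "metadata": {"name": "api", "namespace": "payments"}},
	]}
}
```

Save it as `hierarchy.rego` and run `opa test -v hierarchy.rego` to execute the embedded tests, or `opa eval -i design.json -d hierarchy.rego 'data.example.hierarchy.deny'` against a design file. The point for the discussion above is that nothing in this file is tied to a fixed directory or a fixed query: the same text could be loaded from a policies directory or submitted by a user, and the caller decides whether to ask for `data.example.hierarchy.allow`, the full `deny` set, or any other rule in the package.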