Contributing to Meshery Policies
Background
Meshery has a built-in policy engine, based on Open Policy Agent (OPA). Meshery uses the Rego query language to create these policies.
Prerequisites
To start contributing to the Meshery Policy Engine, make sure you have the OPA CLI installed on your system. You will also need to clone the Meshery Server project from GitHub.
Components of Meshery Policy Engine
Rego policies are the declarative logic behind the policy engine. These policies define how the underlying engine understands relationships within Meshery Designs. Rego policies can be found here in the Meshery GitHub repository.
Currently, the Rego policies are invoked from the Go code in Meshery Server. This requires configuring the OPA context as seen here.
The Meshery Policy Engine is invoked by calling the evaluation endpoint. This endpoint is passed a Meshery Design in JSON, which it passes to the Meshery Policy Engine for validation.
Working with Meshery Policy Engine
Working with the Meshery Policy Engine can feel complex because of the large number of different relationships a Meshery Design might contain. Contributors must therefore test any changes thoroughly to avoid unexpected results. When working on the Rego policies themselves, testing and development are easier if you can test the policies directly, without running the entire Meshery Server. When working on the policies, keep the following in mind:
- Since we will be running these policies using the OPA CLI directly, without the Go bootstrap code, we need to provide the necessary context for the policy engine. This means providing a data structure containing the valid Meshery Relationships the policy engine will evaluate against.
- The input to the policy engine is a Meshery Design as a JSON data structure. When testing the Meshery Policy Engine, you will need to provide this design as input. If you are working on a bug, you will need to get the design from the issue or directly from the individual who reported the bug.
Executing OPA
You can evaluate the Rego policies against test data stored in the policies/test folder:
make rego-eval
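The two inputs described above, shown with a direct opa eval call, as an added example that is not part of Meshery's documentation or code: a constructed relationships document loaded as data, and a constructed, heavily simplified design passed as input. The package name example_relationships, its matches rule, the file names and the JSON fields are assumptions for illustration, not Meshery's schema or policies.

```shell
#!/bin/sh
# Added example. The package name, rule, file names and JSON fields are
# constructed for illustration; they are not Meshery's schema or policies.
set -eu

eval_design() {
  work=$1
  mkdir -p "$work"

  # Policy: pair up components whose kinds a registered relationship connects.
  cat > "$work/policy.rego" <<'EOF'
package example_relationships

import rego.v1

matches contains {"kind": r.kind, "from": a.name, "to": b.name} if {
	some r in data.relationships
	some a in input.components
	some b in input.components
	a.kind == r.from
	b.kind == r.to
}
EOF

  # Context the Go bootstrap code would normally supply: valid relationships.
  cat > "$work/relationships.json" <<'EOF'
{"relationships": [{"kind": "edge", "from": "Service", "to": "Deployment"}]}
EOF

  # Input: the design under evaluation (constructed, heavily simplified).
  cat > "$work/design.json" <<'EOF'
{"name": "sample", "components": [
  {"name": "web-svc", "kind": "Service"},
  {"name": "web", "kind": "Deployment"},
  {"name": "cfg", "kind": "ConfigMap"}]}
EOF

  if ! command -v opa >/dev/null 2>&1; then
    echo "opa not found on PATH; fixtures written to $work" >&2
    return 0
  fi
  opa eval --format pretty \
    --data "$work/policy.rego" --data "$work/relationships.json" \
    --input "$work/design.json" 'data.example_relationships.matches'
}

eval_design "${1:-$(mktemp -d)}"
```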
Suggested Reading
- Build & Release (CI) - Details of Meshery's build and release strategy.
- Contributing to Meshery Adapters - How to contribute to Meshery Adapters
- Contributing to Meshery CLI - How to contribute to Meshery Command Line Interface.
- Contributing to Meshery's End-to-End Tests using Cypress - How to contribute to End-to-End Tests using Cypress.
- Contributing to Meshery Docker Extension - How to contribute to Meshery Docker Extension
- Contributing to Meshery Docs - How to contribute to Meshery Docs.
- How to write MeshKit compatible errors - How to declare errors in Meshery components.
- Contributing to Meshery using git - How to contribute to Meshery using git
- Meshery CLI Contributing Guidelines - Design principles and code conventions.
- Contributing to Model Components - How to contribute to Meshery Model Components
- Contributing to Model Relationships - How to contribute to Meshery Models Relationships, Policies...
- Contributing to Models Quick Start - A no-fluff guide to creating your own Meshery Models quickly.
- Contributing to Models - How to contribute to Meshery Models, Components, Relationships, Policies...
- Contributing to Meshery Server Events - A guide to help backend contributors send server events using Golang.
- Contributing to Meshery UI - Notification Center - How to contribute to the Notification Center in Meshery's web-based UI.
- Contributing to Meshery UI - Sistent - How to contribute to Meshery's web-based UI using the Sistent design system.
- Contributing to Meshery's End-to-End Tests - How to contribute to End-to-End Tests using Playwright.
- Contributing to Meshery UI - How to contribute to Meshery UI (web-based user interface).
- Contributing to Meshery Server - How to contribute to Meshery Server
- Setting up Meshery Development Environment on Windows - How to set up Meshery Development Environment on Windows