EXTENSION OF OPEN POLICY AGENT FUNCTIONS USING FALCO
DOI: https://doi.org/10.28925/2663-4023.2026.32.1188

Keywords: kubernetes; dynamic access; contextual security; OPA; Falco; information security; information protection

Abstract
The paper considers approaches to integrating the real-time threat detection system Falco with the Open Policy Agent (OPA) policy engine in a Kubernetes environment. Three interaction models are analyzed: direct forwarding of events from Falco via Falcosidekick to the OPA HTTP API; using OPA as an admission controller to block dangerous configurations at the moment a resource is created; and placing an intermediate service between Falco and OPA that can correlate and process complex events. The study shows that combining sensor-based detection with policy-oriented decision-making raises the level of security, automates response, and supports Zero Trust principles. Together, Falco and OPA form a multi-layered security model in which runtime threat detection is complemented by a flexible policy mechanism. Direct forwarding from Falco via Falcosidekick to the OPA HTTP interface gives the fastest response and the smallest delay between detecting an incident and reaching a decision, which makes it suitable for clusters with strict response-time requirements. Using OPA as an admission controller strengthens proactive protection by rejecting unwanted objects before they are deployed, but requires the Rego policies to be continuously adjusted on the basis of the knowledge Falco provides. The scenario with an intermediate service combines the advantages of both approaches: it allows complex business logic, enables limited isolation of suspicious workloads, and avoids overloading OPA with an excessive number of events. All three schemes confirm that integrating sensor and policy-oriented components significantly raises the level of protection of containerized environments, contributes to implementing Zero Trust principles, and creates the prerequisites for a self-healing infrastructure with automated compliance control.
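The following is an added example, not code from the paper or from the Falco or OPA projects. It models the third scenario (an intermediate service between Falcosidekick and OPA) and the second (OPA as admission controller fed by Falco knowledge) as one offline, runnable pipeline: it aggregates Falcosidekick webhook alerts into per-pod scores so that OPA receives one Data API write instead of one request per alert, renders that write (PUT /v1/data/falco/quarantine is this example's own choice of document path), and then mirrors in Python the decision an admission-controller Rego policy would make from that document. The alert payloads and AdmissionReview objects are constructed here; the field names k8s.ns.name, k8s.pod.name and container.image.repository are standard Falco output fields, while the priority weights, the threshold ISOLATE_AT and every hostname and image name are assumptions.

```python
"""Hypothetical intermediary between Falcosidekick and OPA (added example, not the paper's code).
Flow modelled:
  Falcosidekick --webhook JSON--> this service --PUT /v1/data/falco/quarantine--> OPA
  kube-apiserver --AdmissionReview--> OPA policy that reads data.falco.quarantine
Runs offline: alerts are constructed inline and the OPA call is rendered, not sent."""
import json
from collections import defaultdict

# Falco's priority names; the weights and the threshold are this example's own choice.
PRIORITY_WEIGHT = {"Emergency": 8, "Alert": 7, "Critical": 6, "Error": 5,
                   "Warning": 4, "Notice": 3, "Informational": 2, "Debug": 1}
ISOLATE_AT = 10  # hypothetical per-pod score at which the workload is quarantined

def _alert(rule, priority, fields):
    """Constructed Falcosidekick webhook payload (same shape as Falco's JSON output)."""
    return json.dumps({"rule": rule, "priority": priority, "source": "syscalls",
                       "time": "2026-01-10T09:00:00.000000000Z",
                       "output": f"{priority} {rule}", "output_fields": fields})

API = {"k8s.ns.name": "shop", "k8s.pod.name": "api-7c9d",
       "container.image.repository": "registry.example/shop/api"}
WORKER = {"k8s.ns.name": "billing", "k8s.pod.name": "worker-1a2b",
          "container.image.repository": "registry.example/billing/worker"}
SAMPLE_EVENTS = [  # constructed; the last alert is host-level and carries no pod context
    _alert("Terminal shell in container", "Notice", {**API, "proc.cmdline": "bash"}),
    _alert("Write below etc", "Error", {**API, "fd.name": "/etc/passwd"}),
    _alert("Launch Package Management Process in Container", "Error",
           {**API, "proc.cmdline": "apt install nmap"}),
    _alert("Read sensitive file untrusted", "Warning", {**WORKER, "fd.name": "/etc/shadow"}),
    _alert("Modify binary dirs", "Error", {"proc.cmdline": "cp x /usr/bin/x"}),
]

def parse_event(raw):
    """Pull out the fields the policy needs; raise if the alert cannot be tied to a pod."""
    ev = json.loads(raw)
    fields = ev.get("output_fields", {})
    try:
        return {"rule": ev["rule"], "weight": PRIORITY_WEIGHT[ev["priority"]],
                "pod": fields["k8s.ns.name"] + "/" + fields["k8s.pod.name"],
                "image": fields["container.image.repository"]}
    except KeyError as e:
        raise ValueError(f"alert lacks required field {e}") from None

def aggregate(raw_events):
    """Fold a stream of alerts into per-pod state. This aggregation is what keeps OPA from
    receiving one request per alert; alerts without pod context are counted, not fatal."""
    state = {"scores": defaultdict(int), "images": defaultdict(set),
             "rules": defaultdict(set), "dropped": 0}
    for raw in raw_events:
        try:
            ev = parse_event(raw)
        except ValueError:
            state["dropped"] += 1
            continue
        state["scores"][ev["pod"]] += ev["weight"]
        state["images"][ev["pod"]].add(ev["image"])
        state["rules"][ev["pod"]].add(ev["rule"])
    return state

def opa_update(state):
    """Render the single OPA Data API write that replaces the quarantine document.
    PUT /v1/data/<path> overwrites data.<path>; the Rego policy reads data.falco.quarantine."""
    flagged = sorted(p for p, s in state["scores"].items() if s >= ISOLATE_AT)
    body = {"pods": {p: {"score": state["scores"][p], "rules": sorted(state["rules"][p])}
                     for p in flagged},
            "images": sorted({img for p in flagged for img in state["images"][p]})}
    return "PUT", "/v1/data/falco/quarantine", body

def image_repository(ref):
    """Strip digest and tag: registry:5000/ns/app:1.2 -> registry:5000/ns/app."""
    ref = ref.split("@", 1)[0]
    return ref[:ref.rfind(":")] if ref.rfind(":") > ref.rfind("/") else ref

def admission_decision(review, quarantine):
    """The decision the admission-controller Rego would make: deny a Pod if any container
    image was seen in a quarantined workload. In a cluster this logic lives in OPA."""
    req = review["request"]
    spec = req["object"].get("spec", {})
    refs = [c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])]
    bad = sorted({image_repository(r) for r in refs} & set(quarantine["images"]))
    resp = {"uid": req["uid"], "allowed": not bad}
    if bad:
        resp["status"] = {"code": 403,
                          "message": "image flagged by Falco runtime alerts: " + ", ".join(bad)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def _review(uid, images):
    """Constructed AdmissionReview for a Pod with the given container images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"kind": "Pod", "spec": {"containers": containers}}}}

SAMPLE_REVIEWS = [_review("a1", ["registry.example/shop/api:1.4", "busybox:1.36"]),
                  _review("b2", ["registry.example/billing/worker:2.0"])]

def run_pipeline(raw_events=SAMPLE_EVENTS, reviews=SAMPLE_REVIEWS):
    """Alerts -> aggregated state -> one OPA write -> admission decisions that use it."""
    state = aggregate(raw_events)
    method, path, quarantine = opa_update(state)
    return {"opa_write": (method, path, quarantine), "dropped": state["dropped"],
            "decisions": [admission_decision(r, quarantine) for r in reviews]}

if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Two points a practitioner would check before wiring this into a cluster: the OPA Data API write is trusted input, so the intermediary's endpoint (and its path to OPA) needs authentication, since anyone who can POST to it can quarantine or un-quarantine workloads; and a deny keyed on image repository is deliberately coarse, so the threshold and the scope of the block (image, pod, namespace) are exactly the "constant adjustment" the abstract warns the Rego policies will need.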
License
Copyright (c) 2026 Дмитро Дарієнко, Назарій Когут

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.