3. @tlhinrichs openpolicyagent.org
Dangers
Compute
● Run arbitrary binaries from the internet
● Deploy code with known vulnerabilities
Networking
● App A can steal traffic from App B (unintentionally or otherwise)
● Open egress traffic to 0.0.0.0
Storage
● Mission-critical data can be automatically deleted when workloads move to new nodes
Security
● 3rd-party software runs with root privileges
● Data at rest and in transit not encrypted
Desired State
kubectl create -f nginx.yaml

nginx.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
4. @tlhinrichs openpolicyagent.org
Guardrails
Compute
● Images may only be pulled from the internal registry
● Only scanned images may be deployed in namespaces A, B, and C
● The QA team must sign off on an image before it is deployed to production
Networking
● Ingresses across namespaces should not conflict
● Developers must not modify selectors, or labels referred to by selectors, after creation
Storage
● Stateful deployments must use the ‘RollingUpdate’ update strategy
Security
● Containers cannot run with a privileged security context
● Services in namespace X should have the AWS SSL annotation added
Desired State
[Diagram: Open Policy Agent sits between "kubectl create -f nginx.yaml" and the Desired State; nginx.yaml is the same Deployment shown on slide 3.]
5. @tlhinrichs openpolicyagent.org
Desired State → Runtime State
[Diagram: "kubectl create -f nginx.yaml" (the same Deployment as on slide 3) is submitted to the Kubernetes API Server, which calls Open Policy Agent through a Validating Webhook; Kubernetes then implements the desired state on the Server Nodes.]
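As an added example (not from the slides), two of the slide 4 guardrails written as an OPA admission policy for the validating webhook shown on slide 5; the registry prefix registry.internal.example/ is an assumed placeholder, and the test_ rules run with opa test against a constructed AdmissionReview built from the slides' nginx.yaml.

```rego
package kubernetes.admission

# Assumed placeholder for the organisation's internal registry prefix.
internal_registry := "registry.internal.example/"

# Containers in the pod template of the Deployment under review.
# input is the AdmissionReview the Kubernetes API server sends to the webhook.
containers[c] {
    input.request.kind.kind == "Deployment"
    c := input.request.object.spec.template.spec.containers[_]
}

# Guardrail: images may only be pulled from the internal registry.
deny[msg] {
    c := containers[_]
    not startswith(c.image, internal_registry)
    msg := sprintf("container %v: image %v is not from %v", [c.name, c.image, internal_registry])
}

# Guardrail: containers cannot run with a privileged security context.
deny[msg] {
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %v: privileged security context is not allowed", [c.name])
}

# Constructed AdmissionReview for the slides' nginx.yaml
# (an unqualified image name such as nginx:1.7.9 resolves to Docker Hub).
nginx_review := {"request": {
    "kind": {"kind": "Deployment"},
    "object": {"spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.7.9"}]}}}}}}

# `opa test .` runs rules prefixed with test_: the slides' Deployment is
# rejected with one violation, while an internal, unprivileged image is admitted.
test_nginx_denied_for_external_image {
    count(deny) == 1 with input as nginx_review
}

test_internal_unprivileged_image_allowed {
    review := {"request": {
        "kind": {"kind": "Deployment"},
        "object": {"spec": {"template": {"spec": {"containers": [
            {"name": "nginx", "image": "registry.internal.example/nginx:1.7.9",
             "securityContext": {"privileged": false}}]}}}}}}
    count(deny) == 0 with input as review
}
```

When deployed behind the webhook, a non-empty deny set is what the admission controller turns into a rejected request; a missing securityContext leaves the privileged rule undefined, so it does not fire.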
12. @tlhinrichs openpolicyagent.org
Open Policy Agent: Features
● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
13. @tlhinrichs openpolicyagent.org
Open Policy Agent: Community
Inception
● Project started in 2016 at Styra.
Goal
● Unify policy enforcement across the stack.
Use Cases
● Admission control
● Authorization
● ACLs
● RBAC
● IAM
● ABAC
● Risk management
● Data Protection
● Data Filtering
Users
● Netflix
● Chef
● Medallia
● Cloudflare
● State Street
● Pinterest
● Intuit
● Capital One
● ...and many more.
Today
● CNCF project (Incubation)
● 36 contributors
● 700 Slack members
● 1.7K stars
● 20+ integrations