
Episode 04 Opa

By The K Files Team 12 February 2020

We dig into what OPA is and how it works with Kubernetes. We focus on how to start consuming it, and on some of the things you discover about your security posture once you start writing declarative OPA policies.

Transcript

package kubernetes.admission

deny[msg] {
    # "kind" is referenced twice because the Pod is nested inside the AdmissionReview object
    input.request.kind.kind == "Pod"
    c := input.request.object.spec.containers[i]
    c.securityContext.privileged
    msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
}

{
  "kind": "AdmissionReview",
  "request": {
    "kind": {
      "kind": "Pod",
      "version": "v1"
    },
    "object": {
      "metadata": {
        "name": "kfiles-app"
      },
      "spec": {
        "containers": [
          {
            "name": "pause",
            "image": "k8s.gcr.io/pause",
            "securityContext": {
              "privileged": false
            }
          }
        ]
      }
    }
  }
}
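As an added example (not part of the episode or its show notes), the following Rego unit tests exercise the deny rule above against constructed AdmissionReview inputs. `pod_review` is a helper written here, not something from the episode, and every fixture it builds is constructed for the test. The tests show that the rule fires on `privileged: true`, stays silent on `privileged: false` (the document above), and, a caveat worth knowing before relying on it, also stays silent when a container carries no `securityContext` at all, because `c.securityContext.privileged` is then undefined rather than false, and when the request kind is not `Pod`. Save it beside the policy file and run `opa test .`.

```rego
package kubernetes.admission

# Added test file (not from the episode). Place it next to the policy and run:
#   opa test .
# pod_review is a hypothetical helper that wraps one container in the same
# AdmissionReview shape as the constructed document shown above.
pod_review(container) = review {
    review := {
        "kind": "AdmissionReview",
        "request": {
            "kind": {"kind": "Pod", "version": "v1"},
            "object": {
                "metadata": {"name": "kfiles-app"},
                "spec": {"containers": [container]}
            }
        }
    }
}

# A privileged container must produce exactly one deny message naming it.
test_privileged_container_denied {
    msgs := deny with input as pod_review({
        "name": "pause",
        "image": "k8s.gcr.io/pause",
        "securityContext": {"privileged": true}
    })
    count(msgs) == 1
    msg := msgs[_]
    contains(msg, "Privileged container is not allowed: pause")
}

# privileged: false is allowed, matching the AdmissionReview document above.
test_unprivileged_container_allowed {
    count(deny) == 0 with input as pod_review({
        "name": "pause",
        "image": "k8s.gcr.io/pause",
        "securityContext": {"privileged": false}
    })
}

# Caveat: with no securityContext at all, c.securityContext.privileged is
# undefined, so the rule body never matches and the pod is allowed. Kubernetes
# defaults privileged to false in that case, but the policy does not check it.
test_missing_security_context_allowed {
    count(deny) == 0 with input as pod_review({
        "name": "pause",
        "image": "k8s.gcr.io/pause"
    })
}

# The rule is keyed on request.kind.kind, so the same privileged container sent
# under any other kind is ignored by this policy; the webhook must be scoped
# to Pod CREATE for the rule to see the pods a controller creates later.
test_non_pod_kind_ignored {
    review := json.patch(pod_review({
        "name": "pause",
        "image": "k8s.gcr.io/pause",
        "securityContext": {"privileged": true}
    }), [{"op": "replace", "path": "/request/kind/kind", "value": "Deployment"}])
    count(deny) == 0 with input as review
}
```

The third and fourth tests document gaps rather than bugs: they pass today, and a team that wants the undefined case or other kinds covered has to extend the rule deliberately (for example by checking `object.contains(c, "securityContext")` or adding template kinds), which is exactly the kind of posture detail that surfaces once policies are written down and tested.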

  • Provisioning problem (i.e. creating NetworkPolicy, Quotas, PVs, etc. when a namespace is created): Goldman Sachs created a custom controller to enforce OPA policies for this purpose
  • How Yelp leverages OPA
  • Enforcing service mesh structure using Gatekeeper