preloader
Episodes

Episode 04 Opa

By The K Files Team 12 February 2020
Episode 04 Opa

We dig down into what OPA is, how it works with Kubernetes. We focus on how to start consuming it, and some of the things that you discover about your security posture after you start creating declarative OPA policies.

package kubernetes.admission 

deny[msg] {

   #Calling kind twice because the pod is nested in the AdmissionReview object
    input.request.kind.kind == "Pod"
    c := input.request.object.spec.containers[i]
    c.securityContext.privileged
    msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])

}

{
  "kind": "AdmissionReview",
  "request": {
    "kind": {
      "kind": "Pod",
      "version": "v1"
    },
    "object": {
      "metadata": {
        "name": "kfiles-app"
      },
      "spec": {
        "containers": [
          {
            "name": "pause",
            "image": "k8s.gcr.io/pause",
            "securityContext": {
              "privileged": false
            }
          }
        ]
      }
    }
  }
}

  • Provisioning problem (i.e. creating NetworkPolicy, Quotas, PVs, etc when a namespace is created), Goldman Sachs created a custom controller to enforce OPA policies for this purpose
  • How Yelp leverages OPA
  • Enforcing service mesh structure using Gatekeeper
comments powered by Disqus