
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD

Whether you want to get started with Governance or improve your current process, this talk will show you how to improve your compliance by implementing policy-based CI/CD (Continuous Integration / Continuous Delivery) with GitLab CI and Open Policy Agent.

Philippe and Nico will tell you all the details about Open Policy Agent and how you can easily integrate it into your existing CI/CD pipelines. Join our session to learn how to improve compliance, from gating your dependencies to controlling your infrastructure.

  1. #GitLabCommit: Enhance Your Compliance and Governance With Policy-Based CI/CD
  2. Speakers
     ● Philippe Lafoucrière, Distinguished Security Engineer, GitLab (@plafoucriere)
     ● Nico Meisenzahl, Senior Cloud & DevOps Consultant, white duck (@nico-meisenzahl, @nmeisenzahl)
  3. Agenda
  4. Agenda
     ● Why do we need compliance and governance in CI/CD?
     ● What is Open Policy Agent and how does it work?
     ● How to get started: some examples
  5. Why do we need compliance and governance in CI/CD?
  6. What is compliance? "Adherence to standards, regulations, and other requirements" (Wikipedia)
  7. Types of software compliance
     ● Statutory/regulatory compliance: comply with relevant laws, policies, and regulations.
     ● Standards: adhere to established, standardised requirements.
     ● Contractual obligations: vendor agreements, customer contracts, ...
     ● Corporate: the set of rules and policies a company defines to meet the needs of HR, Security, Communication, ...
  8. Compliance frameworks: regulatory compliance frameworks are mandatory for some industries. (Figure: GitLab's current security certifications and attestations.)
  9. The way to compliance: you can do all of these without compliance, but doing compliance without them turns out to be extremely hard; they are intimately tied together. (Figure: Automation, Testing, Quality, Compliance.)
  10. Compliance and governance in CI/CD?
     ● Define the "how" around the "what" of the pipelines
     ● Security and compliance gates
     ● Ensure the requirements are always met, throughout the whole lifecycle of the project
     ● Iteration is key (start small!)
     ● OPA to the rescue
  11. What is Open Policy Agent and how does it work?
  12. Open Policy Agent (OPA): "policy-based control for cloud native environments"
     ● General-purpose policy engine across your stack
     ● Graduated CNCF project, introduced by Styra
     ● Declarative policy language
     ● Decouples application logic from policy decisions
       ○ REST API, run as a sidecar or daemon
       ○ Go library
       ○ Wasm module
     ● Provides APIs for easy management
  13. (Diagram slide, no text.)
  14. Ecosystem
     ● API and service authorization with Envoy, Kong, Traefik and others
     ● Authorization policies for SQL, Kafka and others
     ● Container network authorization with Istio and Linkerd
     ● Tests for Terraform infrastructure changes
     ● Policies for SSH and sudo
     ● Policy and governance for Kubernetes
     ● And many more
       ○ https://www.openpolicyagent.org/docs/latest/ecosystem
  15. How OPA works (diagram)
  16. How OPA works (diagram)
  17. Rego
     ● Pronounced "ray-go"
     ● Declarative policy language
       ○ e.g. "is Nico allowed to POST a payload to /api?"
     ● Rules commonly return true/false
       ○ but may return any value
     ● 140+ built-in functions
       ○ date/time, string, ...
       ○ regex
       ○ JWT validation
       ○ ...
  18. How OPA works (diagram)
  19. How to get started?
     ● OPA playground
       ○ https://play.openpolicyagent.org
     ● Docs
       ○ https://www.openpolicyagent.org/docs
     ● OPA CLI
       ○ opa run
       ○ opa test
       ○ opa eval
  20. How to get started: some examples
  21. Demo: Policy-based CI/CD with OPA
     ● Infrastructure-as-Code change validation (Terraform)
       ○ https://gitlab.com/nico-meisenzahl/terraform-opa-policy-demo
     ● GitLab project validation
       ○ https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example/-/merge_requests/7
  22. Further examples
     ● Kubernetes manifest validation
     ● Allow/deny lists for library dependencies
     ● Docker authorization
     ● Envoy authorization
     ● And more
  23. Contact
     ● Philippe Lafoucrière, Distinguished Security Engineer, GitLab (@plafoucriere)
     ● Nico Meisenzahl, Senior Cloud & DevOps Consultant, white duck (@nico-meisenzahl, @nmeisenzahl)
  24. Thank You!
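The slides on Rego (rules that evaluate to true/false, built-in functions), on the OPA CLI (opa test, opa eval) and on the Terraform demo describe one workflow without showing it. The policy below is an added example written for this page; it is not the code of the talk or of the linked demo repository. It assumes the CI job runs `terraform show -json tfplan` and passes that JSON to OPA as `input`, so the field names (`resource_changes`, `address`, `type`, `change.actions`, `change.after`) follow Terraform's plan JSON format. The resource-type allow-list, the public-ACL rule and the sample plan in the unit tests are constructed for the example. The `import rego.v1` syntax needs OPA 0.59 or later (OPA 1.x uses it by default).

```rego
# Added example: a GitLab CI compliance gate for Terraform plans, written for this
# page (not the demo repository's code). Input is the output of
# `terraform show -json tfplan`. Allow-list and ACL rule are example assumptions.
package terraform.gate

import rego.v1

# Resource types this pipeline may create (assumption chosen for the example).
allowed_types := {"aws_s3_bucket", "aws_s3_bucket_public_access_block", "aws_iam_role"}

# Addresses whose planned actions include "delete"; a replace is ["delete", "create"].
deleted contains rc.address if {
    some rc in input.resource_changes
    "delete" in rc.change.actions
}

# deny is a set of human-readable reasons; an empty set means the plan is compliant.
deny contains msg if {
    some addr in deleted
    msg := sprintf("%s: destructive change (delete/replace) is not allowed from CI", [addr])
}

deny contains msg if {
    some rc in input.resource_changes
    "create" in rc.change.actions
    not allowed_types[rc.type]
    msg := sprintf("%s: resource type %s is not on the allow-list", [rc.address, rc.type])
}

deny contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_s3_bucket"
    rc.change.after.acl in {"public-read", "public-read-write"}
    msg := sprintf("%s: bucket ACL %s makes the bucket public", [rc.address, rc.change.after.acl])
}

# The single boolean the CI job evaluates.
default allow := false

allow if count(deny) == 0

# --- Unit tests, run with `opa test policy.rego` -----------------------------
# Constructed plan fragment: a private bucket, a public bucket, a replaced IAM role.
sample_plan := {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
        "change": {"actions": ["create"], "after": {"acl": "private"}}},
    {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket",
        "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_iam_role.ci", "type": "aws_iam_role",
        "change": {"actions": ["delete", "create"], "after": {"name": "ci"}}}
]}

test_public_bucket_denied if {
    deny["aws_s3_bucket.site: bucket ACL public-read makes the bucket public"] with input as sample_plan
}

test_replace_is_destructive if {
    deleted["aws_iam_role.ci"] with input as sample_plan
    not allow with input as sample_plan
}

test_unknown_type_denied if {
    plan := {"resource_changes": [{"address": "aws_instance.bastion", "type": "aws_instance",
        "change": {"actions": ["create"], "after": {}}}]}
    count(deny) == 1 with input as plan
}

test_compliant_plan_allowed if {
    allow with input as {"resource_changes": [sample_plan.resource_changes[0]]}
}
```

In a pipeline job the gate is one command after `terraform plan -out tfplan && terraform show -json tfplan > plan.json`: `opa eval --fail -d policy.rego -i plan.json 'data.terraform.gate.allow == true'`. With `--fail`, opa eval exits non-zero when the query is undefined, which is what a false comparison produces, so the job fails on a non-compliant plan; evaluating `data.terraform.gate.deny` in the same job prints the reasons for the merge request. Keeping the policy in its own repository, and the test file next to it, is what lets the policy itself be reviewed and iterated on like any other code, which is the "start small" point of slide 10.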
