5. Infrastructure as Code
▪ The Process of Managing And Provisioning Computer Data Centers Through Machine-Readable Definition Files
6. IaC First Generation
~$ apt-get update
~$ apt-get install -y tar=1.16.1

package 'tar' do
  version '1.16.1'
  action :install
end
👉 Record Your Provision Procedure with a CM Tool, Not a Document!
13. More Security and Compliance Testing
▪ Perform Vulnerability Scanning
▫ SAST, RASP, DAST, IAST
▪ Ensure Compliance and Security Follow the Policy
▫ Traditional Auditing
▪ Have You Ever Been Audited?
14. Excel Engineer
▪ Lots of Spreadsheets
▪ Lots of Manual Process
▪ Takes Weeks to Months to Complete Review and Fix
▪ Policy Document Not Ready Yet
▪ But The Most Terrible ...
21. What is Policy?
▪ Compliance Policies: Ensure Compliance with External Standards (PCI-DSS, SOC, or GDPR)
▪ Security Policies: Adopted Internally to Protect Data Privacy and Infrastructure Integrity
▪ Operational Excellence: Prevent Service Outages or Degradation
22. Some Policy as Code Tools
▪ ModSecurity: Only Focuses on Web Application Firewall (Capital One Event)
▪ Sentinel: Only Supports Terraform, Vault, Nomad and Consul Enterprise (HashiCorp)
▪ Inspec: High-Quality Shared Content, Only For Programmers (Chef)
▪ Open Policy Agent: Solves Different Problems, Limited Shared Content
22
25. What is Open Policy Agent?
[Diagram: a Service sends a Query (Request, Event, etc.) to OPA; OPA evaluates Policy (Rego) against Data (JSON) and returns a Decision]
26. OPA Features
▪ Declarative Policy Language (Rego)
▪ Library, Sidecar, Host-Level Daemon
▪ Management API for Control & Observability
▪ Tooling to Build, Test and Debug Policy
40. A Normal Day In The Cloud World
▪ AAA Company’s Elasticsearch Leaks Customer Data
▪ BBB Company’s Kubernetes Admin Console Can Be Accessed Publicly
▪ CCC Company’s MongoDB Leaks Customer Data
▪ ...
44. Benefits
▪ Help Individual Developers Sanity Check Their Terraform Changes
▪ Auto-Approve Run-Of-The-Mill Infrastructure Changes And Reduce The Burden of Peer-Review
▪ Help Catch Problems That Arise When Applying Terraform To Production After Applying It To Staging
46. How to Audit K8S Cluster?
▪ Require Specific Labels On All Resources
▪ Require Container Images Come From The Corporate Image Registry
▪ Require All Pods Specify Resource Requests And Limits
▪ ...
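The three checks on this slide, written out as an added example OPA admission policy (not code from the deck); the package name, the registry prefix and the required label names are assumptions, and the syntax uses `import rego.v1` (OPA 0.59 or later).

```rego
package kubernetes.admission

import rego.v1

# Constructed values for this example: adjust to your own registry and labels.
corporate_registry := "registry.example.corp/"
required_labels := {"team", "cost-center"}

# The Pod object carried inside the AdmissionReview request.
pod := input.request.object

# Only Pod objects are checked; every other kind passes through untouched.
is_pod if input.request.kind.kind == "Pod"

# Check 1: every required label must be present on the Pod.
deny contains msg if {
	is_pod
	some label in required_labels
	not pod.metadata.labels[label]
	msg := sprintf("pod %q is missing required label %q", [pod.metadata.name, label])
}

# Check 2: every container image must come from the corporate registry.
deny contains msg if {
	is_pod
	some container in pod.spec.containers
	not startswith(container.image, corporate_registry)
	msg := sprintf("container %q uses image %q outside the corporate registry", [container.name, container.image])
}

# Check 3: every container must set CPU and memory requests and limits.
deny contains msg if {
	is_pod
	some container in pod.spec.containers
	some section in {"requests", "limits"}
	some resource in {"cpu", "memory"}
	not container.resources[section][resource]
	msg := sprintf("container %q does not set resources.%s.%s", [container.name, section, resource])
}

# AdmissionReview response: the request is allowed only when no deny rule fires,
# and every violation message is returned to the caller in one status message.
response := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": {
		"uid": input.request.uid,
		"allowed": count(deny) == 0,
		"status": {"message": concat("; ", deny)},
	},
}
```

Query `data.kubernetes.admission.response` from the API server's webhook; a Pod that fails any check is rejected with the concatenated messages.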
47. How OPA Audit K8S
[Diagram: kubectl, CI/CD Pipelines and controllers send requests to the API Server; the API Server sends an AdmissionReview (Request) to OPA and receives an AdmissionReview (Response)]
48. One application was OOM-killed, and it caused Pods on the same node to be affected as well 🍯
What was the root cause of the K8S incident that happened before dawn? 🤔
50. More Use Cases
[Diagram: OPA use cases across the layers Cloud, Host, Container, HTTP API, APP and DB: orchestrator Admission Control; Container Execution, SSH, sudo; Microservice APIs; Risk Management; Data Protection & Filtering]
51. Takeaways
▪ IaC History
▪ Shift-Left Testing of IaC by Automated PaC
▪ OPA Introduction & Features
▪ Demo: How OPA Integrates with Terraform & K8S