Whether you want to get started with Governance or improve your current process, this talk will show you how to improve your compliance by implementing policy-based CI/CD (Continuous Integration / Continuous Delivery) with GitLab CI and Open Policy Agent.
Philippe and Nico will tell you all the details about Open Policy Agent and how you can easily integrate it into your existing CI/CD pipelines. Join our session to learn how to improve compliance, from gating your dependencies to controlling your infrastructure.
#GitLabCommit
Agenda
● Why do we need compliance and governance in CI/CD?
● What is Open Policy Agent and how does it work?
● How to get started – some examples
Types of software compliance
● Statutory/regulatory compliance: comply with relevant laws, policies, and regulations.
● Standards: adhere to established, standardised requirements.
● Contractual obligations: vendor agreements, customer contracts, ...
● Corporate: the set of rules and policies defined by the company to meet the needs of HR, Security, Communications, ...
The way to Compliance
Automation → Testing → Quality → Compliance
You can do all of these without Compliance, but doing Compliance without them will turn out to be extremely hard. They are intimately tied together.
Compliance and Governance in CI/CD?
- Define the “how” around the “what” of the pipelines
- Security and compliance gates: a job that fails the pipeline when a policy is violated
- Ensure the requirements are always met, throughout the whole lifecycle of the project
- Iteration is key (start small!)
- OPA to the rescue
Open Policy Agent (OPA)
“policy-based control for cloud native environments”
● general-purpose policy engine that works across your stack
● graduated CNCF project, originally created by Styra
● declarative policy language (Rego): policies are queries over JSON input and data, and return a decision
● decouples policy decisions from application logic; the policy can be evaluated via
    ○ a REST API (OPA as a sidecar or daemon)
    ○ the Go library
    ○ a Wasm module
● provides management APIs (bundles, status, decision logs) so policies can be distributed and audited centrally
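As an added example (not a policy from the talk or the OPA project), here is a Rego policy of the kind a CI gate job would evaluate; it covers the two ends of the talk's range, gating dependencies and controlling infrastructure. The input shape, the denied-license list, the required job names and the `@sha256:` pinning convention are all assumptions; `import rego.v1` needs OPA 0.59 or later.

```rego
# Hypothetical policy for a GitLab CI gate job (added example, not the speakers' code).
package cicd.gate

import rego.v1

# Assumed input, built by an earlier pipeline job and passed as input.json, e.g.:
# {
#   "dependencies": [
#     {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
#     {"name": "some-db-driver", "version": "2.0.1", "license": "SSPL-1.0"}
#   ],
#   "images": ["registry.example.com/app@sha256:0123abcd", "alpine"],
#   "jobs": ["build", "test", "sast"]
# }

# Licences the organisation does not accept (hypothetical list).
denied_licenses := {"AGPL-3.0-only", "SSPL-1.0"}

# Jobs every pipeline must define (hypothetical list).
required_jobs := {"test", "sast"}

# Dependency gate: any dependency under a denied licence produces a deny message.
deny contains msg if {
	some dep in input.dependencies
	dep.license in denied_licenses
	msg := sprintf("dependency %s@%s uses denied license %s", [dep.name, dep.version, dep.license])
}

# Infrastructure gate: container images must be pinned to a digest, not a mutable tag.
deny contains msg if {
	some img in input.images
	indexof(img, "@sha256:") == -1
	msg := sprintf("image %s is not pinned to a digest", [img])
}

# Pipeline gate: every required job must be present.
deny contains msg if {
	missing := required_jobs - {j | some j in input.jobs}
	some job in missing
	msg := sprintf("required pipeline job %s is missing", [job])
}

# Single decision the CI job can query; undefined (not false) when any deny rule fires.
allow if count(deny) == 0

# In the gate job, one way to run it with the OPA CLI (exit code 1 when any deny message exists):
#   opa eval --format pretty --fail-defined -i input.json -d gate.rego 'data.cicd.gate.deny[_]'
```

For the sample input in the comment, the licence rule and the digest rule each fire (the SSPL dependency and the unpinned `alpine` image), so the job fails and the two messages are printed; the same policy can be served from an OPA sidecar over the REST API instead of the CLI without changing a line of Rego.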
Ecosystem
● API and service authorization with Envoy, Kong, Traefik and others
● authorization policies for SQL, Kafka and others
● container network authorization with Istio and Linkerd
● test policies for Terraform infrastructure changes
● policies for SSH and sudo
● policy and Governance for Kubernetes
● and many more
○ https://www.openpolicyagent.org/docs/latest/ecosystem