SlideShare a Scribd company logo

Opa gatekeeper

Rita Zhang
Rita Zhang

Open Policy Agent Gatekeeper - Enforce policies and strengthen governance for Kubernetes

Technology
1 of 21
Download to read offline
OPA Gatekeeper Policy and Governance for Kubernetes Max Smythe (@maxsmythe, Google) Rita Zhang (@ritazzhang, Microsoft) Photo by Pedro Velasco on Unsplash
A customizable Kubernetes admission webhook that helps enforce policies and strengthen governance
Motivation Primary user needs: ● Customizable admission via configuration (not code) ● Awareness of current cluster state (not just the 1 operation user is performing)
How we got here December 2018 (KubeCon Seattle) December 2017 (KubeCon Austin) July 2017 May 2019 (KubeCon Barcelona) Styra releases v1 (kube-mgmt) v1 in production Microsoft releases v2 (kpc) and donates to OPA v3 released Intuit/CapitalOne describe using v1 in production
OPA + kube-mgmt (aka OPA Gatekeeper v1.0) apiserver Admission Controller OPAKube-Mgmt Policies in ConfigMap Pod Ingress Service Deploy Config CRD Watch Admission Control Request Replicate Kubernetes ● Validating and mutating admission control. ● Policies in raw Rego (OPA’s policy language) ● Policies stored in ConfigMaps with syntax-errors reported as annotations ● Donated by Styra ● Used by dozens of companies
K8s Policy Controller (aka OPA Gatekeeper v2.0) apiserver Admission Controller OPA Kube-Mgmt Policies in ConfigMap Pod Ingress Service Deploy Config CRD Watch Admission Review ReplicateKubernetes ● Validating and mutating admission control. Authorization. Audit. ● Policies in raw Rego (OPA’s policy language) ● Policies stored in ConfigMaps with syntax-errors reported as annotations ● Full architecture ● Donated by Microsoft to CNCF/OPA KPC AuthZ Webhook AuthZ Audit request Query
OPA Gatekeeper v3.0 apiserver Admission Controller Policy Template CRD Pod Ingress Service Deploy Config CRD Watch Admission Review Replicate Kubernetes ● Validating admission. Audit. CICD. ● Policy templates (Rego) and instances ● Policies stored in CRDs ● Audit results stored on policy CRDs ● Full architecture ● Google, Microsoft, Redhat, CBA, Styra ● “Gatekeeper” donated by Replicated ● Built with kubebuilder AuthZ Webhook AuthZ Query Policy Instance CRD OPA Audit results Gatekeeper
Example Policies ● All namespaces must have a label that lists a point-of-contact ● All pods must have an upper bound for resource usage ● All images must be from an approved repository ● Services must all have globally unique selectors
Constraint Properties ● AND-ed together ○ Adding can only constrain, removing can only loosen ○ One rejection => whole request rejection ● Schema validation ○ Less error-prone ● Selection semantics ○ Only constrain certain kinds ○ Only constrain resources in a certain namespace ○ Use a label selector
Constraints Define scope-of-enforcement Describe intent apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: [""] kinds: ["Namespace"] parameters: message: "All namespaces must have an `owner` label that points to your company username" labels: - key: owner allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
Data Replication ● Constraints that compare against other objects in the cluster ○ Require replication of existing objects in the cluster ● Replication is defined via the config resource apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: gatekeeper-system spec: sync: syncOnly: - kind: Service version: v1 - kind: Pod version: v1 - kind: Namespace version: v1
Audit ● Periodically evaluates resources against constraints ● Allows for ongoing monitoring of cluster state to aid in detection and remediation of pre-existing misconfigurations ● Objects to be audited must be replicated ● Exposes results via the status field of the constraint
apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username status: auditTimestamp: "2019-05-11T01:46:13Z" enforced: true violations: - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: default - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: gatekeeper-system - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: kube-public - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: kube-system Violations Audit Results Time of Audit
Constraint Templates ● Rego rule signature ○ If the rule matches, the constraint is violated ● Schema for Constraint Parameters ● Matching semantics provided by the system ○ Currently we can select off of Group/Version/Kind, namespace, or labelSelector ○ As more ways of specifying scope are discovered, existing constraints get them for free
ConstraintTemplate Source Code Schema for input parameters deny[{"msg": msg}] rules are executed apiVersion: templates.gatekeeper.sh/v1alpha1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels listKind: K8sRequiredLabelsList plural: k8srequiredlabels singular: k8srequiredlabels validation: # Schema for the `parameters` field openAPIV3Schema: properties: message: type: string labels: type: array items: type: object properties: key: type: string allowedRegex: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels # helper libraries and additional tests (e.g. regex match) not shown deny[{"msg": msg, "details": {"missing_labels":missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.constraint.spec.parameters.labels[_]} missing := required - provided count(missing) > 0 def_msg := sprintf("you must provide labels: %v", [missing]) msg := get_message(input.constraint, def_msg) }
Code Reuse! ● Gatekeeper provides the admission system ● Policies/Rules are implemented through constraints ● Constraints are parameterized and easily configurable by admins ● ConstraintTemplates provide the source code for constraints ○ Easily shared ○ Testable ○ Developed internally or sourced from the community ● Portable to other systems ○ e.g. CI/CD pipelines Photo by Judith Prins on Unsplash
Demo
Project Status ● Alpha ● Come help! ○ Issues ○ Feedback ○ User stories ○ Development Cooking... but tasty Photo by Tikkho Maciel on Unsplash
Potential Growth ● Mutation ● External Data ● Authorization? (likely separate project, same general semantics) ● More audit features ● Metrics ● Developer tooling ● Dry run
Thank You Open Policy Agent Community Andrew Block (Red Hat) Craig Hooper (Commonwealth Bank AU) Lachlan Evenson (Microsoft) Nikhil Bhatia (Confluent, ex-Microsoft) Marc Campbell (Replicated) Dexter Horthy (Replicated) Tim Hinrichs (Styra) Torin Sandall (Styra)
Join Us! OPA Gatekeeper github.com/open-policy-agent/gatekeeper Open Policy Agent openpolicyagent.org github.com/open-policy-agent/opa Community slack.openpolicyagent.org #kubernetes-policy Meetings Tue @2p Pacific

Recommended

Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operatorsJ On The Beach
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 

Recommended

Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operatorsJ On The Beach
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networkingSim Janghoon
 
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...Amazon Web Services
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overviewGabriel Carro
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introductionSparkbit
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetescraigbox
 
Kubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setKubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setTerry Cho
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsSIGHUP
 
CNCF opa
CNCF opaCNCF opa
CNCF opaJuraj Hantak
 
Exploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on KubernetesExploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on KubernetesRed Hat Developers
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview Krishna-Kumar
 
Monitoring Microservices
Monitoring MicroservicesMonitoring Microservices
Monitoring MicroservicesWeaveworks
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helmJeeva Chelladhurai
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveKubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveSanjeev Rampal
 
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...KubeAcademy
 

More Related Content

What's hot

Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networkingSim Janghoon
 
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...Amazon Web Services
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overviewGabriel Carro
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introductionSparkbit
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetescraigbox
 
Kubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setKubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setTerry Cho
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsSIGHUP
 
Exploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on KubernetesExploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on KubernetesRed Hat Developers
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview Krishna-Kumar
 
Monitoring Microservices
Monitoring MicroservicesMonitoring Microservices
Monitoring MicroservicesWeaveworks
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 

What's hot (20)

Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networking
 
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo...
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
 
Kubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setKubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful set
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Exploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on KubernetesExploring the power of OpenTelemetry on Kubernetes
Exploring the power of OpenTelemetry on Kubernetes
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
Monitoring Microservices
Monitoring MicroservicesMonitoring Microservices
Monitoring Microservices
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helm
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
 

Similar to Opa gatekeeper

Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveKubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveSanjeev Rampal
 
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...KubeAcademy
 
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019UA DevOps Conference
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Operator SDK for K8s using Go
Operator SDK for K8s using GoOperator SDK for K8s using Go
Operator SDK for K8s using GoCloudOps2005
 
Anthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsAnthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsGreg Castle
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetesdtoledo67
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...NETWAYS
 
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the DatacenterKubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the DatacenterKevin Lynch
 
Kubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsKubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsDigitalOcean
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWSGrant Ellis
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWSGrant Ellis
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...confluent
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Idan Atias
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes WorkloadsJim Bugwadia
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Opcito Technologies
 

Similar to Opa gatekeeper (20)

Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveKubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
 
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
 
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Kubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseKubernetes basics and hands on exercise
Kubernetes basics and hands on exercise
 
Operator SDK for K8s using Go
Operator SDK for K8s using GoOperator SDK for K8s using Go
Operator SDK for K8s using Go
 
Anthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsAnthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applications
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
stackconf 2021 | Embracing change: Policy-as-code for Kubernetes with OPA and...
 
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the DatacenterKubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the Datacenter
 
Kubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsKubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby Steps
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWS
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWS
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
 
K8s vs Cloud Foundry
K8s vs Cloud FoundryK8s vs Cloud Foundry
K8s vs Cloud Foundry
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
 

More from Rita Zhang

Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiRita Zhang
 
Training TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureTraining TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureRita Zhang
 
Training TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureTraining TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureRita Zhang
 
Build Your Own Face Detection Bot
Build Your Own Face Detection BotBuild Your Own Face Detection Bot
Build Your Own Face Detection BotRita Zhang
 
Managing Your Infrastructure on Azure using SaltStack
Managing Your Infrastructure on Azure using SaltStackManaging Your Infrastructure on Azure using SaltStack
Managing Your Infrastructure on Azure using SaltStackRita Zhang
 
Building blocks for building bots
Building blocks for building botsBuilding blocks for building bots
Building blocks for building botsRita Zhang
 

More from Rita Zhang (6)

Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csi
 
Training TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureTraining TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on Azure
 
Training TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on AzureTraining TensorFlow Models at Scale with Kubernetes on Azure
Training TensorFlow Models at Scale with Kubernetes on Azure
 
Build Your Own Face Detection Bot
Build Your Own Face Detection BotBuild Your Own Face Detection Bot
Build Your Own Face Detection Bot
 
Managing Your Infrastructure on Azure using SaltStack
Managing Your Infrastructure on Azure using SaltStackManaging Your Infrastructure on Azure using SaltStack
Managing Your Infrastructure on Azure using SaltStack
 
Building blocks for building bots
Building blocks for building botsBuilding blocks for building bots
Building blocks for building bots
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Opa gatekeeper

  • 1. OPA Gatekeeper Policy and Governance for Kubernetes Max Smythe (@maxsmythe, Google) Rita Zhang (@ritazzhang, Microsoft) Photo by Pedro Velasco on Unsplash
  • 2. A customizable Kubernetes admission webhook that helps enforce policies and strengthen governance
  • 3. Motivation Primary user needs: ● Customizable admission via configuration (not code) ● Awareness of current cluster state (not just the 1 operation user is performing)
  • 4. How we got here December 2018 (KubeCon Seattle) December 2017 (KubeCon Austin) July 2017 May 2019 (KubeCon Barcelona) Styra releases v1 (kube-mgmt) v1 in production Microsoft releases v2 (kpc) and donates to OPA v3 released Intuit/CapitalOne describe using v1 in production
  • 5. OPA + kube-mgmt (aka OPA Gatekeeper v1.0) apiserver Admission Controller OPAKube-Mgmt Policies in ConfigMap Pod Ingress Service Deploy Config CRD Watch Admission Control Request Replicate Kubernetes ● Validating and mutating admission control. ● Policies in raw Rego (OPA’s policy language) ● Policies stored in ConfigMaps with syntax-errors reported as annotations ● Donated by Styra ● Used by dozens of companies
  • 6. K8s Policy Controller (aka OPA Gatekeeper v2.0) apiserver Admission Controller OPA Kube-Mgmt Policies in ConfigMap Pod Ingress Service Deploy Config CRD Watch Admission Review ReplicateKubernetes ● Validating and mutating admission control. Authorization. Audit. ● Policies in raw Rego (OPA’s policy language) ● Policies stored in ConfigMaps with syntax-errors reported as annotations ● Full architecture ● Donated by Microsoft to CNCF/OPA KPC AuthZ Webhook AuthZ Audit request Query
  • 7. OPA Gatekeeper v3.0 apiserver Admission Controller Policy Template CRD Pod Ingress Service Deploy Config CRD Watch Admission Review Replicate Kubernetes ● Validating admission. Audit. CICD. ● Policy templates (Rego) and instances ● Policies stored in CRDs ● Audit results stored on policy CRDs ● Full architecture ● Google, Microsoft, Redhat, CBA, Styra ● “Gatekeeper” donated by Replicated ● Built with kubebuilder AuthZ Webhook AuthZ Query Policy Instance CRD OPA Audit results Gatekeeper
  • 8. Example Policies ● All namespaces must have a label that lists a point-of-contact ● All pods must have an upper bound for resource usage ● All images must be from an approved repository ● Services must all have globally unique selectors
  • 9. Constraint Properties ● AND-ed together ○ Adding can only constrain, removing can only loosen ○ One rejection => whole request rejection ● Schema validation ○ Less error-prone ● Selection semantics ○ Only constrain certain kinds ○ Only constrain resources in a certain namespace ○ Use a label selector
  • 10. Constraints Define scope-of-enforcement Describe intent apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: [""] kinds: ["Namespace"] parameters: message: "All namespaces must have an `owner` label that points to your company username" labels: - key: owner allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
  • 11. Data Replication ● Constraints that compare against other objects in the cluster ○ Require replication of existing objects in the cluster ● Replication is defined via the config resource apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: gatekeeper-system spec: sync: syncOnly: - kind: Service version: v1 - kind: Pod version: v1 - kind: Namespace version: v1
  • 12. Audit ● Periodically evaluates resources against constraints ● Allows for ongoing monitoring of cluster state to aid in detection and remediation of pre-existing misconfigurations ● Objects to be audited must be replicated ● Exposes results via the status field of the constraint
  • 13. apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username status: auditTimestamp: "2019-05-11T01:46:13Z" enforced: true violations: - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: default - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: gatekeeper-system - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: kube-public - kind: Namespace message: All namespaces must have an `owner` label that points to your company username name: kube-system Violations Audit Results Time of Audit
  • 14. Constraint Templates ● Rego rule signature ○ If the rule matches, the constraint is violated ● Schema for Constraint Parameters ● Matching semantics provided by the system ○ Currently we can select off of Group/Version/Kind, namespace, or labelSelector ○ As more ways of specifying scope are discovered, existing constraints get them for free
  • 15. ConstraintTemplate Source Code Schema for input parameters deny[{"msg": msg}] rules are executed apiVersion: templates.gatekeeper.sh/v1alpha1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels listKind: K8sRequiredLabelsList plural: k8srequiredlabels singular: k8srequiredlabels validation: # Schema for the `parameters` field openAPIV3Schema: properties: message: type: string labels: type: array items: type: object properties: key: type: string allowedRegex: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels # helper libraries and additional tests (e.g. regex match) not shown deny[{"msg": msg, "details": {"missing_labels":missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.constraint.spec.parameters.labels[_]} missing := required - provided count(missing) > 0 def_msg := sprintf("you must provide labels: %v", [missing]) msg := get_message(input.constraint, def_msg) }
  • 16. Code Reuse! ● Gatekeeper provides the admission system ● Policies/Rules are implemented through constraints ● Constraints are parameterized and easily configurable by admins ● ConstraintTemplates provide the source code for constraints ○ Easily shared ○ Testable ○ Developed internally or sourced from the community ● Portable to other systems ○ e.g. CI/CD pipelines Photo by Judith Prins on Unsplash
  • 17. Demo
  • 18. Project Status ● Alpha ● Come help! ○ Issues ○ Feedback ○ User stories ○ Development Cooking... but tasty Photo by Tikkho Maciel on Unsplash
  • 19. Potential Growth ● Mutation ● External Data ● Authorization? (likely separate project, same general semantics) ● More audit features ● Metrics ● Developer tooling ● Dry run
  • 20. Thank You Open Policy Agent Community Andrew Block (Red Hat) Craig Hooper (Commonwealth Bank AU) Lachlan Evenson (Microsoft) Nikhil Bhatia (Confluent, ex-Microsoft) Marc Campbell (Replicated) Dexter Horthy (Replicated) Tim Hinrichs (Styra) Torin Sandall (Styra)
  • 21. Join Us! OPA Gatekeeper github.com/open-policy-agent/gatekeeper Open Policy Agent openpolicyagent.org github.com/open-policy-agent/opa Community slack.openpolicyagent.org #kubernetes-policy Meetings Tue @2p Pacific