🖊️
Notes
  • Notes
  • aws
    • CloudWatch
    • EKS
    • IAM
    • Key Management Service (KMS)
    • security
      • Attacks against AWS infrastructure
    • vpc
      • AWS Transit Gateway
  • azure
    • Azure AD
    • Azure CDN
    • DNS in Azure
    • Hub-spoke network topology
    • Identity and access management
    • Azure Landing zones
    • Storage
  • certifications
    • aws-sa-pro
    • Certified Kubernetes Administrator
  • containers
    • Examples
    • Linux Container Primitives
  • databases
    • Relational databases
  • gcp
    • IAM
  • git
    • Git
  • golang
    • Building Go projects
    • Concurrency
    • Project structure
  • infosec
    • SSH
    • SSL
  • Kubernetes
    • Admission Controllers
    • Autoscaling
    • Debugging
    • Multi-tenancy
    • Network Policies
    • Pod Priority
    • Pod Security Policies
    • Secrets
    • StatefulSet
    • additional-services
      • Debugging ArgoCD RBAC
      • open-policy-agent
  • misc
    • FFmpeg
    • PDFs
  • programming
    • Learning resources
    • concepts
      • Serialization
  • rabbitmq
    • Clustering and HA
    • Shovel plugin
  • shells
    • Bash
  • terraform
    • Moving resources between remote states
  • vim
    • Fzf (plugin)
    • Registers
    • Spell Check
  • linux
    • arch
      • Arch Linux installation
Powered by GitBook
On this page
  • Open Policy Agent (OPA)
  • Gatekeeper
  • Conftest
  • Use Conftest and OPA for Dockerfile checks
  • Use conftest to validate Terraform code
  • Resources
  1. Kubernetes
  2. additional-services

open-policy-agent

Open Policy Agent (OPA)

Policy-based control for cloud native environments

  • Can be used generally with structured data, not only with Kubernetes

  • Uses Rego DSL for its policies

  • Rego is for data queries, it's not general purpose language

  • Can be used to validate manifests, for example "Container must provide app label for pod selectors"

  • Output JSON can passed to external systems, like Gatekeeper

    • Or just respond with AdmissionReview Kubernetes object, so OPA can be plugged to Admission Controller

Gatekeeper

  • Provides more "Kubernetes-native" abstraction and functionalities over OPA

  • Policies are stored as CRDs

  • Constraint Templates

    • Enables you to provide a policy and pass variables during the valuation

  • Gatekeeper provides a library for couple of policy types like PSPs

    • https://github.com/open-policy-agent/gatekeeper/tree/master/library

  • Validating PSPs with web hooks might provide better UX, because apiserver rejects the object instantly, not only then when pod starts

  • Above-mentioned functionality does not use PSPs in the backend, but OPA implements PSP-like behavior

Conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language

  • Policies can be bundled and pushed to registry (like Harbor)

  • Can be run in CI for getting feedback before applying manifests to cluster

  • For example can be used to check Kubernetes API deprecations (https://github.com/swade1987/deprek8ion)

Use Conftest and OPA for Dockerfile checks

  • Conftest and OPA can be used to write for example security checks for Dockerfiles

  • For example, check in CI that latest that tag is not used

  • See https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f for more information

Use conftest to validate Terraform code

  • Conftest and OPA can be used to validate Terraform and create assertions

  • See https://marcyoung.us/post/atlantis-opa

Resources

  • TGI Kubernetes 119: Gatekeeper and OPA - https://www.youtube.com/watch?v=ZJgaGJm9NJE&

  • https://www.openpolicyagent.org/

  • https://play.openpolicyagent.org/

  • https://github.com/open-policy-agent/gatekeeper

  • https://github.com/open-policy-agent/opa

  • https://github.com/open-policy-agent/conftest

  • https://www.conftest.dev/

PreviousDebugging ArgoCD RBACNextmisc

Last updated 4 years ago