open-policy-agent


Last updated 4 years ago

Open Policy Agent (OPA)

Policy-based control for cloud native environments

  • Can be used generally with any structured data, not only with Kubernetes

  • Uses the Rego DSL for its policies

  • Rego is a language for querying data; it is not a general-purpose programming language

  • Can be used to validate manifests, for example "Container must provide an app label for pod selectors"

  • The output JSON can be passed to external systems, like Gatekeeper

    • Or OPA can respond directly with a Kubernetes AdmissionReview object, so it can be plugged into an Admission Controller

Gatekeeper

  • Provides a more "Kubernetes-native" abstraction and functionality on top of OPA

  • Policies are stored as CRDs

  • Constraint Templates

    • Let you define a policy once and pass parameters to it at evaluation time

  • Gatekeeper provides a library of ready-made policies for a couple of policy types, such as PSPs

  • Validating PSP-style rules with webhooks may provide a better UX, because the apiserver rejects the object instantly, rather than only when the pod starts

  • The functionality above does not use PSPs in the backend; OPA implements the PSP-like behaviour itself

Conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language

  • Policies can be bundled and pushed to a registry (like Harbor)

  • Can be run in CI to get feedback before applying manifests to the cluster

Use Conftest and OPA for Dockerfile checks

  • Conftest and OPA can be used to write, for example, security checks for Dockerfiles

  • For example, check in CI that the latest tag is not used
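As an added example (not the notes' own code), a Rego policy for Conftest that implements the "no latest tag" Dockerfile check described above; it assumes the field names produced by conftest's Dockerfile parser (`Cmd`, `Value`) and also accepts digest-pinned images and multi-stage aliases, which a plain tag check would reject:

```rego
package main

# Added example (not from the original notes): Conftest policy that rejects a
# Dockerfile whose base image is untagged or uses the mutable "latest" tag.
# Assumed input (conftest's Dockerfile parser): instruction objects with "Cmd"
# (lower-cased, e.g. "from") and "Value" (arguments), flat or grouped per stage.

commands[cmd] {
  cmd := input[_]
  cmd.Cmd
}

commands[cmd] {
  cmd := input[_][_]
  cmd.Cmd
}

# "FROM golang:1.20 AS builder": a later "FROM builder" needs no tag.
stage_aliases[alias] {
  cmd := commands[_]
  cmd.Cmd == "from"
  count(cmd.Value) == 3
  lower(cmd.Value[1]) == "as"
  alias := cmd.Value[2]
}

pinned(image) {
  contains(image, "@")  # digest reference, e.g. image@sha256:<hex>
}

# Explicit tag other than "latest". Only the last path segment is split so a
# registry port ("registry.example.com:5000/app") is not mistaken for a tag.
pinned(image) {
  segments := split(image, "/")
  last := count(segments) - 1
  name := segments[last]
  parts := split(name, ":")
  count(parts) == 2
  parts[1] != "latest"
}

deny[msg] {
  cmd := commands[_]
  cmd.Cmd == "from"
  image := cmd.Value[0]
  image != "scratch"
  not stage_aliases[image]
  not pinned(image)
  msg := sprintf("base image %q must use a tag other than 'latest' or a digest", [image])
}
```

Run it with `conftest test -p policy.rego Dockerfile`; a `FROM nginx` or `FROM nginx:latest` line produces a deny, while `FROM nginx:1.25`, a digest reference or a stage alias passes.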

Use conftest to validate Terraform code

  • Conftest and OPA can be used to validate Terraform code and create assertions about it

Resources

  • Gatekeeper policy library: https://github.com/open-policy-agent/gatekeeper/tree/master/library

  • For example, Conftest can be used to check for Kubernetes API deprecations (https://github.com/swade1987/deprek8ion)

  • See https://blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f for more information on Dockerfile security checks with Conftest

  • See https://marcyoung.us/post/atlantis-opa (Atlantis and OPA)

  • TGI Kubernetes 119: Gatekeeper and OPA - https://www.youtube.com/watch?v=ZJgaGJm9NJE&

  • https://www.openpolicyagent.org/

  • https://play.openpolicyagent.org/

  • https://github.com/open-policy-agent/gatekeeper

  • https://github.com/open-policy-agent/opa

  • https://github.com/open-policy-agent/conftest

  • https://www.conftest.dev/