SlideShare una empresa de Scribd logo

Policy Enforcement on Kubernetes with OPA

Descargar como PPTX, PDF
VMware Tanzu
VMware Tanzu

SpringOne Platform 2019 Title: Policy Enforcement on Kubernetes with Open Policy Agent Speakers: Aleks Saul, Senior Platform Architect, Pivotal; Jaime Gonzalez Aguilar, Advisory Platform Architect, Pivotal Youtube: https://youtu.be/UN0su8fdGcs

Software
1 de 19
Policy Enforcement on Kubernetes with OPA October 7–10, 2019 Austin Convention Center Aleks Saul & Jaime Gonzalez Aguilar
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Who we are Aleks Saul Sr. Platform Architect, Pivotal Inc. @alekssaul 2 Jaime Gonzalez Aguilar Advisory Platform Architect, Pivotal Inc. @jaimegag
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Agenda ● The Why, What and How of OPA ● OPA Use Cases ● Kubernetes Use Case ● Demo ● Q & A 3
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ What is OPA? 4
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 5 POLICIES GET /salary/{id} #1 AuthZ App Dev #2 AuthZ #3 AuthZ Compliance ??? ???
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Unify policy enforcement across the stack Manage Policy - as - Code Decouple policy from software Why OPA? 6
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA: General-purpose Policy Engine 7 GET /salary/bob HTTP/1.1 Authorization: alice true or false { “method”: “GET”, “path”: [“salary”, “bob”], “User”: “alice” }
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA: General-purpose Policy Engine 8 “Service” refers to any of: ● API Gateway ● Kubernetes API Service ● Custom Service ● CI/CD pipeline script ● etc Output can be any JSON valueInput can be any JSON value:
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ ● Easy to read and write ● Declarative ● Handles complex data Rego: OPA’s policy language 9 package kubernetes.admission deny[msg] { input.request.kind.kind == "Pod" image := input.request.object.spec.containers[_].image not startswith(image, "hooli.com/") msg := sprintf("image fails to come from trusted registry: %v", [image]) }
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 10
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 11 Kubernetes API request workflow ** Further information available in: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/ API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd Mutating Admission Controller Mutating Admission Controller Validating Admission Controller
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 12 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: LoadBalancer
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 13 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml Custom Service Admission Controller Service Type Load Balancer Not Allowed!!! apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: LoadBalancer
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 14 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: ClusterIP Custom Service Admission Controller ClusterIP sounds good to me
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 15 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f ingress.yaml Custom Ingress Admission Controller Ingress Route Not Allowed!!!apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: coolapp spec: rules: - host: www.acmecorp.com http: paths: - backend: serviceName: coolapp servicePort: 80 apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: coolapp spec: rules: - host: www.qa.acmecorp.net http: paths: - backend: serviceName: coolapp servicePort: 80 Ingress Route looks good to me
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 16 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f policy_ingress.yaml deny[msg] { input.request.kind.kind = "Ingress" input.request.operation = "CREATE" host = input.request.object.spec.rules[_].ho st not fqdn_matches_any(host, valid_ingress_hosts) msg = sprintf("invalid ingress host %q", [host]) } valid_ingress_hosts = {host | whitelist = namespaces[input.request.namespace].m etadata.annotations["ingress- whitelist"] hosts = split(whitelist, ",") host = hosts[_] } Custom Ingress Admission Controller package kubernetes.admission import data.kubernetes.namespaces deny[msg] { input.request.kind.kind == "Service" input.request.operation == "CREATE" input.request.object.spec.type == "LoadBalancer" msg = "Service Type LoadBalancer is not allowed" } $ kubectl apply -f policy_service.yaml
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Kubernetes Use Cases 17 ● ServiceType ○ Restrict Cloud Load Balancer ○ Restrict Cloud Load Balancer to internal only ● Registry Whitelist/blacklist ● Ingress ○ Validate domain ○ Validate TLS ● NetworkPolicy validation
Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Demo! � Show Harbor Registry and Image Repository � Show OPA Admission Controller � Show and deploy Policy � Attempt to deploy Pod and show failure � Change to fulfill Policy, deploy Pod and show success
Thank You! Aleks Jaime @alekssaul @jaimegag @OpenPolicyAgent https://www.openpolicyagent.org/ https://github.com/open-policy-agent Open Policy Agent Summit - (KubeCon NA 2019) San Diego, CA November 18, 2019 #springone@s1p

Recomendados

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep DiveTorin Sandall
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 

Recomendados

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep DiveTorin Sandall
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
CNCF opa
CNCF opaCNCF opa
CNCF opaJuraj Hantak
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...Yuichi Nakamura
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes IstioAraf Karsh Hamid
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 
Terraform vs Pulumi
Terraform vs PulumiTerraform vs Pulumi
Terraform vs PulumiHoaiNam307
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Service Mesh - Observability
Service Mesh - ObservabilityService Mesh - Observability
Service Mesh - ObservabilityAraf Karsh Hamid
 
Service Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioService Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioMichelle Holley
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes IstioAraf Karsh Hamid
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...VMware Tanzu
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott AndrewsVMware Tanzu
 

Más contenido relacionado

La actualidad más candente

Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...Yuichi Nakamura
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 
Terraform vs Pulumi
Terraform vs PulumiTerraform vs Pulumi
Terraform vs PulumiHoaiNam307
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Service Mesh - Observability
Service Mesh - ObservabilityService Mesh - Observability
Service Mesh - ObservabilityAraf Karsh Hamid
 
Service Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioService Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioMichelle Holley
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 

La actualidad más candente (20)

Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introduction
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 
Terraform vs Pulumi
Terraform vs PulumiTerraform vs Pulumi
Terraform vs Pulumi
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
Service Mesh - Observability
Service Mesh - ObservabilityService Mesh - Observability
Service Mesh - Observability
 
Service Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioService Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with Istio
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SRE
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 

Similar a Policy Enforcement on Kubernetes with OPA

Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...VMware Tanzu
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott AndrewsVMware Tanzu
 
Better Than BASH: Scripting Kotlin
Better Than BASH: Scripting KotlinBetter Than BASH: Scripting Kotlin
Better Than BASH: Scripting KotlinVMware Tanzu
 
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseSDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseVMware Tanzu
 
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!VMware Tanzu
 
Accelerating the Consumption of APIs Built on Cloud Foundry
Accelerating the Consumption of APIs Built on Cloud FoundryAccelerating the Consumption of APIs Built on Cloud Foundry
Accelerating the Consumption of APIs Built on Cloud FoundryVMware Tanzu
 
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ....NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...VMware Tanzu
 
All you need to know to deploy applications on Kubernetes
All you need to know to deploy applications on KubernetesAll you need to know to deploy applications on Kubernetes
All you need to know to deploy applications on KubernetesOleksandr Slynko
 
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidLiving on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidVMware Tanzu
 
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidLiving on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidVMware Tanzu
 
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...VMware Tanzu
 
Spring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterVMware Tanzu
 
How to Manage Microservices and APIs with Apigee and Istio
How to Manage Microservices and APIs with Apigee and IstioHow to Manage Microservices and APIs with Apigee and Istio
How to Manage Microservices and APIs with Apigee and IstioVMware Tanzu
 
Containerizing a Data Warehouse for Kubernetes
Containerizing a Data Warehouse for KubernetesContainerizing a Data Warehouse for Kubernetes
Containerizing a Data Warehouse for KubernetesVMware Tanzu
 
How to Build More Secure Service Brokers
How to Build More Secure Service BrokersHow to Build More Secure Service Brokers
How to Build More Secure Service BrokersVMware Tanzu
 
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-In
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-InSteeltoe: Develop .NET Microservices Without Cloud Platform Lock-In
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-InVMware Tanzu
 
All You Need to Know to Deploy Applications on Kubernetes
All You Need to Know to Deploy Applications on KubernetesAll You Need to Know to Deploy Applications on Kubernetes
All You Need to Know to Deploy Applications on KubernetesVMware Tanzu
 
Developing Real-Time Data Pipelines with Apache Kafka
Developing Real-Time Data Pipelines with Apache KafkaDeveloping Real-Time Data Pipelines with Apache Kafka
Developing Real-Time Data Pipelines with Apache KafkaJoe Stein
 

Similar a Policy Enforcement on Kubernetes with OPA (20)

Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott Andrews
 
Better Than BASH: Scripting Kotlin
Better Than BASH: Scripting KotlinBetter Than BASH: Scripting Kotlin
Better Than BASH: Scripting Kotlin
 
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and ConcourseSDLC for Pivotal Platform powered by Spring Initializr and Concourse
SDLC for Pivotal Platform powered by Spring Initializr and Concourse
 
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!
PKS Networking with NSX-T: You Focus on your App, We'll Take Care of the Rest!
 
Accelerating the Consumption of APIs Built on Cloud Foundry
Accelerating the Consumption of APIs Built on Cloud FoundryAccelerating the Consumption of APIs Built on Cloud Foundry
Accelerating the Consumption of APIs Built on Cloud Foundry
 
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ....NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...
.NET and Kubernetes: Bringing Legacy .NET Into the Modern World with Pivotal ...
 
Serverless Spring 오충현
Serverless Spring 오충현Serverless Spring 오충현
Serverless Spring 오충현
 
S1P: Spring Cloud on PKS
S1P: Spring Cloud on PKSS1P: Spring Cloud on PKS
S1P: Spring Cloud on PKS
 
All you need to know to deploy applications on Kubernetes
All you need to know to deploy applications on KubernetesAll you need to know to deploy applications on Kubernetes
All you need to know to deploy applications on Kubernetes
 
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidLiving on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
 
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora IberkleidLiving on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
 
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...
Cloud Foundry Services on PKS with No Extra Code, "We Bosh So You Don’t Have ...
 
Spring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan Baxter
 
How to Manage Microservices and APIs with Apigee and Istio
How to Manage Microservices and APIs with Apigee and IstioHow to Manage Microservices and APIs with Apigee and Istio
How to Manage Microservices and APIs with Apigee and Istio
 
Containerizing a Data Warehouse for Kubernetes
Containerizing a Data Warehouse for KubernetesContainerizing a Data Warehouse for Kubernetes
Containerizing a Data Warehouse for Kubernetes
 
How to Build More Secure Service Brokers
How to Build More Secure Service BrokersHow to Build More Secure Service Brokers
How to Build More Secure Service Brokers
 
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-In
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-InSteeltoe: Develop .NET Microservices Without Cloud Platform Lock-In
Steeltoe: Develop .NET Microservices Without Cloud Platform Lock-In
 
All You Need to Know to Deploy Applications on Kubernetes
All You Need to Know to Deploy Applications on KubernetesAll You Need to Know to Deploy Applications on Kubernetes
All You Need to Know to Deploy Applications on Kubernetes
 
Developing Real-Time Data Pipelines with Apache Kafka
Developing Real-Time Data Pipelines with Apache KafkaDeveloping Real-Time Data Pipelines with Apache Kafka
Developing Real-Time Data Pipelines with Apache Kafka
 

Más de VMware Tanzu

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023VMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleVMware Tanzu
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready AppsVMware Tanzu
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And BeyondVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023VMware Tanzu
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptxVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchVMware Tanzu
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishVMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVMware Tanzu
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - FrenchVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

Más de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Último

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 

Último (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 

Policy Enforcement on Kubernetes with OPA

  • 1. Policy Enforcement on Kubernetes with OPA October 7–10, 2019 Austin Convention Center Aleks Saul & Jaime Gonzalez Aguilar
  • 2. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Who we are Aleks Saul Sr. Platform Architect, Pivotal Inc. @alekssaul 2 Jaime Gonzalez Aguilar Advisory Platform Architect, Pivotal Inc. @jaimegag
  • 3. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Agenda ● The Why, What and How of OPA ● OPA Use Cases ● Kubernetes Use Case ● Demo ● Q & A 3
  • 4. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ What is OPA? 4
  • 5. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 5 POLICIES GET /salary/{id} #1 AuthZ App Dev #2 AuthZ #3 AuthZ Compliance ??? ???
  • 6. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Unify policy enforcement across the stack Manage Policy - as - Code Decouple policy from software Why OPA? 6
  • 7. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA: General-purpose Policy Engine 7 GET /salary/bob HTTP/1.1 Authorization: alice true or false { “method”: “GET”, “path”: [“salary”, “bob”], “User”: “alice” }
  • 8. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA: General-purpose Policy Engine 8 “Service” refers to any of: ● API Gateway ● Kubernetes API Service ● Custom Service ● CI/CD pipeline script ● etc Output can be any JSON valueInput can be any JSON value:
  • 9. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ ● Easy to read and write ● Declarative ● Handles complex data Rego: OPA’s policy language 9 package kubernetes.admission deny[msg] { input.request.kind.kind == "Pod" image := input.request.object.spec.containers[_].image not startswith(image, "hooli.com/") msg := sprintf("image fails to come from trusted registry: %v", [image]) }
  • 10. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 10
  • 11. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 11 Kubernetes API request workflow ** Further information available in: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/ API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd Mutating Admission Controller Mutating Admission Controller Validating Admission Controller
  • 12. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 12 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: LoadBalancer
  • 13. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 13 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml Custom Service Admission Controller Service Type Load Balancer Not Allowed!!! apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: LoadBalancer
  • 14. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 14 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f service.yaml apiVersion: v1 kind: Service metadata: name: coolapp labels: app: coolapp spec: ports: - name: coolapp port: 80 selector: app: coolapp type: ClusterIP Custom Service Admission Controller ClusterIP sounds good to me
  • 15. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 15 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f ingress.yaml Custom Ingress Admission Controller Ingress Route Not Allowed!!!apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: coolapp spec: rules: - host: www.acmecorp.com http: paths: - backend: serviceName: coolapp servicePort: 80 apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: coolapp spec: rules: - host: www.qa.acmecorp.net http: paths: - backend: serviceName: coolapp servicePort: 80 Ingress Route looks good to me
  • 16. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OPA In Kubernetes - Why is it needed? 16 API Request API HTTP handler Auth-n Auth-z Mutating admission Object Schema Validation Validating admission Persisted to etcd $ kubectl apply -f policy_ingress.yaml deny[msg] { input.request.kind.kind = "Ingress" input.request.operation = "CREATE" host = input.request.object.spec.rules[_].ho st not fqdn_matches_any(host, valid_ingress_hosts) msg = sprintf("invalid ingress host %q", [host]) } valid_ingress_hosts = {host | whitelist = namespaces[input.request.namespace].m etadata.annotations["ingress- whitelist"] hosts = split(whitelist, ",") host = hosts[_] } Custom Ingress Admission Controller package kubernetes.admission import data.kubernetes.namespaces deny[msg] { input.request.kind.kind == "Service" input.request.operation == "CREATE" input.request.object.spec.type == "LoadBalancer" msg = "Service Type LoadBalancer is not allowed" } $ kubectl apply -f policy_service.yaml
  • 17. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Kubernetes Use Cases 17 ● ServiceType ○ Restrict Cloud Load Balancer ○ Restrict Cloud Load Balancer to internal only ● Registry Whitelist/blacklist ● Ingress ○ Validate domain ○ Validate TLS ● NetworkPolicy validation
  • 18. Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Demo! � Show Harbor Registry and Image Repository � Show OPA Admission Controller � Show and deploy Policy � Attempt to deploy Pod and show failure � Change to fulfill Policy, deploy Pod and show success
  • 19. Thank You! Aleks Jaime @alekssaul @jaimegag @OpenPolicyAgent https://www.openpolicyagent.org/ https://github.com/open-policy-agent Open Policy Agent Summit - (KubeCon NA 2019) San Diego, CA November 18, 2019 #springone@s1p