GitOps is a great way to reliably and securely deploy both the infrastructure and applications in the context of Kubernetes. In this talk we will have a look at how we can use CNCF Open Policy Agent (OPA) to define and enforce policies along the entire supply chain. For example, an OPA Rego-based bot can review Git commits and automatically provide feedback, and in the runtime space the Gatekeeper project can be of great value. Link to YouTube Video of this talk: https://youtu.be/Xe0PDeENMoE Speaker: Michael Hausenblas, Developer Advocate, AWS Bio: Michael is a Developer Advocate at AWS, part of the container service team, focusing on container security. Michael shares his experience around cloud native infrastructure and apps through demos, blog posts, books, and public speaking engagements as well as contributes to open source software. Before AWS, Michael worked at Red Hat, Mesosphere, MapR and in two research institutions in Ireland and Austria.

1. © 2020, Amazon Web Services, Inc. or its Affiliates.
Defining and Enforcing Policies the GitOps Way
Michael Hausenblas, AWS
Weave Online User Group, 2020-05-05

2. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
$ whoami
• Senior Product Developer Advocate in the
AWS container service team
• Previous roles: Red Hat, Mesosphere, MapR, research
• Let’s connect:
• Slack: AWS dev, Kubernetes, CNCF, Weaveworks
• Twitter: @mhausenblas
• Mail: hausenbl@amazon.com

3. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
programming-kubernetes.info kubernetes-security.info
Current books

4. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Open Policy Agent (OPA)

5. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
• A general-purpose policy engine
• CNCF Incubating Project https://www.openpolicyagent.org
• Many integrations, from Kubernetes to WASM
What is OPA?

6. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
How does OPA work?

7. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Example 1: counting
policy
data
OPA
query
play.openpolicyagent.org/p/bOlISBZwB3

8. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Example 2: finding reviewers
policy
data
OPA
query
play.openpolicyagent.org/p/VPe2sIy5PU

9. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Example 3: verifying approvals
policy
data
OPA
query
play.openpolicyagent.org/p/HJ8124kLZ7

10. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Kubernetes example
security good practice: use a dedicated service account for an app
check for serviceAccountName in Deployment, if not set the default SA
is used and this means we have a violation

11. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Using OPA openpolicyagent.org/docs/latest/integration/
OPA
app
HTTP API
Go app
OPA
example: mhausenblas/cidrchk
example: open-policy-agent/kube-mgmt

12. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Supply Chain

13. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
GitOps supply chain concept
code repo
config repo
CI container registry Kubernetes cluster

14. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Policy use cases along the supply chain
• In the context of the IDE/editor
• Part of the repo (bot)
• Part of the CI pipeline
• Part of the runtime (Kubernetes)

15. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Editor plugin
open-policy-agent/vscode-opa

16. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Repo action or CI
instrumenta/conftest-action swade1987/deprek8ion

17. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
In Kubernetes: Gatekeeper
open-policy-agent/gatekeeper

18. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
In Kubernetes: Gatekeeper
open-policy-agent/gatekeeper

19. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Resources

20. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Videos
• Deep Dive: Open Policy Agent
• CNCF webinar: K8s with OPA Gatekeeper
• cloud native dev: Open Policy Agent (OPA)
Tooling
• https://play.openpolicyagent.org
• https://conftest.dev

21. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
• https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-
governance-for-kubernetes/
• https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-
amazon-eks
• https://opensource.com/article/20/3/deprek8
• https://www.infracloud.io/opa-microservices-authorization-simplified/
• https://marcyoung.us/post/gatekeeper-v3/
Articles

22. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Q & A