Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Based CI/CD
0 likes169 views
This document discusses using Open Policy Agent (OPA) to enhance compliance and governance in CI/CD pipelines. It introduces OPA as a general-purpose policy engine that uses a declarative policy language to decouple application logic from policy decisions. The document explains how OPA works, including its Rego policy language and built-in functions. It provides examples of using OPA for tasks like validating Kubernetes manifests and Terraform configuration changes.
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Based CI/CD
- 1. Enhance Your Compliance and Governance With Policy-Based CI/CD Continuous Lifecycle & Container Conf 2021
- 2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2021 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
- 3. Agenda • Why do we need compliance and governance in CI/CD? • What is Open Policy Agent and how does it work? • How to get started – demo time © white duck GmbH 2021
- 4. Why do we need governance? • Regulatory compliance: comply with relevant laws, policies, and regulations • Standards: adhere to established and standard requirements • Contractual commitments: like vendor agreements, customers contracts • Corporate requirements: rules and policies defined by the company to comply with its needs © white duck GmbH 2021
- 5. Compliance and governance in CI/CD? Shift Left! • rises awareness • defines the “how” around the “what” of the pipeline • security and compliance gates • ensures requirements are always met © white duck GmbH 2021
- 6. Open Policy Agent (OPA) “policy-based control for cloud native environments” • general-purpose policy engine across your stack • graduated CNCF project introduced by styra • declarative policy language • decoupled the application logic from policy decisions • REST API with sidecar or daemon • Golang library or Wasm module • provides APIs for easy management © white duck GmbH 2021
- 7. © white duck GmbH 2021
- 8. Ecosystem • API and service authorization with Envoy, Kong, Traefik, … • authorization policies for SQL, Kafka, … • container network authorization with Istio and Linkerd • test policies for Terraform infrastructure changes • policies for SSH and sudo • policy and governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem © white duck GmbH 2021
- 10. How OPA works
- 11. Rego • “ray-go” • declarative Policy Language • ”is Nico allowed to POST a payload to /api?” • rules commonly return true/false • but may return any value • 140+ build-in functions • date/time, string, ... • Regex • JWT validation © white duck GmbH 2021
- 12. How OPA works
- 13. How to get started • OPA playground • https://play.openpolicyagent.org • docs • https://www.openpolicyagent.org/docs • OPA CLI • opa run (server) • opa eval (swiss-army knife)
- 14. Demos • Terraform change validation with GitLab CI/CD • Kubernetes manifest security validation with GitHub Actions • further samples • dependency deny list • https://play.openpolicyagent.org/p/b0n6CHElcw • Kubernetes Ingress validation • https://play.openpolicyagent.org/p/5o1UFjIl0S © white duck GmbH 2021
- 15. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demos: • https://gitlab.com/nico-meisenzahl/demo-opa-terraform-validation • https://github.com/nmeisenzahl/demo-opa-cicd-validation © white duck GmbH 2021 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org