SlideShare ist ein Scribd-Unternehmen logo

Cloud native policy enforcement with Open Policy Agent

‱Als PPTX, PDF herunterladen‱
‱
L
LibbySchulze

Cloud native policy enforcement with Open Policy Agent

Internet
1 von 32
Policy-based access control An introduction to Open Policy Agent
Anders Eknert ● Developer advocate at Styra ● Software development ● Background in identity systems ● Two years into OPA ● Cooking and food ● Football @anderseknert anderseknert
Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
Goal: Unify policy enforcement across the stack
● Open source general purpose policy engine ● Unified toolset and framework for policy across the stack ● Decouples policy from application logic ● Separates policy decision from enforcement ● Policies written in declarative language Rego ● Popular use cases ranging from kubernetes admission control, microservice authorization, infrastructure, data source filtering, to CI/CD pipeline policies and many more.
Vibrant community ● 160 contributors ● 50+ integrations ● 4500+ Github Stars ● 3600+ Slack users ● 30+ million Docker image pulls ● Ecosystem including Conftest, Gatekeeper, VS Code and IntelliJ editor plugins.
Production users
OPA and Rego
Policy decision model Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value
Policy decision model Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value Request Policy Decision Linux PAM
● OPA runs as a lightweight self-contained server binary. ● OPA ideally deployed as close to service as possible. This usually means on the same host, as a daemon or in a sidecar container. ● Applications communicate with the OPA server through its REST API. ● Go library available for Go applications. ● Envoy/Istio based applications. WASM. Deployment
Policy authoring and Rego ● Declarative high-level policy language used by OPA. ● Policy consists of any number of rules. ● Rules commonly return true/false but may return any type available in JSON, like strings, lists and objects. ● 140+ built-in functions: JWTs, date/time, CIDR math ,etc. ● Policy testing is easy with provided unit test framework. ● Well documented! https://www.openpolicyagent.org/docs/latest/ ● Try it out! https://play.openpolicyagent.org/
Policy data ● JSON Web Tokens ● As part of query input ● Push data ● Bundle API ● http.send function from inside policy
Demo
Kubernetes
The Kubernetes API Authentication kubectl apply -f app.yaml Authorization Mutating admission controller etcd Validating admission controller Before a resource is persisted in etcd must first pass a series of modules
The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Modules are chainable
The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Built-in modules Static token, service account token, client certificate, OpenID Connect. Node, ABAC, RBAC AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds LimitRanger, DenyEscalatingExec
The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Webhook Webhook Webhook Webhook
The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller
The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller
Validating admission controller ● By far the most popular module to extend ● Allows building policy-based guardrails around clusters ● Common policies enforce: ○ Use of internal Docker registry and other image constraints ○ Required labels on resources - team belonging, cost centre, etc ○ Ingress host/path uniqueness ○ HTTPS for services ○ Deny attributes like hostPath volume mounts ○ Limits on resource allocation ○ Pod Security Policies ○ ...anything really
Kubernetes validating admission controller webhook Input Policy Output
Management APIs Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Decision logs Managing OPA at scale ● Bundle API - distribute policy and data from a central location ● Decision log API - allow OPA instances to report back on any decisions made. This may be used for auditing as well as for refinement of policies. ● Status API - allows OPA to send status and health updates to the management server. ● Discovery API - provides OPA instances the option to periodically fetch configuration.
Getting started ● Start small – write a few simple policies and tests. ● Browse the OPA documentation. Get a feel for the basics and the built-ins. ● Consider possible applications near to you - previous apps and libraries you’ve worked with. Consider the informal policies it dealt with. ● Delegate policy responsibilities to OPA. Again, start small! Perhaps a single endpoint to begin somewhere. Deploy and build experience. ● Scale up - consider management, logging, bundle server, etc. ● Styra Academy - https://academy.styra.com ● Styra DAS - http://www.styra.com/das-free ● Join the OPA Slack community! - https://openpolicyagent.slack.com
Thank you!

Empfohlen

Persist your data in an ephemeral k8 ecosystem
Persist your data in an ephemeral k8 ecosystemPersist your data in an ephemeral k8 ecosystem
Persist your data in an ephemeral k8 ecosystemLibbySchulze
 
Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data LakeAshutosh Narkar
 
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioAnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioRoberto Carratala
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
The service mesh management plane
The service mesh management planeThe service mesh management plane
The service mesh management planeLibbySchulze
 
Deploying Anything as a Service (XaaS) Using Operators on Kubernetes
Deploying Anything as a Service (XaaS) Using Operators on KubernetesDeploying Anything as a Service (XaaS) Using Operators on Kubernetes
Deploying Anything as a Service (XaaS) Using Operators on KubernetesAll Things Open
 
Barbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackjarito030506
 
Taking Care of Business at Office Depot with Elastic Cloud Enterprise
Taking Care of Business at Office Depot with Elastic Cloud Enterprise Taking Care of Business at Office Depot with Elastic Cloud Enterprise
Taking Care of Business at Office Depot with Elastic Cloud Enterprise Elasticsearch
 

Empfohlen

Persist your data in an ephemeral k8 ecosystem
Persist your data in an ephemeral k8 ecosystemPersist your data in an ephemeral k8 ecosystem
Persist your data in an ephemeral k8 ecosystemLibbySchulze
 
Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data LakeAshutosh Narkar
 
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioAnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioRoberto Carratala
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
The service mesh management plane
The service mesh management planeThe service mesh management plane
The service mesh management planeLibbySchulze
 
Deploying Anything as a Service (XaaS) Using Operators on Kubernetes
Deploying Anything as a Service (XaaS) Using Operators on KubernetesDeploying Anything as a Service (XaaS) Using Operators on Kubernetes
Deploying Anything as a Service (XaaS) Using Operators on KubernetesAll Things Open
 
Barbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackjarito030506
 
Taking Care of Business at Office Depot with Elastic Cloud Enterprise
Taking Care of Business at Office Depot with Elastic Cloud Enterprise Taking Care of Business at Office Depot with Elastic Cloud Enterprise
Taking Care of Business at Office Depot with Elastic Cloud Enterprise Elasticsearch
 
Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelOdinot Stanislas
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersLinuxCon ContainerCon CloudOpen China
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesKangaroot
 
Scality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality
 
AWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 ServerAWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 ServerScality
 
Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2aspyker
 
Open Source Applied - Real World Use Cases
Open Source Applied - Real World Use CasesOpen Source Applied - Real World Use Cases
Open Source Applied - Real World Use CasesAll Things Open
 
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017Big Data Spain
 
CWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCapgemini
 
Modular Web Applications With Netzke
Modular Web Applications With NetzkeModular Web Applications With Netzke
Modular Web Applications With Netzkenetzke
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backendSebastian Poxhofer
 
Openstack Swift Introduction
Openstack Swift IntroductionOpenstack Swift Introduction
Openstack Swift IntroductionPark YounSung
 
Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSJim Bugwadia
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
Top Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at ScaleTop Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at ScaleSignalFx
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Big Data Spain
 
Introduction to Virtual Kubelet
Introduction to Virtual KubeletIntroduction to Virtual Kubelet
Introduction to Virtual KubeletMitchell Pronschinske
 
Automated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + SensuAutomated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + SensuRundeck
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelOdinot Stanislas
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersLinuxCon ContainerCon CloudOpen China
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesKangaroot
 
Scality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality
 
AWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 ServerAWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 ServerScality
 
Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2aspyker
 
Open Source Applied - Real World Use Cases
Open Source Applied - Real World Use CasesOpen Source Applied - Real World Use Cases
Open Source Applied - Real World Use CasesAll Things Open
 
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017Big Data Spain
 
CWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCapgemini
 
Modular Web Applications With Netzke
Modular Web Applications With NetzkeModular Web Applications With Netzke
Modular Web Applications With Netzkenetzke
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backendSebastian Poxhofer
 
Openstack Swift Introduction
Openstack Swift IntroductionOpenstack Swift Introduction
Openstack Swift IntroductionPark YounSung
 
Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSJim Bugwadia
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
Top Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at ScaleTop Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at ScaleSignalFx
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Big Data Spain
 
Introduction to Virtual Kubelet
Introduction to Virtual KubeletIntroduction to Virtual Kubelet
Introduction to Virtual KubeletMitchell Pronschinske
 
Automated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + SensuAutomated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + SensuRundeck
 

Was ist angesagt? (20)

Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies Intel
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with Datadog
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and Containers
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native Kubernetes
 
Scality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup Presentation
 
AWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 ServerAWS re:Invent 2016 - Scality's Open Source AWS S3 Server
AWS re:Invent 2016 - Scality's Open Source AWS S3 Server
 
Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2
 
Open Source Applied - Real World Use Cases
Open Source Applied - Real World Use CasesOpen Source Applied - Real World Use Cases
Open Source Applied - Real World Use Cases
 
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos GĂłmez at Big Data Spain 2017
 
CWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin docker
 
Modular Web Applications With Netzke
Modular Web Applications With NetzkeModular Web Applications With Netzke
Modular Web Applications With Netzke
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backend
 
Openstack Swift Introduction
Openstack Swift IntroductionOpenstack Swift Introduction
Openstack Swift Introduction
 
Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKS
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing Kubernetes
 
Top Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at ScaleTop Considerations For Operating a Kubernetes Environment at Scale
Top Considerations For Operating a Kubernetes Environment at Scale
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
 
Introduction to Virtual Kubelet
Introduction to Virtual KubeletIntroduction to Virtual Kubelet
Introduction to Virtual Kubelet
 
Automated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + SensuAutomated Remediation with Rundeck + Sensu
Automated Remediation with Rundeck + Sensu
 

Ähnlich wie Cloud native policy enforcement with Open Policy Agent

OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentAnders Eknert
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldAshutosh Narkar
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Practical Data Mesh: Building Decentralized Data Architectures with Event Stream
Practical Data Mesh: Building Decentralized Data Architectures with Event StreamPractical Data Mesh: Building Decentralized Data Architectures with Event Stream
Practical Data Mesh: Building Decentralized Data Architectures with Event StreamEva Mave Ng
 
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...Practical Data Mesh: Building Decentralized Data Architectures with Event Str...
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...Harshana Martin
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Automation Deployments and Gudielines.pptx
Automation Deployments and Gudielines.pptxAutomation Deployments and Gudielines.pptx
Automation Deployments and Gudielines.pptxNikhileshSathyavarap
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdfNilesh Gule
 
Opa microservice authorization
Opa microservice authorizationOpa microservice authorization
Opa microservice authorizationAnders Eknert
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDNico Meisenzahl
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restoregemziebeth
 
Aci presentation
Aci presentationAci presentation
Aci presentationJoe Ryan
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsNebulaworks
 

Ähnlich wie Cloud native policy enforcement with Open Policy Agent (20)

OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
Practical Data Mesh: Building Decentralized Data Architectures with Event Stream
Practical Data Mesh: Building Decentralized Data Architectures with Event StreamPractical Data Mesh: Building Decentralized Data Architectures with Event Stream
Practical Data Mesh: Building Decentralized Data Architectures with Event Stream
 
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...Practical Data Mesh: Building Decentralized Data Architectures with Event Str...
Practical Data Mesh: Building Decentralized Data Architectures with Event Str...
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Automation Deployments and Gudielines.pptx
Automation Deployments and Gudielines.pptxAutomation Deployments and Gudielines.pptx
Automation Deployments and Gudielines.pptx
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdf
 
Opa microservice authorization
Opa microservice authorizationOpa microservice authorization
Opa microservice authorization
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
 
Dynomite @ RedisConf 2017
Dynomite @ RedisConf 2017Dynomite @ RedisConf 2017
Dynomite @ RedisConf 2017
 
Aci presentation
Aci presentationAci presentation
Aci presentation
 
Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
 

Mehr von LibbySchulze

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdfLibbySchulze
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptxLibbySchulze
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsLibbySchulze
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfLibbySchulze
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfLibbySchulze
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxLibbySchulze
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfLibbySchulze
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfLibbySchulze
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxLibbySchulze
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxLibbySchulze
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMLibbySchulze
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfLibbySchulze
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfLibbySchulze
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...LibbySchulze
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...LibbySchulze
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfLibbySchulze
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureLibbySchulze
 

Mehr von LibbySchulze (20)

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdf
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptx
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo Workflows
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdf
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdf
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptx
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdf
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptx
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdf
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdf
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdf
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for Azure
 

KĂŒrzlich hochgeladen

Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceDelhi Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 

KĂŒrzlich hochgeladen (20)

Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 

Cloud native policy enforcement with Open Policy Agent

  • 1. Policy-based access control An introduction to Open Policy Agent
  • 2. Anders Eknert ● Developer advocate at Styra ● Software development ● Background in identity systems ● Two years into OPA ● Cooking and food ● Football @anderseknert anderseknert
  • 3. Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
  • 4. Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
  • 5. Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
  • 6. Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
  • 7. Challenge: Manage policy in increasingly distributed, complex and heterogeneous systems
  • 9.
  • 10. ● Open source general purpose policy engine ● Unified toolset and framework for policy across the stack ● Decouples policy from application logic ● Separates policy decision from enforcement ● Policies written in declarative language Rego ● Popular use cases ranging from kubernetes admission control, microservice authorization, infrastructure, data source filtering, to CI/CD pipeline policies and many more.
  • 11. Vibrant community ● 160 contributors ● 50+ integrations ● 4500+ Github Stars ● 3600+ Slack users ● 30+ million Docker image pulls ● Ecosystem including Conftest, Gatekeeper, VS Code and IntelliJ editor plugins.
  • 13.
  • 16. Policy decision model Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value Request Policy Decision Linux PAM
  • 17. ● OPA runs as a lightweight self-contained server binary. ● OPA ideally deployed as close to service as possible. This usually means on the same host, as a daemon or in a sidecar container. ● Applications communicate with the OPA server through its REST API. ● Go library available for Go applications. ● Envoy/Istio based applications. WASM. Deployment
  • 18. Policy authoring and Rego ● Declarative high-level policy language used by OPA. ● Policy consists of any number of rules. ● Rules commonly return true/false but may return any type available in JSON, like strings, lists and objects. ● 140+ built-in functions: JWTs, date/time, CIDR math ,etc. ● Policy testing is easy with provided unit test framework. ● Well documented! https://www.openpolicyagent.org/docs/latest/ ● Try it out! https://play.openpolicyagent.org/
  • 19. Policy data ● JSON Web Tokens ● As part of query input ● Push data ● Bundle API ● http.send function from inside policy
  • 20. Demo
  • 22. The Kubernetes API Authentication kubectl apply -f app.yaml Authorization Mutating admission controller etcd Validating admission controller Before a resource is persisted in etcd must first pass a series of modules
  • 23. The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Modules are chainable
  • 24. The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Built-in modules Static token, service account token, client certificate, OpenID Connect. Node, ABAC, RBAC AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds LimitRanger, DenyEscalatingExec
  • 25. The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller Webhook Webhook Webhook Webhook
  • 26. The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller
  • 27. The Kubernetes API Authentication kubectl apply -f app.yaml etcd Authorization Mutating admission controller Validating admission controller
  • 28. Validating admission controller ● By far the most popular module to extend ● Allows building policy-based guardrails around clusters ● Common policies enforce: ○ Use of internal Docker registry and other image constraints ○ Required labels on resources - team belonging, cost centre, etc ○ Ingress host/path uniqueness ○ HTTPS for services ○ Deny attributes like hostPath volume mounts ○ Limits on resource allocation ○ Pod Security Policies ○ ...anything really
  • 29. Kubernetes validating admission controller webhook Input Policy Output
  • 30. Management APIs Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Decision logs Managing OPA at scale ● Bundle API - distribute policy and data from a central location ● Decision log API - allow OPA instances to report back on any decisions made. This may be used for auditing as well as for refinement of policies. ● Status API - allows OPA to send status and health updates to the management server. ● Discovery API - provides OPA instances the option to periodically fetch configuration.
  • 31. Getting started ● Start small – write a few simple policies and tests. ● Browse the OPA documentation. Get a feel for the basics and the built-ins. ● Consider possible applications near to you - previous apps and libraries you’ve worked with. Consider the informal policies it dealt with. ● Delegate policy responsibilities to OPA. Again, start small! Perhaps a single endpoint to begin somewhere. Deploy and build experience. ● Scale up - consider management, logging, bundle server, etc. ● Styra Academy - https://academy.styra.com ● Styra DAS - http://www.styra.com/das-free ● Join the OPA Slack community! - https://openpolicyagent.slack.com

Hinweis der Redaktion

  1. Application composed of modules
  2. Application composed of modules
  3. Application composed of modules
  4. Application composed of modules
  5. Application composed of modules
  6. Application composed of modules
  7. Application composed of modules
  8. Application composed of modules
  9. OPA the oracle
  10. OPA the oracle
  11. OPA the oracle
  12. Application composed of modules
  13. Application composed of modules
  14. Application composed of modules
  15. Application composed of modules
  16. Application composed of modules
  17. Application composed of modules
  18. OPA the oracle
  19. Application composed of modules