Using Open Policy Agent to Meet Evolving Policy Requirements
Jeremy Rickard at KubeCon + CloudNativeCon North America 2020
Our team runs a Kubernetes platform for 30+ teams in a variety of commercial and government environments. Each of these environments has different security and compliance requirements, such as PCI and FedRAMP. We must deal with evolving requirements as our tenants pursue new accreditations. While we could implement a variety of mutating and validating webhook implementations to meet our needs, we instead turned to Open Policy Agent (OPA). OPA has allowed us to quickly develop and deploy new policies as these requirements shift and evolve. In this talk, we will look at several concrete examples of how we used OPA to implement our changing Kubernetes policy requirements and help our tenants achieve a variety of compliance certifications, while at the same time striving to make these security policies as unobtrusive as possible to their existing CI/CD pipelines and workflows.