Talk from the Cloud Engineering Summit, all about applying policy to configuration. Covers Open Policy Agent, Conftest and some of the integrated options in Pulumi.
policy (noun [C], UK /ˈpɒl.ə.si/, US /ˈpɑː.lə.si/): a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party. (Cambridge Dictionary)

Some example policies:

- All Go projects should have been updated to use Go 1.13
- All EC2 instances should have tags showing which team owns them
- Dockerfiles should not use FROM with images tagged latest
Open Policy Agent (github.com/open-policy-agent/opa)

How OPA fits in: a service sends OPA a query (any JSON value, such as a request or an event); OPA evaluates it against policy written in Rego (.rego files) and data (JSON) and returns a decision (any JSON value).

Declarative: express policy in a high-level, declarative language that promotes safe, performant, fine-grained controls. Use a language purpose-built for policy in a world where JSON is pervasive.

Context-aware: leverage external information to write the policies you really care about. Write logic that adapts to the world around it and attach that logic to the systems that need it.
Write your policies

```rego
# Conftest evaluates rules in package main by default.
package main

deny[msg] {
  input.kind = "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}
```

Reading the rule: we should deny any input for which "Deployment" is the value for kind and runAsNonRoot is not true.
Write unit tests for Rego in Rego

```rego
test_blank_input {
  no_violations with input as {}
}

test_correctly_encrypted_azure_disk {
  # The input literal was cut off on the slide at this point.
  no_violations with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryp
}

test_unencrypted_azure_disk {
  # The input literal was cut off on the slide at this point.
  deny["Azure disk `sample` is not encrypted"] with input as {"resource": {"azurerm_managed_di
}
```
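As an added example (not from the talk's slides), the Deployment rule above is carried further the way a practitioner would usually want: it covers the other workload kinds that embed a pod template, and it accounts for the container-level securityContext, which can set or override the pod-level runAsNonRoot, with unit tests in the same style as the slide. The workload_kinds set, the runs_as_non_root helper and the sample inputs are assumptions constructed for this example; `conftest verify` runs the test_ rules.

```rego
package main

# Assumed set of kinds whose pod template lives at spec.template.spec.
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}
pod_runs_as_non_root {
  input.spec.template.spec.securityContext.runAsNonRoot == true
}

# A container's own securityContext wins; otherwise the pod setting applies.
runs_as_non_root(container) {
  container.securityContext.runAsNonRoot == true
}

runs_as_non_root(container) {
  not container.securityContext.runAsNonRoot == false
  pod_runs_as_non_root
}

deny[msg] {
  workload_kinds[input.kind]
  container := input.spec.template.spec.containers[_]
  not runs_as_non_root(container)
  msg := sprintf("%v/%v: container %v must run as non-root (set runAsNonRoot: true)",
    [input.kind, input.metadata.name, container.name])
}

no_violations {
  count(deny) == 0
}

# Tests use constructed inputs; `conftest verify` runs the test_ rules.
test_pod_level_setting_is_enough {
  no_violations with input as {"kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"securityContext": {"runAsNonRoot": true},
      "containers": [{"name": "app", "image": "app:1.0"}]}}}}
}

test_container_override_is_denied {
  count(deny) == 1 with input as {"kind": "StatefulSet", "metadata": {"name": "db"},
    "spec": {"template": {"spec": {"securityContext": {"runAsNonRoot": true},
      "containers": [{"name": "db", "securityContext": {"runAsNonRoot": false}}]}}}}
}

test_only_containers_with_their_own_setting_pass {
  count(deny) == 1 with input as {"kind": "Job", "metadata": {"name": "batch"},
    "spec": {"template": {"spec": {"containers": [
      {"name": "ok", "securityContext": {"runAsNonRoot": true}},
      {"name": "bad"}]}}}}
}
```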
Any configuration format: Conftest currently supports YAML, JSON, INI, TOML, HOCON, HCL, CUE, Dockerfile, EDN, VCL, XML and Jsonnet.

Lots of infrastructure use cases: Pulumi, Terraform, Azure Resource Manager, AWS CloudFormation, Varnish, Dockerfile, Envoy, CircleCI configuration, Tekton, Kubernetes and lots more.

Test any configuration file or structured output: anything that outputs, or takes as input, structured data in a standard format.
Modern Infrastructure as Code: create and deploy cloud software that uses containers, serverless functions, hosted services, and infrastructure, on any cloud. Describe infrastructure in TypeScript, Python, Go or .NET.

```typescript
let aws = require("@pulumi/aws");

let sg = new aws.ec2.SecurityGroup("web-sg", {
  ingress: [{ protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] }],
});

for (let i = 0; i < 3; i++) {
  new aws.ec2.Instance(`web-${i}`, {
    ami: "ami-7172b611",
    instanceType: "t2.micro",
    securityGroups: [sg.name],
    userData: `#!/bin/bash
echo "Hello, World!" > index.html
nohup python -m SimpleHTTPServer 80 &`,
  });
}
```
Output to YAML with Pulumi (beta)

```python
from pulumi_kubernetes import Provider

# Instantiate a Kubernetes Provider and specify the render directory.
render_provider = Provider("k8s-yaml-rendered", render_yaml_to_directory="yaml")
```

```typescript
import * as k8s from "@pulumi/kubernetes";
import * as kx from "@pulumi/kubernetesx";

// Instantiate a Kubernetes Provider and specify the render directory.
const provider = new k8s.Provider("render-yaml", {
  renderYamlToDirectory: "rendered",
});
```
Lots of tools output JSON: any tool that can output to one of the structured formats supported by Conftest can be tested with Open Policy Agent. This provides a rules engine for anything from kubectl to aws to snyk, and is useful for checking output as well as input. The snyk output below is cut off on the slide:

```
$ snyk container test your/image --json
...
{
  "title": "CVE-2019-9619",
  "packageName": "systemd",
  "language": "linux",
  "packageManager": "debian:10",
  "description": "...",
  "identifiers": {
    "CVE": [
      "CVE-2019-9619"
    ],
  },
  "severity": "low",
  "references": [
    {
      "title": "Debian Security Tracker",
      "url": "https://security-tracker.debian.o
```
Prohibiting high severity vulnerabilities

Rego for the JSON output from snyk. Here we're saying we want to prohibit any images with known high-severity vulnerabilities:

```rego
package main

deny[msg] {
  issue = input.vulnerabilities[index]
  issue.severity = "high"
  msg = sprintf("High severity issue found. package: %v issue: %v", [issue.name, issue.title])
}
```
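An added example (not from the talk) that carries the snyk rule further: it blocks both high and critical findings, lets documented exceptions through via a data document, and reports medium findings as Conftest warnings instead of failures. The data.exceptions.cves document, the accepted helper and the sample findings are constructed for this example; `conftest test --data` is how such a document would be supplied.

```rego
package main

blocked_severities := {"high", "critical"}

# Risk-accepted CVE ids are supplied out of band as data.exceptions.cves
# (for example with `conftest test --data exceptions.yaml`); constructed here.
accepted(issue) {
  data.exceptions.cves[_] == issue.identifiers.CVE[_]
}

deny[msg] {
  issue := input.vulnerabilities[_]
  blocked_severities[issue.severity]
  not accepted(issue)
  msg := sprintf("%v severity issue found. package: %v issue: %v",
    [issue.severity, issue.packageName, issue.title])
}

# Medium findings are reported but do not fail the check.
warn[msg] {
  issue := input.vulnerabilities[_]
  issue.severity == "medium"
  msg := sprintf("medium severity issue found. package: %v issue: %v",
    [issue.packageName, issue.title])
}

# Constructed sample in the shape of `snyk container test --json` output.
sample := {"vulnerabilities": [
  {"title": "CVE-2019-9619", "packageName": "systemd", "severity": "low",
    "identifiers": {"CVE": ["CVE-2019-9619"]}},
  {"title": "CVE-EXAMPLE-0001", "packageName": "libexample", "severity": "high",
    "identifiers": {"CVE": ["CVE-EXAMPLE-0001"]}},
  {"title": "CVE-EXAMPLE-0002", "packageName": "libother", "severity": "critical",
    "identifiers": {"CVE": ["CVE-EXAMPLE-0002"]}},
  {"title": "CVE-EXAMPLE-0003", "packageName": "libthird", "severity": "medium",
    "identifiers": {"CVE": ["CVE-EXAMPLE-0003"]}}]}

test_high_and_critical_are_denied {
  count(deny) == 2 with input as sample with data.exceptions as {"cves": []}
}

test_accepted_cve_is_not_denied {
  count(deny) == 1 with input as sample with data.exceptions as {"cves": ["CVE-EXAMPLE-0001"]}
}

test_medium_only_warns {
  count(warn) == 1 with input as sample with data.exceptions as {"cves": []}
}
```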
Sharing via Git, HTTP, S3 and more

Pull policies from remote locations. Support for local files, Git, Mercurial, HTTP, Amazon S3, Google GCP.

```shell
$ conftest pull bucket.s3.amazonaws.com/foo

# Note here we're only getting the contents of a specific subdirectory, policy
$ conftest pull github.com/garethr/pulumi-okteto-conftest-demo.git//policy
```
Sharing via OCI registries

```shell
$ conftest push ghcr.io/garethr/pulumi-okteto-conftest-demo/policy
...
$ conftest pull oci://ghcr.io/garethr/pulumi-okteto-conftest-demo/policy:latest
```

Powered by the OCI Artifacts specification. Not supported by all registries yet, but ACR, ECR, GitHub Container Registry, Harbor and more support this capability now.
Sharing via Pulumi

```shell
$ pulumi policy publish
$ pulumi policy ls
NAME        VERSIONS
kubernetes  1
$ pulumi policy enable garethr/kubernetes 1
```

Pulumi's commercial service has sharing built in: automatic enforcement on pulumi up without having to specify the policy pack locally.
Standardize tools for common problems: OPA is useful for individual use cases, but the cost of adoption really pays off when you use it to solve several problems.