Alex Krause [email protected] @alex0ptr Cloud Compliance with Open Policy Agent 

The Problem @alex0ptr 

Policy @alex0ptr “Users should only access data of their own teams/projects. ” // TODO Compliance “Security First. Least Privilege, where possible. ” Governance 

@alex0ptr May this action be allowed? Who or what can perform a certain action? Are there violations? 

Infrastructure Machines Network DNS RDBMS Storage Application Platform Container Orchestration Container Images CD- Pipeline Applications User Management Configuration HTTP APIs + UIs Code Continuous Integration Code Artifacts Version Control Logs Secret Store API Gateways Metrics Backups @alex0ptr Life of the YAML -Engineer 

@alex0ptr @PreAuthorize("#username == authentication.principal.username") public String getMyRoles(String username) { //... } 

(1) Many components, which (2) use different concepts, protocols, and configuration languages, with(3) strong coupling to the concrete implementation. The Problems ✔ @alex0ptr 

Solution? @alex0ptr 

@alex0ptr Open Policy Agent Engine + Language 

@alex0ptr Open Policy Agent ‣ Policy Engine ‣ universal ‣ lightweight ‣ de-coupled ‣ easy to integrate “Policy-based control for cloud native environments” 

@alex0ptr OPA: Rego ‣ inheritance: datalog ‣ declarative, logic ‣ made for Policies ‣ and structured data “Use Rego for defining policy that is easy to read and write.” 

@alex0ptr 

@alex0ptr 

The Dream: ✨ Central Policy Repository ✨ @alex0ptr 

The Present @alex0ptr 

Demo The Basics @alex0ptr 

@alex0ptr @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest() .authenticated() .accessDecisionManager(accessDecisionManager()); } @Bean public AccessDecisionManager accessDecisionManager() { List> decisionVoters = Arrays .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow")); return new UnanimousBased(decisionVoters); } } 

@alex0ptr “Policy Controller for Kubernetes” ‣ K8s Admission Controller ‣ CRDs for Policies ‣ Audit ‣ Policy Library Gatekeeper 

Demo Gatekeeper @alex0ptr 

@alex0ptr “Write tests against structured configuration data […]” ‣ CLI wrapper for OPA ‣ shift-left for Policies ‣ YAML/JSON, HCL(2), INI, TOML, Dockerfile ‣ go-getter support Conftest 

Demo Conftest @alex0ptr 

Conclusion @alex0ptr 

@alex0ptr Gatekeeper Rego Conftest Tooling Integration Integrations Complexity 

xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh Alex Krause [email protected] @alex0ptr 

QAware 21.09.2018 25 

QAware GmbH Mainz Rheinstraße 4 D 55116 Mainz Tel.: +49 (0) 6131 215 69 – 0 Fax: +49 (0) 6131 215 69 – 68 xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh 

QAware GmbH München Aschauer Straße 32 81549 München Tel.: +49 (0) 89 23 23 15 – 0 Fax: +49 (0) 89 23 23 15 – 129 xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh