Philipp Krenn

OPA for the cloud natives

Stop embedding security rules in brittle scripts. OPA lets you manage policy as auditable, version-controlled code, enforced consistently across your stack.

OPA for the cloud natives
#1about 3 minutes

Decoupling security checks from application deployment

Traditional embedded security checks are hard to audit and maintain, so decoupling them as policy-as-code enables continuous validation and simplifies compliance.

#2about 3 minutes

Shifting security left to prevent incidents before deployment

Proactively catching security violations in the CI pipeline is far better than reacting to incidents in production, moving beyond tribal knowledge to codified policies.

#3about 3 minutes

Introducing the Open Policy Agent (OPA) and Rego

OPA is a CNCF graduated project that provides a unified way to enforce policies across APIs using a custom declarative language called Rego.

#4about 3 minutes

Writing basic Rego policies for common use cases

Simple Rego policies can enforce rules like user data access control, manager hierarchies, or ensuring Kubernetes pods use a trusted container registry.

#5about 5 minutes

Using the OPA Playground to test and debug policies

The OPA Playground provides an interactive environment for writing, testing, and debugging Rego policies against sample input data, such as Kubernetes configurations.

#6about 2 minutes

Exploring OPA deployment patterns and advanced use cases

OPA can be deployed as a Go library or a sidecar daemon, enabling advanced use cases like validating Elasticsearch queries to enforce fine-grained data access control.

#7about 3 minutes

Automating infrastructure compliance with CIS benchmarks

OPA policies can codify Center for Internet Security (CIS) benchmarks to continuously scan Kubernetes clusters for misconfigurations and security vulnerabilities.

#8about 3 minutes

Addressing performance and adoption challenges with OPA

While powerful, OPA adoption can be hindered by the complexity of writing performant queries and the learning curve associated with its custom language, Rego.

#9about 3 minutes

Answering audience questions about OPA and Rego

The Q&A covers Rego's support for JSON and YAML, deployment options on bare metal or VMs, and potential integrations with APIs like GraphQL.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Introducing Open Policy Agent for custom policies
04:00 MIN

Introducing Open Policy Agent for custom policies

A practical guide to writing secure Dockerfiles

Exploring other use cases for OPA beyond web APIs
03:11 MIN

Exploring other use cases for OPA beyond web APIs

Decoupled Authorization using Policy as Code

Q&A on policy culture, tooling, and security
22:06 MIN

Q&A on policy culture, tooling, and security

Policy as [versioned] code - you're doing it wrong

Introducing Policy as Code and Open Policy Agent
06:29 MIN

Introducing Policy as Code and Open Policy Agent

Decoupled Authorization using Policy as Code

Automating policy enforcement with admission controllers
01:21 MIN

Automating policy enforcement with admission controllers

Kubernetes Security Best Practices

How OPA works with a simple Rego policy
03:27 MIN

How OPA works with a simple Rego policy

Decoupled Authorization using Policy as Code

Demo of basic policy evaluation using OPA
02:23 MIN

Demo of basic policy evaluation using OPA

Decoupled Authorization using Policy as Code

Dynamically updating authorization policies without downtime
04:25 MIN

Dynamically updating authorization policies without downtime

Decoupled Authorization using Policy as Code

Featured Partners

Related Videos

See all videos
Decoupled Authorization using Policy as Code32:16

Decoupled Authorization using Policy as Code

Anderson Dadario & Denys Vitali

GitOps for the people29:49

GitOps for the people

Lian Li

Our GitOps approach for deploying an Identity Provider and an API Gateway in a SaaS company17:31

Our GitOps approach for deploying an Identity Provider and an API Gateway in a SaaS company

Axel Barbier

Policy as [versioned] code - you're doing it wrong45:57

Policy as [versioned] code - you're doing it wrong

Chris Nesbitt-Smith

Un-complicate authorization maintenance1:00:00

Un-complicate authorization maintenance

Alex Olivier

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue23:29

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Deepu

External Secrets Operator: the secrets management toolbox for self-sufficient teams30:07

External Secrets Operator: the secrets management toolbox for self-sufficient teams

Moritz Johner

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Related Articles

View all articles
CH
Chris Heilmann
With AIs wide open - WeAreDevelopers at All Things Open 2025
Last week our VP of Developer Relations, Chris Heilmann, flew to Raleigh, North Carolina to present at All Things Open . An excellent event he had spoken at a few times in the past and this being the “Lucky 13” edition, he didn’t hesitate to come and...
With AIs wide open - WeAreDevelopers at All Things Open 2025
CH
Chris Heilmann
WebMCP: Empowering Agents as First-Class Citizens of the Web
WebMCP is an exciting W3C proposal that just landed in Chrome Canary to try out . The idea is that you can use some HTML attributes on a form or register JavaScript tool methods to give agents direct access to content. This gives us as content prov...
WebMCP: Empowering Agents as First-Class Citizens of the Web
DC
Daniel Cranney
Why Attend a Developer Event?
Modern software engineering moves too fast for documentation alone. Attending a world-class event is about shifting from tactical execution to strategic leadership. Skill Diversification: Break out of your specific tech stack to see how the industry...
Why Attend a Developer Event?

From learning to earning

Jobs that call for the skills explored in this talk.