Philipp Krenn

OPA for the cloud natives

Stop embedding security rules in brittle scripts. OPA lets you manage policy as auditable, version-controlled code, enforced consistently across your stack.

OPA for the cloud natives
#1about 3 minutes

Decoupling security checks from application deployment

Traditional embedded security checks are hard to audit and maintain, so decoupling them as policy-as-code enables continuous validation and simplifies compliance.

#2about 3 minutes

Shifting security left to prevent incidents before deployment

Proactively catching security violations in the CI pipeline is far better than reacting to incidents in production, moving beyond tribal knowledge to codified policies.

#3about 3 minutes

Introducing the Open Policy Agent (OPA) and Rego

OPA is a CNCF graduated project that provides a unified way to enforce policies across APIs using a custom declarative language called Rego.

#4about 3 minutes

Writing basic Rego policies for common use cases

Simple Rego policies can enforce rules like user data access control, manager hierarchies, or ensuring Kubernetes pods use a trusted container registry.

#5about 5 minutes

Using the OPA Playground to test and debug policies

The OPA Playground provides an interactive environment for writing, testing, and debugging Rego policies against sample input data, such as Kubernetes configurations.

#6about 2 minutes

Exploring OPA deployment patterns and advanced use cases

OPA can be deployed as a Go library or a sidecar daemon, enabling advanced use cases like validating Elasticsearch queries to enforce fine-grained data access control.

#7about 3 minutes

Automating infrastructure compliance with CIS benchmarks

OPA policies can codify Center for Internet Security (CIS) benchmarks to continuously scan Kubernetes clusters for misconfigurations and security vulnerabilities.

#8about 3 minutes

Addressing performance and adoption challenges with OPA

While powerful, OPA adoption can be hindered by the complexity of writing performant queries and the learning curve associated with its custom language, Rego.

#9about 3 minutes

Answering audience questions about OPA and Rego

The Q&A covers Rego's support for JSON and YAML, deployment options on bare metal or VMs, and potential integrations with APIs like GraphQL.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Introducing Open Policy Agent for custom policies
30:46 MIN

Introducing Open Policy Agent for custom policies

A practical guide to writing secure Dockerfiles

Exploring other use cases for OPA beyond web APIs
29:05 MIN

Exploring other use cases for OPA beyond web APIs

Decoupled Authorization using Policy as Code

Introducing Policy as Code and Open Policy Agent
04:57 MIN

Introducing Policy as Code and Open Policy Agent

Decoupled Authorization using Policy as Code

How OPA works with a simple Rego policy
11:26 MIN

How OPA works with a simple Rego policy

Decoupled Authorization using Policy as Code

Demo of basic policy evaluation using OPA
14:53 MIN

Demo of basic policy evaluation using OPA

Decoupled Authorization using Policy as Code

Q&A on policy culture, tooling, and security
23:51 MIN

Q&A on policy culture, tooling, and security

Policy as [versioned] code - you're doing it wrong

Dynamically updating authorization policies without downtime
24:40 MIN

Dynamically updating authorization policies without downtime

Decoupled Authorization using Policy as Code

Automating policy enforcement with admission controllers
19:31 MIN

Automating policy enforcement with admission controllers

Kubernetes Security Best Practices

Featured Partners

Related Videos

See all videos
Decoupled Authorization using Policy as Code32:16

Decoupled Authorization using Policy as Code

Anderson Dadario & Denys Vitali

Policy as [versioned] code - you're doing it wrong45:57

Policy as [versioned] code - you're doing it wrong

Chris Nesbitt-Smith

Un-complicate authorization maintenance1:00:00

Un-complicate authorization maintenance

Alex Olivier

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue23:29

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Deepu

External Secrets Operator: the secrets management toolbox for self-sufficient teams30:07

External Secrets Operator: the secrets management toolbox for self-sufficient teams

Moritz Johner

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Break the Chain: Decentralized solutions for today’s Web2.0 privacy problems29:31

Break the Chain: Decentralized solutions for today’s Web2.0 privacy problems

Adam Larter

GitOps for the people29:49

GitOps for the people

Lian Li

From learning to earning

Jobs that call for the skills explored in this talk.

Cloud Engineer (m/w/d)

Cloud Engineer (m/w/d)

fulfillmenttools
Köln, Germany

50-65K
Intermediate
TypeScript
Google Cloud Platform
Continuous Integration