Traditional embedded security checks are hard to audit and maintain, so decoupling them as policy-as-code enables continuous validation and simplifies compliance.
Proactively catching security violations in the CI pipeline is far better than reacting to incidents in production, moving beyond tribal knowledge to codified policies.
OPA is a CNCF graduated project that provides a unified way to enforce policies across APIs using a custom declarative language called Rego.
Simple Rego policies can enforce rules like user data access control, manager hierarchies, or ensuring Kubernetes pods use a trusted container registry.
The OPA Playground provides an interactive environment for writing, testing, and debugging Rego policies against sample input data, such as Kubernetes configurations.
OPA can be deployed as a Go library or a sidecar daemon, enabling advanced use cases like validating Elasticsearch queries to enforce fine-grained data access control.
OPA policies can codify Center for Internet Security (CIS) benchmarks to continuously scan Kubernetes clusters for misconfigurations and security vulnerabilities.
While powerful, OPA adoption can be hindered by the complexity of writing performant queries and the learning curve associated with its custom language, Rego.
The Q&A covers Rego's support for JSON and YAML, deployment options on bare metal or VMs, and potential integrations with APIs like GraphQL.
zeb consulting
Frankfurt am Main, Germany
32:16Anderson Dadario & Denys Vitali
17:31Axel Barbier
![Policy as [versioned] code - you're doing it wrong](https://customer-goifxnzhrq3d0d54.cloudflarestream.com/23fa4a514c18f0a9b39573f31d96ba54/thumbnails/thumbnail.jpg?time=33000ms)
45:57Chris Nesbitt-Smith
1:00:00Alex Olivier
23:29Deepu
56:27Luke Hinds
30:07Moritz Johner
23:08Rico Komenda
Jobs that call for the skills explored in this talk.
Wolters Kluwer
Alphen aan den Rijn, Netherlands
oraïse GmbH
Frankfurt am Main, Germany
