Traditional embedded security checks are hard to audit and maintain, so decoupling them as policy-as-code enables continuous validation and simplifies compliance.
Proactively catching security violations in the CI pipeline is far better than reacting to incidents in production, moving beyond tribal knowledge to codified policies.
OPA is a CNCF graduated project that provides a unified way to enforce policies across APIs using a custom declarative language called Rego.
Simple Rego policies can enforce rules like user data access control, manager hierarchies, or ensuring Kubernetes pods use a trusted container registry.
The OPA Playground provides an interactive environment for writing, testing, and debugging Rego policies against sample input data, such as Kubernetes configurations.
OPA can be deployed as a Go library or a sidecar daemon, enabling advanced use cases like validating Elasticsearch queries to enforce fine-grained data access control.
OPA policies can codify Center for Internet Security (CIS) benchmarks to continuously scan Kubernetes clusters for misconfigurations and security vulnerabilities.
While powerful, OPA adoption can be hindered by the complexity of writing performant queries and the learning curve associated with its custom language, Rego.
The Q&A covers Rego's support for JSON and YAML, deployment options on bare metal or VMs, and potential integrations with APIs like GraphQL.
32:16Anderson Dadario & Denys Vitali
29:49Lian Li
17:31Axel Barbier
![Policy as [versioned] code - you're doing it wrong](https://customer-goifxnzhrq3d0d54.cloudflarestream.com/23fa4a514c18f0a9b39573f31d96ba54/thumbnails/thumbnail.jpg?time=33000ms)
45:57Chris Nesbitt-Smith
1:00:00Alex Olivier
23:29Deepu
30:07Moritz Johner
29:31Adam Larter
.gif?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
iits-consulting GmbH
München, Germany
SYSKRON GmbH
Regensburg, Germany
smartclip Europe GmbH
Hamburg, Germany
CONTIAMO GMBH
Berlin, Germany
adconova GmbH
inopla GmbH