Open Policy Agent — A great alternative for Pod Security Policy

Challenges with PSP?

  • PSP doesn’t handle auto-injected sidecars well,
  • Challenges when validating objects in CI/CD pipelines,
  • Difficulties in assigning PSPs, with confusion in mutating/non-mutating PSPs,
  • And many more.

For a deep dive into PSP challenges, follow this link.

What path shall we follow then?

OPA Deep Dive!

The community behind the lines?

CNCF Cloud Native Interactive Landscape — Open Policy Agent (OPA)

What is it?

OPA is well designed and integrates with the Kubernetes API through admission control.

Policy-as-Code

With policy written as code, OPA makes security officers' lives easier. Typical rules it can enforce:

  • Allow container images to be pulled only from trusted container registries,
  • Allow only signed images to be used,
  • Prohibit images that match specific image tags or hashes/SHAs,
  • Ensure that containers run with a specific user ID,
  • Prohibit pods from running in privileged mode or as the root user,
  • Prohibit insecure capabilities from being bound to containers,
  • Prevent spinning up a service that exposes unwanted applications to the internet,
  • Limit spinning up unnecessary external load balancers,
  • Ensure that internet-facing apps can only expose HTTPS,
  • Restrict pods from communicating with the outside world; this is useful to prevent malware-infected zombies from participating in external DDoS attacks or Bitcoin mining, and in the case of a compromised pod the risk is drastically reduced,
  • Allow only specific teams to use nodes backed with GPUs,
  • Restrict pods that are not labeled as agreed on from running in the environment.
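As an added example that is not part of the original post, here is a Rego policy implementing four of the controls above (trusted registries, no privileged containers, no root user, no forbidden capabilities). It assumes OPA runs as a Kubernetes validating admission webhook that receives the AdmissionReview object as `input` (Gatekeeper wraps it differently, under `input.review`); the registry names, the capability list and the two test pods are constructed for this example. Because validating webhooks run after mutating ones, an auto-injected sidecar is already in the pod spec when OPA evaluates it, which is why the policy walks `initContainers` too.

```rego
# Added example policy (not the post's own code): admission rules for Pods.
# Assumes a plain OPA validating webhook where input is the AdmissionReview.
package kubernetes.admission

import rego.v1

# Hypothetical trusted registries; an image must start with one of these prefixes.
trusted_registries := {"registry.example.internal", "gcr.io/example-org"}

# Capabilities that no container may add (constructed list for this example).
forbidden_capabilities := {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE"}

is_pod if input.request.kind.kind == "Pod"

# Every container in the pod, including init containers and injected sidecars.
containers contains c if {
    is_pod
    some c in input.request.object.spec.containers
}

containers contains c if {
    is_pod
    some c in input.request.object.spec.initContainers
}

# Policy 1: only images from trusted registries.
deny contains msg if {
    some c in containers
    not from_trusted_registry(c.image)
    msg := sprintf("container %q: image %q is not from a trusted registry", [c.name, c.image])
}

from_trusted_registry(image) if {
    some reg in trusted_registries
    startswith(image, sprintf("%s/", [reg]))
}

# Policy 2: no privileged containers.
deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("container %q: privileged mode is not allowed", [c.name])
}

# Policy 3: no container may run as root (UID 0).
deny contains msg if {
    some c in containers
    not non_root(c)
    msg := sprintf("container %q: must set runAsNonRoot: true or a non-zero runAsUser", [c.name])
}

# A container-level securityContext field overrides the pod-level one
# (Kubernetes precedence); null means neither level sets the field.
effective(c, field) := v if {
    v := object.get(c, ["securityContext", field], null)
    v != null
}

effective(c, field) := v if {
    object.get(c, ["securityContext", field], null) == null
    v := object.get(input.request.object.spec, ["securityContext", field], null)
}

non_root(c) if effective(c, "runAsUser") > 0

non_root(c) if {
    effective(c, "runAsUser") == null
    effective(c, "runAsNonRoot") == true
}

# Policy 4: no forbidden Linux capabilities.
deny contains msg if {
    some c in containers
    some cap in c.securityContext.capabilities.add
    cap in forbidden_capabilities
    msg := sprintf("container %q: capability %q is forbidden", [c.name, cap])
}

# Constructed AdmissionReview inputs and unit tests (run with `opa test`).
# The init container mimics an injected mesh sidecar: untrusted image, no UID, extra caps.
bad_pod := {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {
    "containers": [{
        "name": "app",
        "image": "docker.io/library/nginx:latest",
        "securityContext": {"privileged": true, "runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}}
    }],
    "initContainers": [{
        "name": "mesh-init",
        "image": "docker.io/example/mesh-proxy:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}
    }]
}}}}

good_pod := {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [{
        "name": "app",
        "image": "registry.example.internal/team/app:1.4.2",
        "securityContext": {"runAsUser": 10001, "capabilities": {"drop": ["ALL"]}}
    }]
}}}}

test_bad_pod_is_rejected if {
    denials := deny with input as bad_pod
    `container "app": privileged mode is not allowed` in denials
    `container "mesh-init": capability "NET_RAW" is forbidden` in denials
    count(denials) == 8  # four findings for "app", four for "mesh-init"
}

test_good_pod_is_accepted if {
    count(deny) == 0 with input as good_pod
}
```

`opa test policy.rego` runs the two embedded tests; `opa eval -i review.json -d policy.rego 'data.kubernetes.admission.deny'` evaluates a saved AdmissionReview the same way a CI/CD step would, before anything reaches the cluster, and the same policy can be pasted into the Playground linked below.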

Enjoy a free “Playground”!

OpenPolicyAgent — Playground

To Finish

Thank you for reading!


Is a Cloud-Native enthusiast with 12 plus years of experience. He’s continuously immersing himself in the latest technology trends & projects.

Aymen Abdelwahed