Open Policy Agent — A great alternative for Pod Security Policy

Challenges with PSP?

  • PSP doesn’t handle auto-injected sidecars well.
  • Validating objects in CI/CD pipelines is hard.
  • Assigning PSPs is difficult, with confusion between mutating and non-mutating PSPs.
  • And many more.

To deep dive into PSP challenges, follow this link.

What path shall we follow then?

OPA Deep Dive!

The community behind the lines?

CNCF Cloud Native Interactive Landscape — Open Policy Agent (OPA)

What is it?

OPA is well designed and integrates with the Kubernetes APIs as an admission controller.

Policy Examples

OPA makes a Security Officer’s life considerably easier. With it you can:

  • Allow container images to be pulled only from trusted container registries.
  • Allow only signed images to be used.
  • Prohibit images that match specific tags or digests (SHA).
  • Ensure that containers run with a specific user ID.
  • Prohibit Pods from running in privileged mode or as the root user.
  • Prohibit insecure capabilities from being bound to containers.
  • Prevent spinning up a Service that exposes unwanted applications to the internet.
  • Limit spinning up unnecessary external load balancers.
  • Ensure that internet-facing apps expose only HTTPS.
  • Restrict Pods from communicating with the outside world; this is useful to stop malware-infected zombies from participating in external DDoS attacks or Bitcoin mining, so the risk from a compromised Pod is drastically reduced.
  • Allow only specific teams to use nodes backed by GPUs.
  • Restrict Pods that are not labeled as agreed upon from running in the environment.
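To show what several of the items above look like as an actual policy, here is an added Rego example; it is not code from the article or from the OPA project. It assumes OPA 0.59 or later (for `import rego.v1`) running as a validating admission webhook that receives the AdmissionReview under `input.request`, the layout used in the OPA Kubernetes tutorial. The trusted registry prefixes, the forbidden capability list and the `example.com/external-lb-approved` annotation are constructed values for illustration; substitute your own.

```rego
package kubernetes.admission

import rego.v1

# Added example, not from the article. The values below are constructed.
trusted_registries := {"registry.internal.example.com/", "ghcr.io/example-org/"}

forbidden_capabilities := {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE"}

# Constructed annotation name: a Service of type LoadBalancer is only
# admitted when it carries this annotation set to "true".
lb_approval_annotation := "example.com/external-lb-approved"

is_pod if input.request.kind.kind == "Pod"

# Init containers are subject to the same rules as regular containers.
pod_containers contains c if some c in input.request.object.spec.containers

pod_containers contains c if some c in input.request.object.spec.initContainers

# 1. Images may only come from trusted registries.
deny contains msg if {
	is_pod
	some c in pod_containers
	not from_trusted_registry(c.image)
	msg := sprintf("container %q: image %q is not from a trusted registry", [c.name, c.image])
}

from_trusted_registry(image) if {
	some reg in trusted_registries
	startswith(image, reg)
}

# 2. No privileged containers.
deny contains msg if {
	is_pod
	some c in pod_containers
	c.securityContext.privileged == true
	msg := sprintf("container %q: privileged mode is not allowed", [c.name])
}

# 3. Every container must run as non-root, declared at pod or container level.
deny contains msg if {
	is_pod
	some c in pod_containers
	not runs_as_non_root(c)
	msg := sprintf("container %q: runAsNonRoot must be true", [c.name])
}

runs_as_non_root(c) if c.securityContext.runAsNonRoot == true

runs_as_non_root(_) if input.request.object.spec.securityContext.runAsNonRoot == true

# 4. No forbidden Linux capabilities may be added.
deny contains msg if {
	is_pod
	some c in pod_containers
	some cap in c.securityContext.capabilities.add
	cap in forbidden_capabilities
	msg := sprintf("container %q: capability %q is not allowed", [c.name, cap])
}

# 5. External load balancers only when explicitly approved.
deny contains msg if {
	input.request.kind.kind == "Service"
	input.request.object.spec.type == "LoadBalancer"
	not input.request.object.metadata.annotations[lb_approval_annotation] == "true"
	msg := sprintf("service %q: LoadBalancer requires annotation %s=true", [input.request.object.metadata.name, lb_approval_annotation])
}

# Unit tests (run with `opa test policy.rego`); the AdmissionReview
# fragments are constructed.
compliant_pod_review := {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {
	"securityContext": {"runAsNonRoot": true},
	"containers": [{"name": "app", "image": "ghcr.io/example-org/app:1.0"}],
}}}}

privileged_pod_review := {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {
	"containers": [{"name": "app", "image": "ghcr.io/example-org/app:1.0", "securityContext": {"privileged": true, "runAsNonRoot": true}}],
}}}}

test_compliant_pod_admitted if {
	msgs := deny with input as compliant_pod_review
	count(msgs) == 0
}

test_privileged_container_denied if {
	msgs := deny with input as privileged_pod_review
	count(msgs) == 1
}
```

Each `deny` rule contributes one human-readable message per violation, so a single rejected request tells the developer everything that is wrong rather than only the first failure; the webhook's `main` rule (not shown) simply returns `allowed: false` whenever `deny` is non-empty. If you use OPA Gatekeeper instead of a plain webhook, the same rules move into a ConstraintTemplate and read the object from `input.review.object`.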

Enjoy a free “Playground”!

OpenPolicyAgent — Playground

To Finish

Thank you for reading!

Is a Cloud-Native enthusiast with 12 plus years of experience. He’s continuously immersing himself in the latest technology trends & projects.

Aymen Abdelwahed
