Chapter 11: Extending Security Using Open Policy Agent

So far, we have covered Kubernetes' built in authentication and authorization capabilities, which help to secure a cluster. While this will cover most use cases, it doesn't cover all of them. Several security best practices that Kubernetes can't handle are pre-authorizing container registries and ensuring that resource requests are on all Pod objects.

These tasks are left to outside systems and are called dynamic admission controllers. The Open Policy Agent (OPA), and its Kubernetes native sub-project, GateKeeper, are one of the most popular ways to handle these use cases. This chapter will detail the deployment of OPA and GateKeeper, how it's architected, and how to develop policies. ...

Get Kubernetes and Docker - An Enterprise Guide now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Kubernetes and Docker - An Enterprise Guide by Scott Surovich, Marc Boorshtein

Chapter 11: Extending Security Using Open Policy Agent

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly