Chapter 11: Extending Security Using Open Policy Agent

So far, we have covered Kubernetes' built in authentication and authorization capabilities, which help to secure a cluster. While this will cover most use cases, it doesn't cover all of them. Several security best practices that Kubernetes can't handle are pre-authorizing container registries and ensuring that resource requests are on all Pod objects.

These tasks are left to outside systems and are called dynamic admission controllers. The Open Policy Agent (OPA), and its Kubernetes native sub-project, GateKeeper, are one of the most popular ways to handle these use cases. This chapter will detail the deployment of OPA and GateKeeper, how it's architected, and how to develop policies. ...

Get Kubernetes and Docker - An Enterprise Guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.