book

Policy as Code

Name: Policy as Code
Author: Jimmy Ray
ISBN: 9781098139186

by Jimmy Ray

July 2024

Intermediate to advanced

556 pages

13h 27m

English

O'Reilly Media, Inc.

Audio summary available

Read now

Unlock full access

Includes

Quizzes

Preface
I Needed Policy as CodeWho Should Read This BookConventions Used in This Book Using Code ExamplesO’Reilly Online Learning How to Contact Us Acknowledgments
1. Policy as Code: A Gentle Introduction
What Is Policy?What Is Policy as Code?What Is a Policy?PaC Policy CharacteristicsThe Role of JSON and YAMLGuardrails: Preventing the UnwantedPlans: Reacting to the UnplannedAdopting Open Source SoftwareDisadvantages of OSSThe Care and Feeding of OSSStandards and ControlsPolicy as Code for Everything as CodePolicy Engines and LanguagesChoosing the Right PaC SolutionExample PaC Selection FactorsPaC Selection ScorecardThe Cloud Native Computing FoundationSummary
2. Open Policy Agent
Hello WorldOPA Installation and ModesOPA Command-Line InterfaceOPA Read-Eval-Print LoopOPA ServerOPA evalOPA execRego Policy LanguageOPA Document ModelRego Syntax and LogicWriting and Testing RegoThe Rego PlaygroundAdvanced Bundling TopicsBundle SigningBundles for Extension: WebAssemblyExtending and Integrating with OPASummary
3. Policy as Code and Access Control
Privileged Access ManagementOPA Bearer Token AuthN and AuthZRole-Based Access ControlOPA and RBACAttribute-Based Access ControlOPA and ABACAdministering Policies and DataBundle ServerStyra DAS and Policy-Based Access ManagementStyra RunOpen Policy Administration LayerUsing OCI Images with OPA and Open Policy ContainersSummary
4. Policy as Code and Kubernetes
CNCF and Policy ManagementImplementing Security Controls and Controlling BehaviorsAPI Server RequestsAdmission ControllersDynamic Admission ControllersMutating ResourcesValidating ResourcesAPI Server Request Latency and Webhook OrderAuditing and Background Scanning Existing ResourcesGenerating Resources and PoliciesKubernetes Native Policy FeaturesPod SecurityPod Security AdmissionValidating Admission PolicyAuthZ Webhook ModeAuthZ DecisionsAuthZ Webhook and PaCExample PolicyPolicy ReportingSummary
5. Open Policy Agent and Kubernetes
OPA InstallationValidating Admission WebhookKubernetes Management SidecarKubernetes Policy ManagementKubernetes Data ManagementData from ConfigmapsOPA AuthZ and kube-mgmtKubernetes PoliciesValidation PoliciesOPA Policy Entry PointCustom Helper LibrariesMutating Configuration and PoliciesCentralized OPA Management with Styra DASPolicy ManagementUninstalling Styra DASSummary
6. MagTape and Kubernetes
Installing and Uninstalling MagTapeMagTape initProxying OPA with MagTapeControlling Deny VolumesThe Deny Volume KnobSlack NotificationsSummary
7. OPA/Gatekeeper and Kubernetes
InstallationIgnoring NamespacesConfig: Alpha FeatureUninstalling GatekeeperPoliciesOPA Constraint FrameworkValidation PoliciesEnforcement ActionsMutation PoliciesUse Case: Multitenancy IsolationAudit ModeExternal Data ProvidersPolicy ExpansionPolicy TestingSummary
8. Kyverno and Kubernetes
InstallationIgnoring NamespacesDynamic Webhook ConfigurationsUninstalling KyvernoPoliciesPolicy LexiconPolicy CompositionPolicy TypesPolicy ReportingBackground ScansPolicy TestingSummary
9. jsPolicy and Kubernetes
InstallationCRD Webhook ConfigurationPolicy Webhook ConfigurationsUninstalling jsPolicyPoliciesInline PoliciesBundled PoliciesSummary

10. Cloud Custodian and Kubernetes
CLI ModeInstallationCleanupPoliciesPolicies with ActionsDiscovery with PoliciesController ModeInstallationValidating PoliciesMutating Policiesc7n-katesSummary
11. PaC and Infrastructure as Code
Infrastructure as CodeImmutabilityBaking Versus FryingImperative and Declarative IaCApplying PaC to IaCPreventive ControlsConftestCheckov and cfn-lintCFN HooksUsing PaC with HooksValidating TerraformTerraform and ConftestOPA tfplanSummary
12. PaC and Terraform IaC
HashiCorp SentinelTerraform ArtifactsMocking DataTestingRunning Policies in TFCAdditional Terraform ValidationCheckovtflintTerrascantfsecSnykSummary
13. PaC and Infrastructure as a Service
ProwlerProwler ChecksProwler CLICloud CustodianInstallationCleanupCloud Custodian PoliciesFinOps with CustodianSummary
14. PaC and the Software Supply Chain
Attacking NormalSSC Policy Enforcement PointsCodebase and Pipeline PEPsPaC and Trivy with Container ImagesSoftware Bill of MaterialsEvaluating SBOMs with PaCDetecting Vulnerabilities in SBOMs with PaCSBOM PromisesSBOM Authenticity and IntegritySummary
15. Retrospectives and Futures
Characteristics of Successful PaC AdoptionMomentumDomain-Specific LanguagesUsabilityProject Extensibility and Ecosystem DevelopmentEnterprise SolutionsPaC Looking ForwardEmbracing Standards with OSCALPaC and Generative AICedarConfigure, Unify, ExecuteConclusion
Index
About the Author

Content preview from Policy as Code

Chapter 7. OPA/Gatekeeper and Kubernetes

When it comes to PaC solutions for Kubernetes API server requests, OPA/Gatekeeper—a.k.a. Gatekeeper—is one the most popular solutions. Gatekeeper is underpinned by OPA; however, it is designed to use native Kubernetes CRDs to build policies for mutation and validation. Using the CRDs and the Constraint Framework—covered later in this chapter—promotes the expressiveness and reusability of Gatekeeper policies.

Gatekeeper is a very mature OSS project with a strong and active community of developers and users. The following links will help you gain more information about Gatekeeper:

In this chapter, we will explore Gatekeeper, examining how it is installed and used. Along the way, I will cover topics like policies, the Constraint Framework, and different modes of operation. Finally, I will describe three features that were recently added to ease adoption of Gatekeeper: external data providers, policy expansion, and the gator CLI.

Let’s begin with installing and configuring Gatekeeper to operate—and play nice—in your clusters.

Installation

There are multiple ways to install Gatekeeper:

kubectl
Helm
make

Since multiple resources are installed at the cluster level and at the Namespace level, I prefer to use the package-manager approach of Helm:

 # Add helm repo $ helm repo add gatekeeper \ https://open-policy-agent.github.io/gatekeeper/charts ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098139179Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Policy as Code

by Jimmy Ray

Chapter 7. OPA/Gatekeeper and Kubernetes

Installation

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.