►
From YouTube: Unit Testing Your Kubernetes Configurations Using Open Policy Agent - Gareth Rushgrove, Docker
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Unit Testing Your Kubernetes Configurations Using Open Policy Agent - Gareth Rushgrove, Docker
Open Policy Agent provides a high-level declarative language to author and enforce policies on structured data, for instance Kubernetes configurations. OPA is typically used as a service to enforce authorization policy in a cluster. New configurations submitted to an API are filtered through OPA and accepted or rejected depending on the defined policy. But some types of policy violations can be caught even earlier in the development process. In this talk we’ll discuss: - Why you might benefit from writing unit tests for your Kubernetes configuration - Getting started with regol, OPAs declarative assertion language - Integrating OPA-based tests with your continuous integration system - Testing Kubernetes configurations when working with other ecosystem tools like Helm, Kustomize and Pulumi - Extending the same approach to other structured configuration files
https://sched.co/MPYj
A
A
bunch
beyond
the
room,
so
I'm
here
to
talk
about
unit
testing
your
kubernetes
configurations
using
open
policy
agent.
Hopefully
that's
clear
from
this
slide,
if
you're
not
here
for
that
talk
like
too
late,
so
I'm
Gareth,
rush,
Grove
Gareth
are
basically
everywhere
on
the
internet.
I
am
now
a
director
of
product
management
at
a
company
called
sneaked,
doing
container
and
just
generally
open
source
software
vulnerabilities
stuff
when
the
movies,
if
you're
like
in
their
hot
hole.
A
If
you're
like
two
years
later
and
I'm
gonna
talk
about
a
quit
Ivanov
those
quick
introduction
to
open
policy
agent.
There
are
a
load
of
really
good
on
policy
agent
talks
throughout
the
conference.
It's
one
of
the
CN
CF
projects
and
this
isn't
an
introduction,
I'll
sort
of
fly
through
it.
Hopefully
I'm
a
tense
Biden
courage.
A
You
should
go
to
a
bunch
of
the
other
talks
as
well
I'm
going
to
talk
about
testing
and
in
the
context
of
policy
and
enforcement
of
policy
and
I'm
gonna,
introduce
a
new
tool
that
I've
been
building
to
sort
of
try
and
bring
these
two
worlds
together.
Rigo
is
the
programming
language.
That's
used
in
open
policy
agent
I
think
it's
really
cool
I'm,
a
DSL,
geek
I'm
gonna,
try
and
convince
you
all.
It's
really
cool
and
see
how
that
goes.
A
I'm
going
to
talk
about
portability
between
different
committees,
like
configuration
solutions,
turns
out
different
people
using
different
tools.
That's
fine!
Can
we
solve
some
of
the
testing
parts
in
one
go
rather
than
per
tool
and
also
honestly
infrastructure?
Isn't
all
and
configuration
isn't
all
committees,
but
can
we
solve
even
more
general
problems
with
one
hammer
and
we'll
see
how
we
go
bunch
of
live
demos?
A
Hopefully,
if
everything
works
so
open
policy
agent,
whose
all
right
who's
already
heard
of
open
policy
agent
in
the
room,
lots
of
hands,
but
not
everyone,
that's
fine
and
who's
actually
using
a
pulse
agent
already
for
things
and
the
scalp
a
scattering
of
hands
cool
yeah,
open
solids,
Oh
toys
in
is
really
interesting,
but
what
is
it
so
again
like?
This
is
a
very
abridged
version
of
this,
but
it's
a
well
described
is
a
policy
based
control.
The
cloud
native
environments
like
we
need
to
dig
down
a
little
bit
more
than
that.
A
It's
ultimately
and
how
I
see
it
is
it's
a
language
for
describing
policy
against
structured
data
and
we'll
show
some
examples
and
what
that
looks
like
and
it's
the
engine
which
you
then
you
give
it
your
structured
data
and
it
takes
that
policy
and
tells
you
whether
that
that
document,
you've
given
it
is
compliant
against
your
policy
or
basically
extracts
out
meaning
now
that's
again
fairly
low-level.
It's
a
library
which
has
a
whole
bunch
of
use
cases
and.
A
That's
the
sort
of
general
take
you'll.
Have
some
data
you'll?
Have
some
policy
open
port
agent
will
combine
those
things
together.
It's
a
low-level
sort
of
component
to
other
tools
and
what's
happening
in
the
ecosystem.
Is
people
are
building
on
top
of
this
and
so
you're,
starting
to
see
anywhere
where
people
are
saying
we
need
some
policy,
like
our
software
does
one
thing,
but
customers
need
to
bring
some
of
their
business
understanding
to
it
that,
like
different
people,
want
to
do
different
things.
A
Lots
of
people
talk
about
policy
of
port
agent
is
implementing
that
in
software.
That's
what
that
allows
is
a
lot
of
those
times
where
you've
been
in
a
large
organization
and
you've
had
a
policy
conversation
and
that's
resulted
in
a
word
document.
Now
we
can
convert
that
into
code
and
you're.
Seeing
this
cropping
up
in
loads
of
places.
A
Gatekeeper
is
a
really
popular
project
now
in
the
communities
at
space.
It's
a
an
admission
controller
that
users
of
policy
agent,
but
you're,
also
seeing
it
in
sto.
There's
an
open
policy
agent
aspect
there
and
the
Ceph
project
as
well
again
has
a
policy
need
and
they've
been
able
to
plug
in
up
and
policy
agent.
It's
becoming
sort
of
something
that's
supported
in
lots
of
invoices
I.
A
A
It's
just
that
if
you
can
do
more
tests
here,
you
can
be
more
predictable,
like
testing
later,
at
least
around
communities.
Most
of
the
focus
around
open
policy
agent
has
been
over
here.
It's
been
testing
in
the
cluster
and
it's
been
admission
controllers.
It's
been
gating
your
cluster
according
to
some
policy,
and
that's
really
useful
and
I
think
there'll
be
other
talks
that
will
cover
that
sort
of
use
case
in
more
detail,
I'm
more
interested
in
well.
What?
A
The
continuous
delivery
foundation
meeting
is
palm
books
are
wider
coop
con
yesterday
and
people
kept
talking
about
everything
as
code,
just
as
a
general
movement
and
we've
gotta,
whether
it's
been
infrastructure
configuration
whether
it's
been
software,
we
we're
taking
things
that
were
traditionally
conversations
and
people
and
documents
and
converting
them
into
software,
because
then
we
can
have
a
conversation
that
is
both
people,
but
also
computers
and
that's
true
of
communities
configuration
as
a
general
domain.
We've
been
moving
that
into,
and
often
lots
and
lots
of,
yel
documents,
but
other
tools
as
well.
A
But
would
you
write
code
without
writing
tests?
I'd
say
if
this
was
a
Java
conference,
like
everyone
be
like
well,
yeah
I
mean
I,
even
written
any
Java.
Without
writing.
Some
JUnit
tests
for
I
can't
remember
and
actually
where
we
are
today
with
the
languages
that
we're
building
around
the
communities,
API
I,
would
say
most
people
are
not
writing
tests
for
those
things.
We
don't
have
the
tools
or
the
culture,
rod
or
setup.
Yet
so
that's
where
my
new
favourite
hammer
comes
in
contest.
So
this
is
a
new
open-source
project.
A
A
So
the
basic
gist
is
well
in
the
inner
kubernetes
context,
at
least
given
a
deployment
of
given
any
other
committees
manifest,
but
we'll
we'll
start
with
the
deployment.
For
now
we
can
write
policies
about
that
deployment
and
maybe
it's
just
specific
to
what
namespace,
maybe
it's
specific
to
your
organization.
Maybe
it's
specific
to
a
specific
cluster
and
whatever
it
is.
A
So
rego
is
a
new
language.
Some
people
are
gonna
like
that.
Not
that's
fine
and
virtually
it's
reasonably
straightforward.
Once
you
get
going,
and
so
what
we
actually
said
here
so
we've
said
input
input
is
the
the
document
I'm
passing
in.
So
in
this
case
it's
that
kameez
deployment,
structure
and
I'm
saying
well,
it
will.
It
will
have
a
kind
property
and
that
property
will
have
a
value
of
deployment.
A
Saying
Kim
yetis
world,
it's
yeah,
it's
a
deployment
where
then
saying
runners,
not
route
equals
true,
not
so,
basically
we're
saying,
and
if
it
does
not
have
that
value.
If
it
does
not
have
that
key
runners
really
not
in
true
set
to
true,
then
we're
going
to
deny
so
and
in
this
case
we're
going
to
put
a
message
saying:
containers
must
not
run
as
reach
so
for
those
that
aren't
as
familiar
with
the
humanities
configuration
structure
and
what
that's
saying
is,
if
you
don't
have
that
flag
set.
A
Those
containers
have
a
lot
more
permissions
on
your
cluster
and
might
do
bad
things.
It's
a
reasonably
good
best
practice
to
wait
where
you
can
default.
Having
that
set
and
here's
a
way
of
us
actually
writing
a
test
to
make
sure
that's
the
case
and
obviously
that's
a
nice
simple
example.
You
can
write
quite
elaborate
policies
based
on
your
real
world.
Real
domain
messy
organizational
policy
structures.
Rigo
is
a
language
that
gives
you
that
flexibility
contests
simply
provides
you
a
nice
friendly
local
CLI
tool
to
run
that.
A
So
contests
test
20
ITR
config
that
that
you
want
to
test
in
the
background
here.
There's
a
policy
folder
and
with
the
code
we
just
saw
in
and
you
can
point
at
policy
from
different
places
and
there's
some
other
bits
pieces
and
you
can
point
it
out
multiple
files
and
we
can
test
those.
But
let's
see
that
in
action
because
everyone
likes
a
quick
demo,
let's
go
the
right
way.
So
here
I've
got
a.
A
A
Actually
we
so
we've
got
a
number
of
different
policy
files
in
here
and
I'll
show
some
of
them
and
now
and
I'll
show
a
few
later.
This
one
is
pretty
similar
to
what
I
just
showed
there.
We've
got
a
couple
of
policies,
one
is
doing
exactly
what
we
were
talking
about,
which
was
looking
for
non
route.
Sorry
root,
containers
in
deployments
and
saying
nope,
we're
not
having
any
of
that
and
the
other
one
is
saying
you
must
have
set
these
two
labels
and
again
that's
a
common
practice
in
organization.
A
A
Here
again,
similarly-
and
this
is
a
bit
of
a
sort
of
example-
policy-
this
is
just
simply
saying,
and
if
there's
any
community
services
that
nope
not
having
any
of
that.
Obviously
that's
not
a
real
world
policy,
but
it's
a
nice
demonstration
and
the
difference
here
is
instead
of
being
deny.
This
is
one
and-
and
this
is
really
a
way
of
saying
yeah-
we've
got
these
policies,
but
we
want
to
nudge
people,
not
stop
them.
A
A
A
So,
let's
dig
into
Rigo
a
little
bit
because
again,
there's
always
a
barrier
to
entry
when
you're
faced
with
a
new
language
and
one
of
the
nice
things
with
Rio
is
actually
the
document,
the
documentation
is
pretty
good.
It's
a
domain-specific
language
specifically
for
describing
policy
against
structured
data.
So
it's
not
trying
to
be
everything.
A
It's
not
a
huge
language
here
and
the
documentation
provided
by
the
opposed
agent
project
itself
is
actually
really
good
and
there's
lots
of
examples
and
there's
also
the
under
the
hood
details
to
understand
what
the
syntax
is
so
definitely
check
out
the
open
policy
agent
website
and
look
at
the
language
I
think
once
you
play
around
with
it
and
comtesse
provides
a
nice
easy
way
of
playing
around
with
it.
It's
just
one
command.
You
run
it
against
your
config
and
some
policy.
A
If
you
saw
well
I'm,
not
sure
I
want
to
download
anything
yet
there's
the
rego
playground-
and
this
is
an
online
website-
you
can
go
along
to
the
on
the
open
policy
agent
website.
You'll
find
the
links
here.
You
can
just
write
and
you
can
give
it
some
input.
You
can
give
it
your
policy
and
you
can
see
what
the
output
would
be
were
that
applied.
A
But
it's
more
than
just
yeah
there's
some
syntax
and
some
policy
bits.
It
is
a
language
and
it
is
a
language
with
some
tooling
so
open
policy.
It
has
built-in
support
for
actually
bit
like
writing
unit
tests
of
your
policies
in
Rego.
If
you're
thinking
of
this
is
getting
meta,
you
would
be
correct
here.
We're
writing
unit
tests
in
Rego
of
our
policies
in
Rego,
which
are
testing
our
configuration,
and
that
makes
sense.
A
It
just
sounds
weird,
so
here
actually
we're
writing
tests
against
some
of
those
policies
and
if
I
pass
it
in
a
sort
of
fake
deployment
here.
Well
that
definitely
doesn't
have
that
flag,
saying
don't
run
your
containers,
this
route
and
it's
going
to
successfully
deny-
and
you
can
see
more
example,
more
sort
of
detailed
examples
here
and
but
that's
just
built
into
the
OPA
tool
itself.
So
then
you
can
just
go
into
your
policies,
run
OPA
tests
and
you'll
have
a
sense
of
yeah.
A
Not
only
have
we
had
that
conversation
about
our
policies,
but
we've
described
them
correctly
as
well,
because
often
those
pop
that
policy
conversation
is
separate
to
your
usage
of
your
configuration.
It's
a
little
bit
different
to
look
a
conversation
around
like
unit
testing
code,
we're
not
most
the
time
you're
doing
that
together.
This
is
more
the
unit
testing.
A
In
the
case
of
rego
and
again
lots
of
people
hadn't
come
across
open
policy
agent,
yet
or
weren't
using
it
yet,
and
it's
an
early
project
and
there's
not
loads
of
real
code
on
github
yet
so
like
this
is
something
that's
pretty
new,
but
very
interesting
too
alone
projects,
there's,
obviously
more
Riga
code.
There
isn't
public
in
different
private
places.
People
are
using
it
elsewhere.
Sharing
public
policies
is
an
interesting
conversation,
but
I'd
love
to
see
this
number
explode
because
I
think
there's
lots
of
utility
open
policy.
A
Agent
also
has
a
concept
on
bundles
because
it
turns
out
that
some
of
that
policy
is
going
to
be
reusable
and
that
might
be
reusable
in
the
context
of
your
own
organization.
It
might
be
reusable
in
the
context
of
the
policies.
You're
writing
have
similar
constructs
and
it
has
a
built
in
bundle
concept,
and
this
is
fairly
like
simples,
my
it's
a
MANET
there's
a
manifest
file
and
there's
a
tar
file
and
you
can
download
them,
but
you
can
I
think
one
thing
I
would
love
to
see
as
we
grow.
A
The
open
policy
aging
community
is
sharing
these
sort
of
helpers
and
things
where.
Actually
you
don't
need
to
become
the
expert
in
all
the
things
you
can
use
a
bunch
of
helpers
to
get
you
there.
So
maybe
it's
helpers
like
this
or
sort
of
has
feels
like
it's
really
like
from
a
policy
point
of
view.
You
might
want
to
just
check
it's
something.
There
we
go
housing,
the
syntax
do
so
badly.
We
commit.
We
can
write
abstractions
to
make
that
easier
to
use
tests
helpers
as
well
they're
like
writing
tests
that
are
more
expressive.
A
You
see
this
in
all
programming
languages.
Writing
like
just
slightly
more
expressive
versions
of
things.
That's
definitely
open
for
sharing
and
I
think
there's
a
load
of
potential
in-
and
this
is
a
very
trivial
example
of
sharing
domain-specific
helpers
and
the
types
of
policy.
Let
your
organization's
policy
might
be
different
someone
else's,
but
if
we're
all
working
with
communities,
the
types
of
things
we're
probably
likely
to
ask
are
similar
and
so
building
libraries
and
around
committees
or
other
project
configuration
I
think
is
a
really
interesting
place
and
we
can
wrap
all
these
with
bundles.
A
But
one
of
the
things
that
bundles
doesn't
have
yet
is
a
sort
of
like
a
first
class
concept
of
sharing.
And,
yes,
you
can
put
them
on
the
internet.
You
could
put
them
on
an
HTTP
server
and
there's
a
mechanism
within
the
Opia
tools
to
download
those,
but
that's
not
the
same
thing
as
whether
it's
like
NPM
as
a
registry
or
obviously
cost
all
our
hearts.
They're,
like
docker
registries,
where
we've
actually
the
ability
to
nearly
frictionlessly
share
things,
has
interesting
properties.
A
It
becomes
very
easy
for
you
to
get
started
because
you
just
do
wide
with
docker
docker
run
thing
and
that's
downloaded
a
lot
of
stuff
from
the
internet,
someone's
packaged
there
are
pros
and
cons,
but
we
like
that
model.
The
other
thing
here
is
that
the
standards
underpinning
that
have
become
very
widely
implemented.
A
So
basically,
at
this
point
everyone
has
one
or
more
or
CI
registries,
and
there
are
public
ones
that,
like
I'm,
like
docker
hub,
there
are
the
all.
The
main
cloud
providers
have
the
one
that
they'll
tell
you.
Everyone
has
one.
If
your
on-prem,
there
are
multiple
options
there,
there's
the
harbour
project
and
within
the
CN
CF
and
most
of
the
commercial
vendors
will
give
you
on.
A
Everyone,
has
one
of
these
registries
and
they're,
broadly
speaking,
compatible,
but
up
till
now,
we've
really
only
used
them
for,
like
those
docker
images
that
we
run
on
out
like
curious
clusters
all
with
docker,
and
what
about
using
them
for
everything
else.
Steve
Glasgow
from
Microsoft
has
been
pushing
this
within
the
OCI
community.
For
a
little
while
and
as
part
of
this
sort
of
wall,
opa
would
benefit
from
sharing.
Like
first-class
sharing
mechanisms
and
we've
set
up
a
bunch
of
our
CI
media
types
for
our
PA,
that's
now
closed.
We've
got
that
done.
A
We're
actually
demonstrating
that
with
contest,
so
contest
provides
basically
simple,
push
and
pull
semantics,
and
this
doesn't
work
on
every
registry.
Yet
because
of
some
of
the
ambiguities
around
the
spec,
that's
getting
worked
out
and
on
the
OCI
side,
but
it
works
with
like
the
open
source
registry.
I
think
it
will
work
with
harbor
that
I
haven't
checked.
It
works
with
Azure
container
registry
at
the
moment,
hopefully
in
the
future.
This
will
work
with
everything
else.
Well,
this
is
also
under
the
hood.
A
A
As
of
yesterday
Jocelyn's,
the
Microsoft
launched
bundle
bar,
which
is
a
basically
a
front
page
for
a
bunch
of
these
sort
of
media
type
new
package
format.
Things
focused
on
small
OCI
images
for
configuration
purposes,
so
this
has
actually
mirrored
the
helm,
charts
repository
and
also
is
now
starting
to
get
some
of
the
OPA
bits
and
pieces
in
there.
So
again,
like
brand-new
bits
and
pieces
to
play
with
over
time.
A
I'd
love
is
to
collectively
build
up
like
those
OPA
helpers
on
bundle
bar
or
other
repositories
where
we
go
so
one
of
the
things
with
the
coop
iron
committee's
configs
is
that's
the
API
and
being
able
to
test
that
is
useful,
and
if
you're
writing
that
by
hand,
then
you
can
use
the
toiling,
but
also
we're
all
starting
to
use
different
tools
for
the
configuration
for
different
purposes
and
having
one
way
of
writing
tests.
I
think
is
useful
because
it
basically
will
allow
you
to
more
easily
move
between
those
tools.
A
So
maybe
you
start
out
writing
a
bunch
of
can
make
these
configs
by
hand.
Then
you
move
to
like
customizer,
you
move
to
hell
when
you
move
to
other
things
or
you're
using
multiple
tools.
At
the
same
time,
you
can
use
a
policy
agent
to
describe
the
test
for
all
of
those
things
and
ultimately
because
they
compile
down
to
the
same
config
structures.
A
So
if
you
were
using
customized
well,
you
can
do
customized,
build
and
pipe
the
output
there
and,
if
you're
using
helm,
helm
template
does
the
same
thing
that
will
render
the
helm
template
as
a
finished
config.
In
this
case,
it
would
be
nice
to
have
a
helm
again.
That,
broadly
speaking,
does
that
there's
some
prior
art
around
that
as
well
in
the
helm
community.
And
if
you
were
writing
your
communities
configurations
in
typescript,
because
you
wanted
a
full-on
programming
language.
A
My
new
favorite
configuration
tools,
I
thought
I'd
throw
in
for
their
giggles
is
Q,
and
this
is
again
another
way
of
describing
config
with
much
nicer
semantics
than
Yama
log
Jason.
It's
there
for
authors,
not
just
as
a
wire
format,
so
you
can
have
more
expressive
bits
pieces
and
you
can
combine
things
in
different
ways.
A
A
We
can
also
test
our
live
cluster
because
it's
possible
to
get
back
from,
obviously
the
communities
API
the
documents
and
it
turns
out
the
documents
to
come
back,
a
lists
and
you're,
probably
not
putting
lists
in,
and
so
you
can
absolutely
do
this.
If
you
choose
like
nested
pipes
in
the
bash
fascism's,
maybe
not
the
best
approach.
A
Handily
I've
been
building
a
committees,
CLI
coop
CTL
plugin,
it's
not
actually
available
in
the
crew
index
yet
and
we're
having
a
conversation
with
the
crew
folks
about
that
at
the
moment,
crew.
If
you
haven't
seen
it
is
a
plug-in
manager
for
coop
CTL
plugins,
there's
a
talk
going
on
right
now
about
it
which
you've
missed,
but
you
should
catch
up
on
the
video
on
that
and
hopefully
we'll
get
this
sorted.
A
A
A
Here
I'm
saying:
grab
me
all
deployments
and
check
what's
going
on
so
actually
there
was
one
of
the
deployments
there
had
does
not
house
containers
which
do
not
have
that
flag
on,
and
the
message
is
telling
me
which
ones.
So
we
can
actually
point
and
shoot
a
real
cluster
as
well
as
use
it
say
locally
as
well
as
use
it
in
a
CI
environment.
We
can
apply
all
of
us
in
different
places
and
you
can
use
the
same
of
re
going
up
and
policy
edging
code
in
gatekeeper
to
get
your
cluster
for
new
things.
A
And
it's
not
just
kubernetes
and
we've:
we
can.
We
can
absolutely
right
policy
for
our
coup
message
configurations.
We
can
absolutely
use
it
for
different
configuration
management
tooling
in
the
community
space,
but
config
isn't
a
communities
specific
problem,
it's
generally
computing,
so
we
can
actually
apply
this
in
lots
of
places
and,
having
said
that,
there
are
a
lot
of
communities
configs
around
and
there
are
a
million.
A
There
are
more
than
a
million
communities
shaped
documents
on
github,
and
this
isn't
a
hundred
percent
accurate
but
like
it's
near
enough
and
that's
a
large
enough
number
and
to
be
very
scared
of
so
well
done.
Sort
of
there's
had
chilling
more
than
seventy
million
near
enough
seventy
million.
That's
that
numbers
probably
gone
up
in
the
last
few
days,
and
and
yet
not
all.
A
This
is
going
to
be
handwritten,
but
quite
a
bit
of
it
is,
and
so
it's
generated
and
sometimes
do
you
want
to
apply
policy
against
generate
echo
in
as
well
and
there's-
and
this
is
just
llamo.
This
isn't
all
the
other
formats
that
were
playing
with
contest
contest
at
the
moment
supports
yeah,
mall
or
jason
as
inputs,
and
but
that's
not
that's,
basically,
just
an
implantation
needle
at
the
moment
there
are
issues
open
to
support
other
formats
and
whether
that
might
be
Tamil
or
HCl
or
edn
or
whatever
structured
format.
A
The
comtesse
repo
has
a
lot
of
different
examples
for
different,
tooling
and
I
won't,
obviously
show
a
lot
loads
of
different
things
and
one
tool
that's
actually
often
used
alongside
and
some
other
infrastructure
tool.
This
is
terrifying
and
some
people
use
it
for
their
communities,
configs
or
just
managing
their
cloud
estates.
A
A
This
terraform
code
happens
to
be
using
the
google
cloud
api's
and
but
I'm
banning
anyone
using
google
container
and
google.
I
am,
and
for
whatever
arbitrary
reason
and
in
a
real
world
context,
though,
actually
you
might
be
like
no
only
certain
people
or
certain
repos
or
certain
places
can
like
manage
I
am
things
if
you're
doing
that,
then
I
have
a
problem
and
we
will
either
warn
or
we
will
say
no,
you
need
to
do
that
for
a
different
route,
and
so
here
is
a
simple
blacklist
implemented
in
Rego.
A
A
So
if
I
do
make
tests
and
again
all
I'm
doing,
there
is
terraform,
show
piping,
outputting,
the
that
and
then
piping
that
contest
here.
Actually,
our
terraform
code
is
going
to
change
some
of
those
prohibited
resources
and
I'm
gonna,
say
nope,
that's
a
bad
thing
I
didn't
mention
before,
but
that
the
contest
does
obviously
output
like
the
relevant
status
codes.
So
you
can
fail,
builds
and
the
like.
A
So
we
can
do
terraform,
config
testing
and
we
can
do
civilus
conflict
testing
and
again
all
these
things
where,
like
when
you
start
thinking
about
them,
are
yeah.
There
are
certain
things
there
are
constraints,
I
want
to
put
on
them.
If
it's
a
small
team,
a
small
organization,
those
are
probably
don't
need
to
be
in
code
as
you
move
into
regulated
environments
as
you
move
into
larger
organizations
and
and
Oh
bits
of
your
organization
that
isn't
as
familiar
with
the
tooling
putting
some
guardrails
around
things
is
really
useful.
A
A
So
I'm
running
up
and
I
wanted
to
say
thank
you
to
a
bunch
of
folks
in
the
open
source.
Community
and
Torian
is
the
person
behind
open
policy
agent
like
and
the
styrofoam
is
in
Lord
of
the
maintain
is
around
that
project
is
really
interesting
and
can
be
used
in
lots
of
different
places
and
I.
Just
have
one
specific
use
case:
Steve,
let's
go
Microsoft
drove
most
of
the
Aussie
I
work
and
Josh
is
doing
a
bunch
of
that
there,
with
bundle
bar
as
well.
So
thanks
open
source
community.
A
It
makes
it
easier
to
build
things
when
people
will
give
you
feedback
and
help
you
along
the
way.
So
summarizing
the
talk
parts.
An
open
policy
agent
is
really
interesting.
Super
flexible
and
check
it
out,
even
if
you're
like
I,
don't
want
this
contest
thing
and
but
check
out
contest
anyway,
it's
on
the
internet
play
around
with
it
open
issues.
Let
me
know
what
you
think.
I
would
expect
like
predicting
things.
A
load
more
integrations
with
open
policy
Asian
in
the
future.
A
I
think
there's
loads
of
potential
for
as
to
have
a
shared
language
for
Policy
I,
think
that's
powerful
in
loads
of
places
and
if
anyone
else
is
super
interested
in
tooling
around
configuration
ping
me
I'd
love
to
have
more
conversations
there
I
think
as
a
community,
we
maybe
got
good
at
a
bunch
of
runtime
stuff
like
service
mesh
is
really
interesting.
However,
we
may
be
not
built
the
developer
tool
chain
yet
to
really
like
for
everyone
to
embrace
cloud
native
computing,
and
so
hopefully
you
enjoyed
the
talk.
A
If
you've
got
any
questions,
if
you've
got
some
time,
I'm
happy
to
answer
by
I'll
be
around
the
rest
of
the
conference.
If
you
can't
find
me
after
this
I'll,
probably
around
the
sneak
booth,
a
bunch,
you
can
go
there
anyway
and
check
out
demos
of
sneek,
which
I
didn't
cover
here
at
all.
No
thank
you
all.