Description
In this hands-on demonstration we take a look at Open Policy Agent (OPA): creating a policy, testing it with the OPA sandbox syntax checker, deploying it into a cluster and testing it there. We then also look at how this fits into Prisma Cloud, with a whirlwind tour of some more features.
Hello, and thank you for joining me, Ashley Ward, in this quick 15-minute video on some things that we can do around securing Kubernetes. Now, my name is Ashley Ward. As I've said, I am the Cloud CTO for Palo Alto Networks within Prisma Cloud, focusing on the EMEA region, and that means that I get to do lots of nice talks and speak to customers and evangelize about stuff.

But it also means that everybody wants me to talk about their part of the product, and when we talk about securing things like Kubernetes, we know that having a platform that does all that is critical. But that does mean, for me, that lots of people want me to show lots of different things. So I'm going to jump over and I'm going to play this video while I'm talking, and then we will do a live demonstration at the end.

One of the things that people said to me that they wanted was: everybody at KubeCon, well, they're going to be spinning up clusters and having small clusters and multiple clusters and different environments, and they want to know how easy it is to deploy software on there to secure it. And I kind of thought: well, that's very sales-pitchy, but okay, fine, if people would be really interested in that, I can spin up a cluster.

I can use eksctl, or "eks cuttle", and I can spin up a cluster. As you can see there, it takes usually, well, 16 minutes is how long it took there. If it's 17 minutes, I could then quite easily deploy my Defender YAML in there and see them all pop up in my console, and everybody's happy. Look at me, I've done all this nice stuff. I could then make sure that I can see these things are there, so I've got my... the hosts are there? The Defenders are there and they're connected.

I could jump over then and say: right, okay, well, in the time that it's taken for that to be deployed, do I have any vulnerabilities that might be on there? So, jumping over to the hosts and saying, what hosts have I got? There's my new Amazon Linux ones that are there. Do they have some vulnerabilities? Oh great, they do, super. I don't care at this point; I just want to show that I've gone ahead and scanned that straight away. And then what about if I look for vulnerabilities for images? Well, what do we know?

Let's, let's filter by the hostname, just to show that we're not using the old ones, and there we are. Let's make the screen bigger, and we have some vulnerable images that are there. Great, happy days. We've shown we can do that, but this is KubeCon. So what about somebody else shouting, "Ashley, do shift left. Everybody loves shift left, do shift left"? Well, okay, fine, so we could show shift left, and that would involve saying we will pull down an image, and we will then use a lovely command line to scan that image.

This is almost commoditized. I mean, yes, we say ours is better. Yes, we can do this with pretty colors, and we can show just a pass or a fail, or actually big, long screens of information. Yes, I suppose that's kind of cool, but is it quite what people in KubeCon are after? I'm not sure, but okay, fine, I can show that this type of thing does work.

Well then, somebody in this meeting, to decide what is actually going to be said at KubeCon: "Well, let's do full platform, cloud native application protection platform. Everybody will love that. You should show them that we don't just secure container stuff; we secure the actual hosts and we also secure the cloud platform, and not just one cloud service provider. Show that we do lots and lots of different cloud service providers, and that will be really important." And of course, then somebody says, "Yes, that is important."

People do want to know that, but at KubeCon typically people want to know about Kubernetes. So is it that great, showing we can do all these things? Well, yes, it's nice and showy-offy, but it's not necessarily what people want. Then somebody else in the room says, "Well, runtime protection. Runtime protection is awesome. We do it all automatic."

"You should definitely show that." So, show that you've been playing about with different things you've deployed. So here I'm going to spin up a nice little nginx, and I'm going to go into it and see what's happening. So what have I got here? I'm inside my nginx container, great. I've just run bash, great, and this isn't an example of somebody really doing this. No, well, I mean, it could be that that container was exploited somehow other than this; it could be user error. Regardless.

The point of this runtime stuff is, no matter what stuff I typically type in here, all of it is going to be tracked, all of it's going to be logged, and we're going to be able to show that. So, as we can see here, my typing is particularly bad. I'm picking commands that I can't particularly run, so we'll try and do something else here that would make it at least a little bit more interesting. curl's there.

So let's get a whole splurge of stuff from curl, great, and we'll touch another file, and then let's go and see what that means for runtime protection, runtime protection being a really important part that is often overlooked. So we jump over and we can see, right, oh, look at this. We have this major incident that has occurred because, funnily enough, we have data exfiltration.

We have somebody doing stuff inside an nginx container. Oh look! We've done stuff with Google. That was suspicious name resolution. Then we've also made outbound connections, oh, great stuff. Now we can also have a look and we can see exactly what went on inside that container. So yes, the runtime stuff is super important, and it's super cool that we can see all of this and log all of this for every single container, but we're still talking about this being KubeCon.

So what can we do to actually teach somebody? So, rattling through, because I've only got a short period of time, let's come out of this and jump over to here. So what can we teach somebody? And what's the one takeaway I'd really like you to think about? OPA. OPA, Open Policy Agent, is awesome. It's really, really cool. We love it. It's a great way, and look at the website, openpolicyagent.org; there's lots of information, and it does boil down to: stop using different things when we can just use one common thing now.

The good thing about this is there's lots of information about how to do stuff, and there's the Rego Playground, and what this means is that we can put in here some input. We can put what we want to check, and so you can test all those different policies that you're writing in the same way with Rego, and we can then go, right, what's the result? And in my situation I've done a really simple one.

I've got an input here that's going to say, let's run in privileged mode, and I've got here a lovely little thing that's saying, well, if that's going to run in privileged mode, let's, let's catch that and say something. Now, you can then put in denies and you can do all that kind of good stuff. I'm going to jump over here into, into Prisma Cloud, where we're using Rego, and oh look, I do happen to have this privileged pod creation, which the eagle-eyed amongst you will see.

It is exactly the same as I was putting in here. So I've got that all there. I don't need to put the package information, because Prisma Cloud's going to work that out for me, so I've got all of this detail there. I've got that there, and now let's actually try and run this. Okay, now over here, you can see that I have actually put in that I'm going to use the validating webhook. We provide the, the OPA for that, the YAML for, for creating it. The Open Policy Agent website has some nice guides.

So that's what we've got up here. Then we've got this privilege.yaml, so I've got this, the same thing actually as I had for, as I had over here. I'm just using YAML, and here we've pulled something out that's, that's JSON! Actually, the way that I did it was, I cheated to make it all nice and easy: I deployed in YAML, and then I did a `get pods -o json` and pulled that out, put that in there. So I, I knew that it was, like, belt and braces. I've got both.

I could have it in block, or specifically allow. All of that detail was there. So let's cancel out that. Now, we did run it. I have already deployed that OPA, the, the... If I jump back over here, I've already put that webhook configuration in place. We've run all the stuff. Let's see what we've got then. If I go over to Monitor, and I jump over to my Events, I have admission audits.

So we would encourage, and I would encourage you, to go and play with OPA, and you can, you can learn about it very simply through all of that. The playground is really, really awesome. Do have, have fun going around with that, and then, when you're ready (and when I can learn to use a mouse), and when you're ready, do have a try of Prisma. Because not only do you have the admission audits right in there straight off the bat, but we can also see things like...

We've also got the runtime radar to be able to say this is how all the containers are going to talk to each other, and lots, lots more besides. Takeaway: check out OPA, and then also come around our virtual booth, where we will go into great detail about all these different features, including, if you ask nicely, all the stuff around cloud security posture management as well. Again, let's switch over here so you can at least see things. My name is Ashley Ward. That's my email address right there.
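The policy the talk walks through (catch a pod that asks for privileged mode, test it in the Rego Playground, then enforce it through a validating webhook) is not shown in the transcript, so here is an added example of that shape. It is not the speaker's policy and not Prisma Cloud's built-in "privileged pod creation" rule. Assumptions: the package name `kubernetes.admission` is arbitrary (Prisma Cloud, as the talk says, supplies its own); the policy accepts either an AdmissionReview as a ValidatingWebhookConfiguration delivers it (Pod under `input.request.object`) or a raw Pod object such as `kubectl get pod <name> -o json` output pasted into the playground; the two sample inputs at the bottom are constructed for the `opa test` cases; syntax uses `import rego.v1`, which needs OPA 0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Added example, not the speaker's or Prisma Cloud's policy: deny any Pod
# whose containers request securityContext.privileged=true.
#
# Two input shapes are accepted:
#   1. an AdmissionReview from a ValidatingWebhookConfiguration
#      (the Pod is at input.request.object), or
#   2. a raw Pod object (`kubectl get pod <name> -o json`) pasted into the
#      Rego Playground, where the Pod is the whole input.

# Locate the Pod whichever shape we were given; object.get falls back to the
# default (the whole input) when the request.object path is absent.
pod := object.get(input, ["request", "object"], input)

# The kind check lives in a different place in each shape.
is_pod if {
	input.request.kind.kind == "Pod"
}

is_pod if {
	input.kind == "Pod"
}

# Regular containers and init containers are both checked; a missing
# initContainers field simply contributes nothing to the set.
all_containers contains c if {
	some c in pod.spec.containers
}

all_containers contains c if {
	some c in pod.spec.initContainers
}

# One deny message per offending container. An empty deny set means
# "admit"; the webhook glue on the OPA site turns a non-empty set into a
# rejected AdmissionReview response.
deny contains msg if {
	is_pod
	some c in all_containers
	c.securityContext.privileged == true
	msg := sprintf("container %v must not run with securityContext.privileged=true", [c.name])
}

# --- constructed sample inputs and `opa test` cases (run: opa test -v .) ---

# Webhook-shaped input with one privileged container (constructed sample).
privileged_review := {"request": {
	"kind": {"kind": "Pod"},
	"object": {
		"kind": "Pod",
		"metadata": {"name": "nginx-priv"},
		"spec": {"containers": [{
			"name": "nginx",
			"image": "nginx",
			"securityContext": {"privileged": true},
		}]},
	},
}}

# Raw Pod JSON as kubectl would print it, with no privileged request
# (constructed sample).
plain_pod := {
	"kind": "Pod",
	"metadata": {"name": "nginx-ok"},
	"spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
}

test_privileged_pod_is_denied if {
	count(deny) == 1 with input as privileged_review
}

test_plain_pod_from_kubectl_is_admitted if {
	count(deny) == 0 with input as plain_pod
}
```

Save this as a `.rego` file and run `opa test -v .` to exercise both cases offline; in the playground, paste the policy on the left and either sample (or your own `kubectl get pod -o json` output) as the input, and `deny` shows the messages. The same file, minus the test rules, is what the ValidatingWebhookConfiguration-backed OPA deployment from the OPA website's Kubernetes guide loads; the talk's point that Prisma Cloud strips the `package` line applies only to its own editor, not to a self-hosted OPA.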