►
From YouTube: Applying Policy Throughout The Application Lifecycle with Open Policy Agent - Gareth Rushgrove, Snyk
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Applying Policy Throughout The Application Lifecycle with Open Policy Agent - Gareth Rushgrove, Snyk
Open Policy Agent is built to be used as a library in other tools and there are already several open source projects using OPA as generic policy engine. This is powerful because it allows end users to invest in one use case, and reuse some of the same knowledge and tools, especially the Rego data assertion language, to solve other adjacent problems. In this talk we will look at applying Open Policy Agent tools throughout the application lifecycle. We’ll explore: * Writing unit tests for Kubernetes configuration (and Helm charts) using Conftest * Defining a CI pipeline in code, and testing that using OPA * Gating deployments to the cluster using Gatekeeper * Auditing the cluster for security best practices, by porting the Kubesec ruleset to Rego * Porting pod security policies to OPA * Writing unit tests for the Rego policy code we wrote above
https://sched.co/UaW8
A
So,
as
I
mentioned,
I'm
Gareth
rush
Grove
from
the
UK,
hence
the
accent,
I
work
at
a
security
company
making
job
tools
called
six
I,
contribute
to
a
bunch
of
open-source
projects
and
I'm.
More
obviously
gonna
be
talking
about
that
here.
Today,
I
want
to
take
a
step
back
from
the
over
long
title
and
talk
a
little
bit
about
what
we
mean
by
policy
in
the
context
of
software.
Development
and
I
want
to
introduce
open
policy
agent
and
some
tools
from
that
ecosystem
and
then
really
dive
into
an
example.
A
Maybe
it's
that
someone
has
that
mandated
all
all
of
your
go
projects
should
be
using
a
specific
version
of
go
again
applicable
to
all
sorts
of
other
different
languages
and
frameworks.
Maybe
it's
that
the
lawyers
are
involved
and
all
the
open
source
projects
should
all
use
the
specific
as
the
same
license.
If
you're
releasing
code
under
an
open-source
project,
you've
decided
it
has
to
be
this
license,
or
maybe
it's
more
specific.
Maybe
it's
about
all
those
docket
for
creating
or
other
assets.
A
A
So,
if
that's
the
sort
of
working
definition
of
policy,
at
least
for
the
next
half
an
hour
h-how'd,
might
we
choose
to
enforce
that
in
our
software
pipelines
and
the
why
there
is
really
that
scaling
policy
enforcement
where
it
is
that
sort
of
some
people,
hopefully
haven't
gone
into
a
smoke-filled
room,
but
might
Hutton
come
up
with
these
rules
and
then
written
them
into
work,
word
document
and
then
put
it
on
SharePoint
and
like
yep,
we're
all
good.
Now,
all
of
those
things
are
true
that
doesn't
work.
A
Ultimately,
people
don't
find
it.
People
don't
believe
it.
People
don't
pay
attention
to
it.
People
appreciate
that
it's
probably
out
of
date
like
maintaining
that
as
a
sort
of
static
thing,
that's
manually,
enforced
really
just
leads
to
the
stress
of
often
people
on
the
security
side
or
compliance
side
running
around
your
organization
like
trying
to
play
whack-a-mole,
not
because
people
are
doing
the
wrong
things
on
purpose,
but
because
it's
hard
to
Italy
scale
processes
built
on
people.
A
A
An
important
thing
to
note
here
is
feedback
like
it's
not
just
enough
to
know
the
current
state
of
okay
yep.
We
need
to
know
that,
like
10%
of
our
NGO
projects
are
not
on
the
correct
version,
but
how
do
we
actually
fix
that,
like
just
reporting,
it
isn't
probably
good
enough?
The
reality
is
that
we
need
feedback,
often
to
developers
to
resolve
those
things.
Testing
earlier
is
faster
feedback,
but
maybe
not
complete
you're,
not
gonna,
see
everything
testing
later
like
this
is
maybe
where
you're
running
everything.
A
A
So
what
is
our
policy
agent
so
I
like
to
think
of
it
as
an
open-source
policy
engine,
so
so
open
source
project?
It's
part
of
the
CNCs
sort
of
family
of
projects
now
and
and
it's
an
engine
for
making
policy
decisions.
Ultimately,
you've
probably
built
sort
of
hard-coded
versions
of
sort
of
policy
engines
in
your
code
before
open,
just
solves
all
the
same
problems
in
a
generalized
way.
You
can
use
it
as
a
library
and
go.
A
You
can
run
it
as
a
service
and
only
you
give
it
some
policy
and
written
in
a
language
called
rego
and
I'll
show
some
examples
of
that
and
you
give
it
some
data
and
it
gives
you
back
the
like.
The
answers
to
I
will
actually
what
happened
when
we
input.
We
applied
that
policy
to
that
data,
and
it's
also
a
really
nice,
like
friendly
open-source
community.
There
there's
a
sensible,
slight
channel,
there's
a
whole
bunch
of
nice
folks
around
or
Vincent
described
it.
It's.
A
So
here's
a
quick
example:
let's
say
that
we're
having
a
conversation
about
the
rest
like
where
we're
going
to
go
for
food
this
evening
and
because
we're
at
solve
our
conference,
we've
decided
to
collect
that
list
in
a
JSON
document
like
bear
with
me
so
well,
we've
got
a
data
structure.
We've
we've
listed
some
restaurants
that
we
could
go
to
and
maybe
different
people
have
suggested
different
ones,
but
I've
got
some
opinions
about
where
we
might
eat
and
realistically
I
can't
bear
unlimited
breadsticks.
A
It's
just
it's
not
good,
so
I'm
saying
a
policy
which
says
here
well,
if
it
like,
we
will
basically
fail.
We
will
say
that
no
we're
out
of
policy
if
Olive
Garden
is
in
that
list
totally
unfair,
but
an
example
of
the
type
of
thing
you
can
do
so
this
is
rego.
This
is
the
policy
language,
the
DSL
that
were
using
to
make
these
assertions.
A
So
obviously,
making
decisions
about
where
we
go
308,
it's
probably
not
a
super
strong
use
case.
Open
policy
agent
is
integrated
into
all
sorts
of
different
services,
and
this
list
keeps
growing
so
it's
integrated
into
sto
and
safe
and
gatekeeper,
which
I'll
come
onto
later,
because
there's
lots
of
services
where
you
want
to
make
policy
decisions
and
open,
gives
you
a
really
powerful
tool
to
do
so
and
there's
advantages
to
have
being
able
to
describe
your
policies
for
different
things
in
the
same
language.
A
It's
quite
commonly
used
actually
in
the
connecting
space
in
the
moment
now.
This
is
strong
like
link
between
the
two
areas.
It's
mainly
used
over
here,
so
it's
mainly
used
in
our
sort
of
simplified
model
in
production
in
your
in
connect.
These
questions,
often
as
part
of
an
emission
controller
and
we'll
come
on
to
an
example
of
that
later,
with
gatekeeper,
but
mainly
over
here.
What
we
said
before
was
actually
that-
and
this
is
great
for
in
compliance
and
sort
of
completeness,
but
not
great
for
fast
feedback.
A
So
going
back
sort
of
a
little
while
ago,
I
was
sort
of
super
interesting
open
source
engine,
but
I
was
more
interested
in
that
side
of
things.
I
was
more
like
well,
how
can
we
get
the
power
of
policy
into
developers
hands
so
I
had
some
time
on
my
hands
somehow
took
open
policy
agent
and
wrote
a
contest
so
I
did
it
hot
just
introducing
contest
in
Barcelona,
so
this
is
built
on
top
of
open
policy
agent,
open
policy,
I
didn't
use
all
the
hard
work
context
provides
and
developer,
focused
user
experience
and
user
interface.
A
On
top
of
that-
and
so
it's
still
a
general
purpose
tool,
but
it
a
very
specific
use
case
really
around
testing.
So
it's
much
more
like
more
of
a
local
testing
tool
or
a
tool
for
CI
intervention,
and
it
has
a
whole
bunch
of
things
that
just
make
it
easier
to
solve
those
types
of
problems.
So
own
policy
agent
really
cares
about
data.
A
Well
confidence
based,
he
says,
I
know
about
all
the
data
formats
you're
using
just
give
me
them
and
I'll
sort
it
out,
so
it
supports
Jason
and
Yama
on
nine
I
and
HCl
and
Tamil
and
Q
and
dockerfile,
and
probably
some
others
at
this
point,
so
give
it
your
config
files
and
some
policy,
and
we
can
make
assertions
on
that.
It
also
has
some
built-in
tools
for
sharing
and
like
sort
of
develop
a
friendly
output.
A
A
Whereas
Oprah
is
sort
of
integrated
into
I
guess
that
more
server-side
services
comp
test
basically
then
ends
up
integrated
into
various
developer
tools.
So
there's
github
actions,
there's
Tecton
tasks,
there's
a
circle
CI
orb
that
was
contributed
by
a
someone
who
was
using
circle
and
came
along
and
joined
the
project.
A
So
that's
that's
the
sort
of
components,
parts
that
I'm
gonna
use
to
sort
of
build
out
this
pipeline,
but
let's
jump
into
an
actual
example,
I'm
good,
because
I
want
to
make
this
like
a
bit
more
real
I'm,
picking
a
specific
project
that
means
I
needed
to
pick.
Sangwich
I've
picked
Python
because
I
like
Python,
but
this
is
totally
applicable
to
anything.
The
real
the
reality
is
if
you've
got
some
other
language,
shell
framework,
you're
gonna
have
some
config
files,
you
know
what
they
are,
and
so
don't
worry
about
the
Python
specific
bits.
A
You've
probably
got
some
config
file
in
your
repo
for
everything.
So
one
of
the
things
that
a
Python
project
often
has
is
wow
there's
a
number
of
different
alternatives.
Pipp
file
is
one
of
them
for
describing
our
defining
the
dependencies
of
the
project
so
which
packages
am
I
using
in
my
Python
project,
so
this
might
in
Java
you
might
have
a
pom
to
XML
file
or
a
Gradle
file
in
Ruby.
A
It
might
be
a
gem
file
in
node
project
on
Jason,
all
of
those
files,
a
configuration
and
well
in
my
organization,
my
hypothetical
organization
we've
got
some
rules
around
those
in
one
case.
Well,
we
should
be
on
Python,
3
and
big
s.
Well,
that's
a
patent
to
is
their
end
of
life.
So
that's
definitely
something
where
organizations
would
say
it.
This
isn't
describing
it
in
code
also,
we
should
be
using
SSL,
so
simple
assertions
about
things
that
you
could
like
have
a
conversation
about
now
encoding
described
in
code.
So
let's
have
a
look.
A
So
I'm
gonna
run
contest
test.
I'm
gonna
tell
the
tell
contest
that
this
is
Tamil
and
pip
file
doesn't
have
an
extension
not
and
not
easy
to
auto
discover
that
so,
basically,
we're
being
explicit
in
this
case
and
namespaces
me
saying:
use
the
policies
related
to
pip
file
and
what
and
pip
file
is
the
actual
file.
A
So
I
can
run
that
and
lo
and
behold
we
fail
if
I
change
my
Tamil
file,
obviously
again
don't
region
which
flows
civics
and
we
run
obviously
like
I've
started
all
problems
and
like
that
was
something
that
I
just
ran
in
my
project.
That
was
generic
to
my
organization.
My
project
had
a
problem:
I
was
able
to
fix
it
and
obviously
we
could
fix
the
other
one
as
well
so
pretty
simple,
but
and
in
this
particular
project,
there's
actually
quite
a
few
different
config
files.
There's
a
PI
test
file.
A
We
can
test
our
PI
test
file
and
you'll
note
there
that
we've
got
instead
of
hard
failures
like
instead
of
it
exiting
with
a
non
zero
exit
code
and
giving
you
red
flashing
failures,
we're
saying
well,
actually
there
are
some
things
where
it
it's
a
strong
hint
but
yeah,
we'll,
probably
let
you
off
most
the
time.
Maybe
these
become
hard
failures
in
the
future,
so
it
contests
you
can
issue
warnings
as
well
and.
A
The
other
thing
here
is
when
you
start
going
well:
okay,
but
how
do
I
know
my
policies,
work
and
I'm
using
this
tool
and
I've
written
some
Rigo
code?
But
how
do
I
know
the
Rieger
code
doesn't
have
bugs
and
well
turns
out
open
policy
agent
has
a
unit
testing
framework
because
it
is
a
developer
tool.
So
let's
have
a
look
at
some
tests
and
again
this
is
rego
ocurred
testing,
the
poll
of
the
policies.
We
wrote
so
again
here
we're
saying:
well,
we
should
deny
we
it
should
fail.
A
If
the
input
is
this,
so
we're
able
to
write
tests
for
our
policies
and
then
use
those
policies
with
a
lot
more
confidence
and
confidence
makes
it
really
easy
to
just
run
those
tests
with
contest
verify
so
that
we'll
run
all
the
unit
tests
for
your
policies.
So
you
have
some
confidence
that,
like
if
someone
says
oh
yeah
like
but
you've
had
to
take
that
word
document
and
you've
turned
it
into
code.
Machines
are
good
at
doing
the
wrong
thing.
If
you've
told
them
to
do
well,
we
can
solve
that
with
testing.
A
So
I
mentioned
a
few
of
these
examples.
You
never
know
if
demos
are
not
gonna
work
again.
Think
of
all
those
configuration
files
that
you
have
in
your
repos
that
scatter
around
think
of
all
the
things
that
you
know
are
the
right
thing
to
do,
but
you
probably
don't
know
whether
you
do
them
everywhere
and
suddenly.
You've
got
a
very
general
purpose
tool
that
can
take
any
of
those
input
formats
and
start
reasoning
about
them.
A
Complex
also-
and
this
is
southern
new
thing-
actually
has
a
Titan
library
as
well.
So
if
someone's
like
I,
don't
want
another
tool,
I
already
have
a
testing
tool.
I'm
already
writing
my
tests.
You
can
actually
just
use
Cobb
test
as
a
library
in
in
hit
word
written
in
Python,
but
here
in
PI
unit
tests,
and
maybe
other
people
will
but
build
a
saw
plugin
for
other
things.
A
You're
still
writing
your
tests
in
Rego,
but
your
test
Runner,
is
now
the
thing
you're
already
running
in
your
CI
system,
which
can
be
have
some
nice
properties
so
and
we're
at
kluve
con.
So
talking
about
how
that
applies
to
karate
is
sort
of
interesting
and
turns
up.
We
definitely
have
config
in
cuba,
Nettie's
there's
quite
a
lot
of
it,
like
I,
like
turns
out
that
there's
probably
close
to
2
million,
like
individual
files,
probably
hung
get
herb,
Exar,
Kun,
a
t-shaped
and
that's
public
ones.
A
How
many
there
are
worldwide
for
everywhere
else
is
a
point
of
speculation,
but
it's
not
a
small
number.
We
definitely
have
a
lot
of
config
and
there
are
definitely
best
practices
issues
like
things
you
can
do
right
or
wrong,
we're
at
quite
a
low
level
of
abstraction
for
the
most
part,
their
shout-out
to
some
prior
art
that
coops
tech
project
they're
a
good
job
of
sort
of
going
through
and
coming
up
with
some
best
practices
around
this
useful
wooden
shot
tool.
A
One
of
the
things
we've
been
doing
is
sort
of
taking
those
rules
and
encoding
them
in
rego
and
again
actually
you're
sort
of
building
the
same
thing
there.
It's
just
that
you
can
be
then
adding
your
own
rules
becomes
easier.
Having
rules
that
are
you
don't
like?
Maybe
you
don't
like
what
I've
got
the
rules?
There,
though
you
want
something
to
be
more
important
or
something
slightly
different,
obviously
having
a
general
purpose
tool
and
the
language
around
it
makes
that
possible,
but
there's
definitely
space
for
like
point-and-shoot,
specific
tools
and
general
ones.
A
In
my
opinion,
so
we've
been
porting
a
bunch
of
the
coupe's
tech
rules
to
Tirico
another
thing
that
crops
up
around
committees
configuration
especially
in
the
security
space
and
so
our
best
practice
areas
been
pod
security
policies.
There
are
some
pros
and
cons
around
of
that
there's
a
session
on
the
wood
sig
off
on
Thursday
I.
Think
talking
about
that,
but
there's
actually
been
some
work
with
Rita
from
Microsoft.
A
There's
a
help
again
as
well,
so
like
again
I'm
trying
to
integrate
this
into
like
the
tools
people
are
using
to
make
it
as
easy
as
possible,
like
helm,
is
a
good
example
where
people
are
packaging
up
their
communities.
Config
well.
Does
that
look
good?
Does
that
work?
Is
it
secure,
and
so
the
Helton
plug-in
basically
just
allows
you
to
run
helm
contests
that
will
take
the
values
that
will
take
the
templates
that
will
put
it
all
together
and
apply
the
policy
on
that.
So
you
don't
have
to
you.
A
So
with
contest,
we've
got
a
local
set
of
tooling
that
we
can
use
to
write
policy
for
all
sorts
of
structured
data
and
any
of
those
config
files
and
that
you
have
laying
around.
We
can
now
with
the
same
tool
set
and
the
same
language
write
policy
about.
So
that's
powerful,
that's
useful
and
again,
like
that's,
really
good
for
local
fast
feedback.
So
how
do
we
start
getting
that
into
a
CI
system,
because
we
want
to
enforce
that
as
well?
A
So-
and
this
is
the
sole
model
I've
been
using,
really
well
make
sure
our
policy
a
disc
the
unit
s
if
it
doesn't
applying
our
policy
is
a
bad
thing
to
do,
and
if
it
does
we'll,
we
can
just
paralyze
all
of
these
things
so
running
our
PIP
file
running
our
docker
file
through
running
the
helm
chart
through
this
is
really
our
PI.
Tasted
like
this
is
a
real
project
with
real
world
config.
We
can
apply
all
sorts
of
things.
A
You
can
get
quite
meta
it.
It
makes
it
quite
powerful.
So
let's
say
we
we
can
start
a
pipeline
in
Tecton.
We
can
run
that
we
and
we
can
see
the
output
as
well
and
again,
let's
have
a
look
at
what
that
looks
like
in
the
Tecton
dashboard
and
again.
Obviously,
your
CI
tool
of
choice
will
have
something
very
similar
where
we
can
see
the
results
of
that
policy
being
constantly
applied.
A
So
in
this
case
well,
yeah
I
had
a
very
poorly
configured,
helm
jar
and
it's
been
caught
into
the
eye
and
now
I
need
to
go
fix.
Those
before
my
home
child
can
get
deployed,
and
again
you
like
this
is
just
another
thing
that
can
be
added
into
your
CI
system.
You're,
still
doing
your
unit
tests
you're
still
doing
your
integration
test,
you're
still
writing
like
testing.
A
It's
also,
generally
speaking,
very
fast
to
run
so
you're,
not
talking
about
something.
That's
going
to
be
hugely
slowing
down
your
pipelines,
so
we've
got
a
tool
set
that
can
be
used.
Luckily,
we've
got
a
tool
set
like
that.
That
is
useful
in
CI,
where
we
can
sort
of
do
some
enforcement,
and
so
we
started
getting
into
production.
A
This
is
where
gate
keeper
comes
in,
like
complicities
focused
on
that
develop
a
problem
in
the
CI
space
you
get.
Keeper
is
focused
very
squarely
on
making
your
policy
agent
useful
in
a
kubernetes
context,
so
how
it
does.
This
is
basically,
it
allows
you
to
write,
add
some
controllers
to
committees
and
then
some
some
custom
resources
and
you
can
describe
constraints
and
constraint
templates
off
the
bottom
here.
A
Just
a
bit
is
actually
a
whole
bunch
of
Rigo,
so
the
language
we
were
using
for
a
portage
and
can
be
busy
packaged
into
kubernetes
resources
and
uploaded
to
your
cluster
and
gatekeeper
there
in
acts
as
a
an
admission
controller
and
the
Webber
can
busy
enforces
that.
I'll
show
that
in
a
second
that
does
get
into
the
because
you've
got
the
sort
of
policy
written
in
Rego,
and
you
want
to
write
the
tests
with
that
and
the
tool
set
is
built
around
that.
A
So
I've
missed
you've
got
a
repo
of
a
load
of
rego
files
and
whenever
I
change
those
an
action
kicks
in
and
basically
regenerates
my
constraint
templates
so
not
having
to
manage
multiple
things.
I
can
I
just
have
one
set
of
policies
that
I
can
check
out
the
repo
and
run
but
running
my
CI
and
also
then
get
built-in
to
constrain
templates
that
can
be
then
deployed
to
crises
so
manage
one
set
of
policies
that
can
be
used
throughout
the
process.
A
A
A
Yeah,
so
here
you
can
see
all
of
that
rego
being
put
into
a
kubernetes
shaped
object
again.
This
is
also
generated.
I,
don't
write
this
by
hand
to
make
it
a
little
bit
easier.
I've
got
a
couple
of
namespaces
set
up,
so
what
I'm
gonna
do
is
I'm
going
to
try
and
just
send
this
deployment
off
to
kubernetes
to
deploy
it.
The
deployment
is
very
simple
straight
up
like
basic
hello
world
example.
A
And
I
tried
to
deploy,
but
this
cluster
is
this.
Namespace
is
configured
with
those
constraints
and
cumin.
If
he
says
no
QA,
he
says
well.
Women
they're,
like
the
policy
says
you
can't
have
this
configured
like
this
and
I've
just
blocked
you
I'm
not
allowed
to
deploy
that
deployment.
Connect
is
at
an
early
stage,
Y
at
the
API
level.
Just
said
no,
not
having
that.
A
So
that's
useful.
It
also
might
be
if
you
turn
up
to
your
work
and
you've
written
a
lot
of
policy
and
you
upload
it
to
gatekeeper
and
now
everything
is
blocked.
That's
probably
not
the
best
idea,
like
basically
everyone
will
come
and
kill.
You
is
the
short
version
of
how
that
ends
like
the
like,
so
gate
keeper
also
allows
basically
to
audit
I,
can't
remember
the
entire
command,
so
I've
got
a
handy,
Mac
file,
so
here
we're
actually
looking
at
where
we've
bases
just
run.
A
Coupe
CGL
get
on
the
the
custom
resource
that
was
created
by
gatekeeper
and
you
can
see
a
bunch
of
metadata,
but
then
in
the
status
we
have
all
of
the
violations
of
this
policy.
So,
actually,
if
I
try
and
deploy
this
to
that,
if
I
try
and
deploy
my
deployment
to
the
audit
namespace,
it
gets
deployed,
but
I
have
a
way
of
asking
committees
which
things
in
that
namespace
are
out
of
policy
and
obviously
I
can
then
use
this
to
go.
Okay,
yep,
let's
go
fix
those
problems.
A
Let's
work
with
teams,
let's
get
that
into
their
CI
systems
and
then
at
some
point
this
will
be
a
list
of
0
and
then
we
can
enforce
it
and
once
we're
enforcing.
We
have
like
we're
checking
in
our
what
we're
giving
tools
to
offer.
So
they
can
very
easily
verify
that
it's
not
like
coming
in
late
and
saying
security
says
no
like
it's
in
there
CI
systems
and
if
anyone
says
like
more
I'm,
just
gonna
bypass,
CI
and
I'm
just
going
to
run
command
against
the
cluster.
A
So
if
all
you
take
away
from
this
is
local
development
is
important,
especially
when
it
comes
to
things
that
are
potentially
gonna
slow.
You
down
like
make
adopting
good
practice
easy
and
people
will
do
so.
Do
it
in
smoke-filled
rooms
with
documents,
and
it
just
doesn't
scale
like
enforcement
in
continuous
integration
is
where
developers
get
feedback
like.
A
So
it's
the
logical
place
to
introduce
all
the
types
of
feedback
like
policy,
and
then
you
probably
still
want
to
get
your
clusters
and
have
tools
that
allow
your
auditing
properties,
because
that's
where
you're
actually
running
the
things
that
you
want,
the
policies
to
enforce
so
few
takeaways
open
cells
is
pretty
great.
A
policy
agent
is
a
really
interesting
low-level
project
that
can
be
used
for
all
sorts
of
different
use
cases
and
it
made
making
comtesse
really
easy
and
contests
then
went
from
me
hacking
on
something
to
now.
A
A
We
can
probably
all
agree
on
a
good
set
of
best
practices
and
getting
girls
into
code
and
into
the
tooling
would
be
really
nice.
I.
Think
sharing
is
really
the
next
step
for
me
for
the
sort
of
open
policy
agent
project,
and
with
that,
thank
you
very
much.
Hopefully
it's
been
of
interest
and
yeah
come
say.
Hi.
D
So
any
questions
in
the
audience-
hey
Gareth!
Thank
you
for
that.
So
I'm
little
confused
about
the
the
difference
between
comp
test
and
gate
gatekeeper
is
it
in
in
terms
of
the
configuration,
so
it
sounds
like
you're
you've
written
a
tool
that
ports
the
confess
configuration
over.
Is
that
correct?
Yes,.
A
So
comp
test
just
deals
with
rego
and
gatekeeper
basically
takes
rego
and
packages
it
up
for
kubernetes,
so
you
can
send
it
to
the
queue
Metis
API.
So
it's
just
a
wrapper
around
the
rigor
in
llamo
to
go
to
the
coop
to
basically
talk
to
the
corrected
API
and
so
like
you
can
do
that
by
hand
and
I've
just
written
a
tool
that
makes
it
easier
for
me
to
the
you
to
reuse
the
same
rego
in
both
gatekeeper
and
in
contest.
So.
D
A
B
A
The
question
that
is
around
like
ABS
specific
use
cases
and
again
like
cloud
providers
like
if
y'all
configure
anything
like
that
has
loads
of
config
and,
let's
say
you're,
using
terraform
or
you're,
using
cloud
formation
and
they're
just
from
the
point
of
view
of
Congress
they're,
just
data
structures,
and
so
you
can
absolutely
use
Rigo
and
complex
to
test
those
and
there's
a
little
bit
less
prior
art
and
in
terms
of
their
big
api
services
and
less
people
are
doing
so.
But
there
are
some
people
writing
policies,
mainly
internally
in
organizations
for
those
things.
A
There
are
some
examples
in
the
contest
repo
of
like
serverless
framework
as
well,
and
there
are
some
examples,
but
only
a
few
and
Sam
as
well
is
another
example
of
all
of
these
couplet.
It's
just
data
from
the
point
of
view
of
these
tools,
there's
nothing
connecting
specific
in
contest
at
all.
It's
in
the
policy
G
right
and
the
rego
you're
right
that
you
start
adding
the
domains.
Yeah
I'd
love
to
see
a
like
a
shared
library
of
anybody,
s,
policy,
stuff,
I,
think
it'll
be
great.
Okay,.
C
A
Absolutely
the
gear
of
actions
PI
is
purely
as
a
helper
for
generating
some
files
that
I
didn't
want
to
manually
transpose
and
but
actually
most
people
today,
a
manual
either
manually
transposing
them
or
have
like.
If
you've
got
a
CI
pipeline,
you
could
do
that
Auto
generation
there.
It's
purely
an
implementation
detail,
certainly
not
required
by
any
of
the
tooling
along
the
chain.
E
A
Discoverability
and
sharing
are
super
interesting,
but
very
new,
there's
some
tooling
in
complex
that
allows
you
to
share
basically
bundle
peer,
bundles,
which
include
the
rego
and
some
data
and
the
metadata
and
using
an
OCR
registry,
and
it
uses
the
new
OCI
artifact
spec
and
which
B
isn't
implemented
everywhere.
So
actually,
this
currently
only
works
in
a
zoo
and
in
the
docker
distribution,
open
source
project
and
there's
some
new
functionality.
That's
been
added
I've
a
chance
to
look
at
a
problem
by
some
of
the
other
maintain.
A
Is
that
actually
makes
sharing
via
s3
possible,
sharing
via
actually
get
repos
possible?
So
you
basically
have
a
push
and
pull
commands
for
pushing
and
pulling
things.
I
can
push
something
open.
You
can
throw
it
so
early
days
with
that
and
in
there
is
actually
a
contest
like
config
file,
where
you
can
describe
some
of
these
sources.
It's
not
all
fully
baked
yet,
but
and
there's
a
question
of
how
much
of
a
package
management
we
want
and
filled.
A
B
C
A
Yeah,
why
rego
I
altom
utley,
more
verse,
all
Opa
Opa
question,
so
the
OPA
thought
maintained
is
a
good
start.
It's
really
that's
what
they
started
with,
don't
like
their
ritual
appreciate
this
bit
like
you,
dear
cells,
have
a
lot
of
power
and
potentially
a
high
barrier
to
entry,
and
some
people
absolutely
hate
their
cells.
Other
people,
like
oh
I,
like
I,
wanted
ear
cells
for
everything,
and
there
are
definitely
downsides
with
Rigo,
just
as
a
high
barrier
to
entry.
A
A
F
A
Yes
is
the
short
version
with
like
there's.
Definitely
a
few
people
who
are
like
a
bunch
of
these
policies
like
hot
security
policies,
is
a
good
example
where
we
just
want
to
someone
in
the
community
right
then,
when
everyone
can
benefit,
and
that
definitely
feels
like
it's,
the
direction
of
travel
there's
not
a
to
defecate.
There
are
a
few
of
us
who
keep
writing
like
bigger
things
and
sharing
them.
A
That's
why
I
think
this
sharing
tools
are
important?
There's
there
were
some
conversations
at
the
six
security
event
yesterday
about
there's
the
newly
launched
security
hub
project,
and
we
might
look
at
being
able
to
use
security
hub
as
a
way
of
sharing
like
good
it,
like
sort
of.
If
there's
a
good
security
config
for
kubernetes,
can
we
share
on
security
hub
and
currently
it's
mainly
used
for
sharing
Falco
rules,
but
sharing
Rigo
would
make
a
really
nice
next
step
so
early
as
but
definitely
interests
deftly
conversations.
A
Yeah
at
the
moment,
there's
most
of
the
things
are
scattered
in
github,
repos
I.
Think
retail
I
mentioned
from
the
geikie
projects
got
a
bunch
stuff
that
all
of
the
code
I
showed
is
on
my
github
under
Gareth,
R
and
I'll
include
a
link
in
the
sort
of
random
yeah.
The
best
about
the
moment
is
jump
onto
the
opal
policy
agent
slack
and
ask,
and
there
are
a
bunch
of
examples
falling
around
which
we
as
a
community.
We
need
to
get
better
at
putting
that
all
in
one
place
and
sort
of
working
on
together.
Oh.
A
That
sneak
I
just
work
there.
If
you
want
to
see
what
we
do,
though,
all
of
that's
very
cool
and
should
come
to
that
booth,
where
we
provide
the
ultimately
developer,
focused
security,
tooling,
and
so
this
is
definitely
of
interest
and
we're
doing
some
config
stuff.
But
I
I
have
like
three
jobs.
It's
confusing
yeah,
thanks
to
all
the
questions
and
coming.