From YouTube: CNCF SIG-Security Meeting - 2019-05-15
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
A: And I'm just bringing up the meeting notes we have. Since I've been in flight with no Wi-Fi I haven't been able to check, but I saw a Slack notice that we have an email group now that is set up by the CNCF, so you all should have gotten an invite if you're on the calendar. If not, we will add it as soon as I can figure everything out. Did anybody see anything about that?
A: And we have a second, and just the notes are attached to the calendar invite. I'll drop them in the chat.
A: Right, so let's... I don't think we... So let's just start. We'll do a little stand-up, see if we end up with Dan and JJ joining us, and then chat about... Then we will have the presentation from OPA, so I'll just call on people in the order that I see them in the Zoom. Roger, do you want to introduce yourself? Oh.
E: Sure, so I'm product manager for, let's say, the CaaS Platform, container Kubernetes, and originally specifically container security. But it kind of grew into the whole platform at SUSE, and I've been working on getting a release out, getting audits and benchmarks into the release process, which has turned me away from the community for a couple of months. But I'm back. Thanks.
H: OCI is a separate Linux Foundation foundation, which I think actually predates CNCF, and it was originally designed as a standards organization, although there is also runc, the implementation, as well. There was an attempt to merge it into CNCF last year, but it failed, for complicated reasons [remainder unclear].
B: That we opened the PR too, so this is something that I've been working on in containerd as well. It's around encrypted container images. We talked about this at DockerCon, so we are modifying the OCI image spec to allow specification for encryption, and part of that is trying to [unclear] the containerd project.
I: First and foremost, apologies for running a little bit late; sorting, getting together with the team and sort of lining up and making sure we get the last SIG Security stuff set up. I noticed, as I was doing some internal bookkeeping, that some of our active members didn't get onto the meeting invite, so I tried to sort of coax everybody over, and it looks like Marc [names unclear], so great to see everybody, and I hope everyone now has the new time update on their calendar. One decision that we did come up with was to continue with weekly. I tried to sort of merge the streams of having our working sessions on Thursdays and the meeting on Fridays into biweekly meetings, where we do our working session one week and our meetings on another week, and it was just moving too many dials. So having our weekly consistency in this meeting at our new time, I think, will be...
K: Hey, sorry, I haven't been participating for a while, I was super busy. So one of the things that I need to think about is that May... It should be interesting for Chaney. We think that there is a new persona, which we kind of call the platform team, that has been discussed internally here at Google. So a lot of the large customers that are looking at hybrid have a team that is responsible for making sure that all the policies they would like to express are available at all those different deployment platforms, and I...
K: ...don't think that is a persona we had on our radar so far, right. We mostly cater to the people that come after that, the people that then use and set those policies. But what do those core platform people do that get tasked, with their bank, and they say, make sure all the deployment options we have allow us to stay compliant. So I'm not sure if we want to extend the personas we look at, but I think there is a distinct thing.
J: Yeah, no, I think that you're spot-on, that that is kind of an emerging persona that we're seeing as well. There's a lot of questions, especially... well, from what I'm seeing, hybrid cloud is really just getting more and more unified, from my perspective, where I'm at, and so it's kind of setting groups up differently than past places that I fit, in terms of a shift of who's your customer and how you need to pay attention to them.
K: Because your customer is then the administrator, right. The customer platform team are the different administrators that you have. But if you say that things are more... I'm sorry, I'm taking over the conversation here; maybe make that a separate point of discussion at some point. But the quick thing: if you say that things are harmonized, are you harmonizing at the CNCF level? So essentially everything you can express in Kubernetes policies, is that good enough?
M: [Unclear], half-asleep in China, focusing on the policy, so I'm the go-to guy if you guys had similar problems as just mentioned by Christian. Yeah, happy to participate today.
N: So I've been busy with kind of both sides of assessment work, though asking a lot of questions, and some of them, I think, in a very Columbo-esque way. So a lot of dumb questions and then just kind of "oh, one more thing, one more thing". And also been chatting with you, Cormac. Thank you for getting the in-toto assessment things together; that's been helpful from our side, so we've...
D: Well, I'm new here, so I'll present myself briefly. I work on... it seems like two or three weeks I've been taking over as a maintainer, so I will be talking about that, probably, and we just released 0.15 that adds support for containerd and fixes a bunch of security issues in Falco itself. So that's my bit for now, and we will figure out what I have to say here in the next meetings.
L: That's what he said. Sorry, that's actually why Lorenzo's on the call. So I actually saw Dan had shared out the meeting minutes today, and I went in and looked at the meeting minutes and saw the mention about Falco, and so I feel like the charter's kind of changed from when we were SAFE to SIG Security now, and so Lorenzo is on the same team as me at Sysdig, as well as another engineer, and we're all dedicated to the Falco project and how we can make it successful within the CNCF.
A: So I'm sorry, I said... I think that we, in becoming SIG Security, that goal happened to coincide with a burst of effort around the security assessments, but at least from my perspective it was not intended to completely shift our focus to security, and we still have a big policy focus. It's just a little quieter now while we're getting these assessments together, but Howard and a bunch of other people have been working on a policy white paper, and we have a whole lot of other aspects of the group.
A: A team is working on developing processes, and OPA is going through... is the first to formally go through this process that we have just defined by doing the in-toto assessment, to kind of create the process. So good timing, and we're excited to have Falco kind of help us through this and be able to come up with artifacts that we hope will be very useful for the cloud native community in assessing security of dependencies and deciding which systems to use in securing their cloud native systems. So, Ash, hit it.
I: You may need to push star six, Marcus. Mute... no.
L: Sure, so we've been really focused on the project.
P: Yes, I was actually playing around a little bit on the security white paper. I'm still assuming that that should be... is still on the agenda at some point. I have not done too much; I have not uploaded anything, but I kind of started playing a little bit, drafting and extending some of the things that are already put there. That's about it. I don't have anything else to report right now. Yeah.
A: The security white paper is definitely something that is often asked about, and I think we started a draft a while back, and as soon as we finish the logistics with the SIG process, then we'll engage with the writer, who said that... who's gonna help us kind of draft and do the editorial around that. But yeah, whatever anybody wants to chime in on the Google Doc, it's linked from an issue, that'd be fabulous. So I'm glad you're thinking about that. Okay.
P: I know, I was thinking, like, if I'm editing offline and extending that thing and so forth, and I don't want to retype it, necessarily, in the Google Doc again, and just upload it, and just for the record purpose, if you want to keep previous versions somehow, something like that, then we may have to have some sort of way of maintaining that without confusing people.
A: So I think that we can do that with version control. If there's some things that you think are... I mean, I think doing things with suggested edits, and then we'll try to merge things that are not contentious or a great debate. And you know, or you could add another section if you feel like it's really a different approach, but I think keeping it in one doc will be easier for people to scrub in on. OK.
A: Please, and do you actually have a link to your slides? Not right now, OK, we'll do that afterwards. I'll put a link to the doc in the notes, but if you would share your screen, that'd be fabulous.
A: Yes, oh, and also, for the new people here, if you go to the SIG Security repo in CNCF, there's a process we're following, a process where a group of us, and it was open to the whole SIG, to do... you know, [unclear] a document. Justin Cappos, who's leading this assessment, went through and asked a lot of, like, sort of quote "dumb questions", clarification questions, and then offline...
F: I'm Ash, a software engineer at Styra, and I'm a core contributor to the Open Policy Agent project. So today we want to make it easy to enforce fine-grained authorization in your systems. So let's get started. In this talk I'll cover a bit about OPA's community, a background about policy, introduce the Open Policy Agent, talk about its features, integrations, use cases, and then we will see a demo on Kubernetes admission control and, finally, a security analysis of OPA.
F: So the project was started in 2016 at Styra, and the goal of the project has been unified policy enforcement across the stack. One of the earliest adopters of OPA was Netflix, and they use OPA for API authorization for their HTTP and gRPC APIs. A company like Medallia uses OPA for risk management in Terraform and [unclear], and there are more than 20 companies using OPA in production for use cases such as admission control, authorization, data protection, data filtering and so on. A little more about the project itself: it's a CNCF project.
F: We have around 59 contributors on GitHub. We have a healthy Slack community of more than 800 members, and just to give you some context, at the beginning of the year we had around 400 members on Slack, and so it's great to see OPA growing and people liking OPA, which is why we have more than 2000 stars on GitHub for the project. And OPA is integrated with more than 20 of the top-most open source projects out there, including a lot of CNCF projects, which we will cover later in the discussion.
F: So what is policy? Policy is a set of rules that govern the behavior of your service, so an example would be authorization policies, network policies and so on. Every organization has policies, and policies are essential for the long-term success of an organization because they encode important knowledge about how to comply with legal requirements, work within technical constraints, avoid repeating mistakes, and so on. And so policy enforcement becomes a really important problem for which we need to have a good solution.
F: So a better model would be to treat policy as a separate concern, like databases, messaging, logging, monitoring. It would be better to think about policy as a separate component in your architecture, and if you do that, if you decouple your policy decisions from policy enforcement, you gain better visibility of policy and security throughout your system, and these are some of the problems that the Open Policy Agent, or OPA, was created to solve.
F: It can be anything. So when this service gets an incoming request, it's going to ask OPA whether this request is allowed or not by executing a query, and so this query can contain the request path, the request method, the request user, basically any JSON. And so OPA is going to evaluate this query based on the policies and the data it has access to, and send a decision back to your service, where it gets enforced. And again...
F: ...the decision can be allow or deny, or it can be any other JSON value. Actually, what I need to emphasize here is that OPA is not tied to any data model or to any domain. As long as you give it some structured data, you can write policies for HTTP APIs, for SSH, sudo, Kafka, because to OPA it's all just data.
N: And so there'll be different security concerns and different potential risks depending on which way this happens, but there's flexibility in the OPA model with this, which means that there are also, sort of, different attack surfaces depending on which of those models is used. Sure.
F: So yeah, so depending on... OPA returns a decision back to your service, and so it does not matter the kind of policies you're trying to enforce; as long as you give OPA some structured data, it's going to make a decision for you, and that is why we say OPA is a general-purpose policy engine. Now, so let's look at some of OPA's features. So at the core of OPA is a high-level declarative language called Rego, and so with Rego you can answer questions like: can user X do this operation?
F: OPA is written in Go, and you can embed it as a library, you can deploy it as a sidecar, or as a host-level daemon. It's designed to be as lightweight as possible, so all the policies and the data it needs for evaluation are stored in memory, and so you can think of OPA as a host-level cache for your policy decisions. Your OPA and your service normally run on the same machine, and this is done so that you have no latency on the request path and you have high availability once OPA is deployed.
F: So OPA will report this via a status API and it will report it in its logs, but it won't do anything like actively stop it from downloading the policies. So it's gonna tell the users, "I'm having a problem connecting to your external service and you need to do something about it", but it won't stop the download. It's gonna keep on trying to download policies from your server unless you do something about it. So...
F: So there is this API which the user can use to check what's going on with OPA itself, what's the status of those bundles or policies downloading. So it's gonna provide all that information to the user, and then the user can do what they want using that information. Okay, and so see how it does not have these dependencies for evaluation. But you can always extend OPA to talk to external services, and speaking of which, so it does provide you some management APIs to download policies and data from a remote server.
F: It also allows you to upload status logs to a remote server, and these status logs include information about OPA itself, as well as the status of the bundles it has downloaded, and also it allows you to upload decision logs to a remote server, and these decision logs contain the policy that was queried, the input that was given to that policy and the result of that policy query, and much more information which you can use for debugging your policies and for offline auditing of your policies. And so, along...
F: Finally, along with the core policy engine, OPA provides a rich set of tooling that you can use to build, test and debug your policies. OPA provides a unit test framework which you can use to test your policies so that you are confident that what you're doing in the policies is what you want. It provides a trace functionality which you can use to see the steps involved in policy evaluation, and also, to make it easy to author policies, OPA provides integrations with editors like VS Code and Vim. And so just to recap...
F: One of the hottest use cases for OPA right now is admission control in Kubernetes, and we will see a demo of this later. And so with admission control you can enforce policies like restricting container images from coming from public repositories, so you can do policies like that with OPA admission control. OPA also has an integration with Terraform, in which you can unit-test Terraform plans before they are actually implemented. With OPA and Docker you can prevent users from running insecure containers.
F: There's also an integration with Ceph, in which you're protecting the data stored in Ceph's object storage. In the Kafka use case, there are certain topics which have high fan-out and you want to prevent corrupt data from being written on those topics, because it will be read by many consumers. So with OPA you can authorize which users are allowed to write on such fan-out topics.
N: I have a question here. So looking at the example of data protection, is OPA stateful in a way? So can it tell if I put in two transactions for 9 million dollars within a second of each other? Does OPA understand that that violates that rule, or is it just there's a single transaction that you need to authorize with your local information?
F: It's going to be a single transaction; it's not going to be stateful. But OPA can take external context into account when making a decision. So if you have this context stored somewhere about the transactions being made per second, or the frequency of those, OPA can take those into account to make the decision for you. But it's not gonna maintain a state for you.
B: I'm just wondering, because it seems, based on the slides, or my understanding is, that you are taking the data from this endpoint, making the decisions as they come in. So if you are relying on certain state, because you do not control the store, it may take some time to propagate the information. So decisions may not take into account the most recent state.
F: Yeah, that's true. It's based on the eventual consistency model, so yeah, you want some time, depending on the frequency of how we are downloading that information, how you're passing it to OPA. It may be eventually consistent, but what you can do is that you can also run OPA in your existing cluster with some policies and you can find out the violations in your cluster. So you can counter that using an audit strategy, because by design it's an eventually consistent model.
F: Yeah, you can also do auditing with OPA, so you can have certain policies which can then inform what's on your cluster, and then the way you write those policies, it's probably to return the violations in your existing cluster based on the policies you've written. So in that way you can kind of audit your existing cluster, if something we shouldn't catch, probably before enforcement.
N: I just want to kind of tie it back to my original question here for a minute. So what can someone meaningfully say about the trade exceeding a certain amount? They can say that an individual trade can exceed that amount. But do you feel that OPA can provide meaningful guarantees to say that the volume of trades executed between 5:00 p.m. and 9:00 a.m....
F: OPA can do that, given the right context. So, like I said, you can feed any kind of context into OPA and it can make a decision on that. So if you have information about this specific trader and what he's been doing over a specific time, and if you give that to OPA, it can use that to make a policy decision. But OPA itself is not gonna know what that trader has been doing over the last given hours or between 9:00 and 5:00.
B: Just thinking, because I feel like this, the situation that Justin Cappos mentioned, it could be [unclear] if you could make a query externally to inform your decision that you're making. So the case where you could query the trading platform and say, if I do a trial run of this trade, will it still...
F: ...work. Right, so this is just a simple example, but you can imagine writing more complex policies, which you probably won't want to do in code. So this is just a simple example of, like, accumulating the policies, but if you want to do something which is more concrete or more fine-grained, I think that is where OPA really shines.
A: I think that maybe I'll just restate it and you can tell me whether I'm restating it correctly: that OPA can take into account any inputs, yet it's all within the context of a single transaction, a single call or query, right. There's a single transaction or call that OPA is given context for, and it evaluates all of the data at that time. And if you wanted to, say, do things over a time window, then you need to keep that state.
F: Okay, so these are some of OPA's integrations, and you can start using OPA with any of these integrations out of the box without having to write any piece of code. So let's look at how OPA actually works. So we've seen this figure before. Basically, your service gets a request, your service queries OPA for a decision, OPA looks at the policy and data it has access to and evaluates the query, and sends a decision back to your service for enforcement.
F: Now, let's say you have a salary service, and this salary service is going to provide information about salaries of employees in a company, and the policy that you want to enforce, in English, says that employees can read their own salary and the salary of anyone they manage. Now, let's see how we can take this policy in English and write it in Rego and implement it in OPA.
F: So, like I said before, your service provides OPA some input, and in this case it could be the request method, it could be the path, it could be the authenticated user who's making the request. And so now let's see how we can take this policy and write some Rego. So to make it easy to get started with OPA and to experiment with Rego policy, we recently launched the Rego Playground.
A: Someone's typing... oh sorry, I should have been on mute. I think that we only have like seven minutes left of our official work time. I wasn't keeping an eye on the check-ins, and I was wondering whether we should pause the presentation, and then you can kind of look forward when it comes to questions, or anything, like, to shift gears a little bit to make use of that last seven minutes. Well, okay.
F: Sure, so let me just give a quick example of policy, and then we can go to the security analysis. So yeah, so we launched the Rego Playground, and the way you write... this is what the playground looks like. You can see some syntax highlighting for Rego code to make it easy to read and debug your code. So the way you read this policy is that allow is true...
F: And so the way you provide input to this policy is by clicking the input button, and now the question you're asking is: can Bob access his own salary? And so now, if I check the output, allow is true, which means Bob can access his own salary, because all the statements in the body of the rule evaluated to true. So now if, say, Alice wanted to access Bob's salary, in that case, if I say Alice and if I evaluate this policy, now it's going to be false, because, like, it is not going to hold true.
F: So this is how you can write, like, a simple policy that says that an employee can see his own salary. The second part was about the managers seeing the salary of their employees. So you can imagine this: you need to tell OPA about this information, like I said, external context, so you can store this information in your LDAP server and have OPA pull it from there, or you can provide it as a JWT token to OPA as well.
F: So this is how you can write a simple policy in OPA, in Rego, using the playground. I'm just gonna skip the use cases. So, like I mentioned before, it's a general-purpose policy engine used for these use cases, and you can use it at different layers of the stack. I'm gonna skip over the admission control use case and the demo, and I'm gonna go directly to the security analysis.
F: So we are going to talk about some attack surfaces for OPA, and so one of them is the vulnerability on initial startup. So when OPA starts up for the first time, it does not contain any policies or data, and you can imagine an attacker can access an unauthorized service while OPA is still loading. To protect against this, we would recommend your services should fail closed if they do not get a 200 reply from OPA, if they don't get the right reply from OPA. That would be one way to...
F: And so we hope that, like, we recommend that your service should basically fail closed in such scenarios, and I think that way you can counter this initial startup vulnerability for OPA. Second is OPA's API security itself. So by default, OPA does not restrict access to any of its REST API endpoints that are used to fetch, create and update policy and data, and it's possible that an attacker can corrupt the policy and data loaded into OPA, thereby bypassing OPA's authorization checks altogether.
F: The attack surface could be the bundle feature compromised. So yeah, as you guys know, OPA can be configured to fetch policy and data from remote HTTP servers using its bundle feature. Now, the files inside that bundle are tar.gz compressed, and an attacker who has access to that remote server can cause a denial of service by providing a bundle file that will consume the OPA server's memory and therefore crash OPA.
N: I think there's bigger problems here, because I think we talked about this earlier, but as I understand it, if the party gets here, they can also add, change, remove anything they like with OPA policies, which presumably is very bad, if I'm getting this, unless I'm misunderstanding something. Sure.
F: So that's why, that's why we... you can protect OPA's API itself. So when you have that sort of authorization policy in OPA, you can prevent access to certain parts of the policy and actions certain users can take. So in this way you can prevent, like, a Bob from updating a policy, for example. Basically, so I would assume that if you want to secure OPA, if you want to secure the deployment itself, you would have, like, an authorization policy which prevents certain APIs, and that's...
F: So again, OPA does not... OPA assumes that the user is authenticated, right. OPA's not trying to solve the problem of authentication. So it's going to verify the identity that you provide for Bob and it's gonna give Bob the roles that you have set in the authorization policy. So it's on the user how they define this authorization policy. OPA is not gonna make any kind of assumptions about Bob. So it's how you define that authorization policy, and it's how you provide the identity of Bob to OPA to make that decision.
N: Yeah, we're in kind of a sticky situation here. I don't really know the best way to handle this. We could try to continue for a bit. I think of those who have had questions: are there people doing the assessment, are there people that have, like, burning questions that they have yet to ask? Are there a lot of them?
H: So, for example, I mean, I know that AWS have had a lot of experience where their IAM policies... people write a large number of bugs, and they can tell this because people have policies that can have large match statements that can never be true, for example. So they know they must be buggy, because people don't tend to write dead code in policies. And OPA is very unopinionated about your policies. It doesn't even have a default deny clause or anything along those lines, and therefore it's very prone to potentially people writing...
H: ...buggy policies, because, I mean, also the JSON is untyped. So you have no idea if you've actually chosen the right bit of the input data to match against; it'll just kind of potentially just give you an empty set, which could lead to a sort of cascading failure here as well. And I understand it does have tests, which is great as a built-in thing, which kind of helps. But this has definitely been an area which elsewhere has been a very large problem.
N: Also, I'd like to say I'm skeptical that formal verification is the right tool for what you're doing now. I even think there's a lot of usability things that I saw when the... oh gosh, I've forgotten his name again, that fellow did the very nice talk in the panel that a lot of us were in, in the security session at DockerCon, that yeah, they...
N: Okay, so he did a very nice demo, and I think there were a lot of areas there in things he did, and even just, like, watching that as an outsider, there's a lot of sort of usability things in areas where it's like, oops, I made this error, and oops, oh, this happened because of this sort of thing. So I even think that kind of shoulder-surfing exercises to pick out, fix a lot of the more obvious and initial pitfalls.
F: Right, so one thing we normally recommend, along with unit testing, to be confident of your policies, is that you have, like, a denial rule, and then you do a bunch of whitelists. So you have, like, a top-level denial or something like that. We would deny everything by default, and then you have specific of these least-privilege rules that you put in the policy.
N: It can help, like, recommendations are nice, but like giving people access to go off the rails right away and just saying, oh yeah, you know, yes, it looks really pretty here and whatever else, but you can just fall right off the edge. Putting some safety rails in place, making it hard for people to shoot themselves in the foot, is, I think, would help, and I don't think it would necessarily be that hard to do, because I... Justin's or Max's concern that there are a lot of...
N: It's like PHP versus Rust. Like, you can blame PHP programmers for writing buggy code, and you can say, well, you know, Rust, like this Joe who writes Rust code must be a much better security person because he doesn't have a lot of the same problems, but the languages themselves make such a big difference that, yeah, I think there's some meaningful things here, and so there are some things that could make OPA less PHP and more Rusty, in ways. And so...
F: That's one thing that we are gonna come up with soon: a library of policies which users can use, like these bunch of common policies that we've seen users ask for, and they can then just parameterize those policies based on their specific use case. So I think that can kind of help in making the errors less during writing policy by the user itself, just for getting started, I guess. Yeah.