►
Description
Executing Policies within CD Pipelines with OPA - AbdulBasit Kabir, Interswitch
It is common for organizations to have policies guiding their SDLC. Policies like who can deploy & approve, deployment windows, allowed artifact source, mandatory approval steps, and much more. These policies are most often hardcoded during tools setup or enforced through reliance on the goodwill people following "standard" practices. We all know that's not always the case. Policy engines like OPA (Open Policy Agent) help automate the enforcement of policies (defined as code). This talk covers some basics of OPA and policy enforcement within Continuous Delivery
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
A
Every
delivery
is
done
in
line
with
some
certain
practice
and
that
and
those
practices
are
well
known
within
the
group
that
engages
in
the
delivery.
This
is
what
we
refer
to
as
tribal
knowledge,
but
as
any
group
grows
in
frequency
and
size,
private
knowledge
gets
pushed
to
its
limits.
It
doesn't
scale.
Well,
it
doesn't
it
driver
knowledge
doesn't
have
any
guarantees
and
also
it's
difficult
to
maintain.
A
When
these
principles
are
formalized
in
a
wiki
or
a
document,
a
policy
document,
then
you
have
something:
that's
more
structured,
something
that's
it's
easy
to
maintain,
but
at
the
same
time,
policies
defined
in
a
wiki
or
in
a
policy
document
are
not
they're.
Not
they
don't
have
any
enforcement
guarantees.
A
A
A
Basically,
what
we
need
is
a
decision
engine
as
we
move
from
private
knowledge,
which
is
less
structured
and
has
less
control
and
will
most
likely
need
to
be
enforced
manually.
So
that's
relying
on
everybody
to
do
the
right
thing
or
making
someone
else
go
and
check
whether
the
right
things
have
been
done.
A
We
move
through
wiki,
creating
your
wiki,
creating
a
policy
document
that
defines
all
the
policies.
So
at
least
now
the
policies
are
well
defined,
they're
easy
to
maintain,
but
enforcement's
us
also
has
to
be
manual.
We
put
hard
code
the
policies
into
the
tool
into
the
setup
of
the
tool
or
into
our
pipelines.
A
A
A
A
A
A
A
A
A
A
That
applications
must
not
be
deployed
on
weekdays
between
9am
and
4pm,
so
no
deploy
between
that
window
between
the
9am
and
4pm
window
on
weekdays,
only
fully
approved
service
request
tickets
can
be
deployed
if
you
are
using
a
ticketing
system
to
log
your
changes.
Only
a
fully
approved
ticket
can
be
used
in
a
deployment
and
terraform
plans
by
developers
must
not
have
a
delete
action
on
any
resource
other
than
a
vm.
A
A
A
There
you
go,
you
would
have
this
policy
something
like
this,
and
you
can
check
there's
a
lot
of
documentation
on
the
openpolicyagent.org
website
on
how
to
write
up
your
your
policy.
Your
regular
files,
a
policy
that
enforces
no
deployments
between
9
am
to
4
pm
on
weekdays
needs
to
know
whether
whether
today
is
a
weekday,
so
it
basically
chooses
the
current
timing
needs
to
know
whether
today
is
a
weekday.
So
as
long
as
it's
not
a
saturday,
it's
not
a
sunday,
then
it's
a
weekday
also
it
needs
to
it
needs
to
know
the
time.
A
So
there's
a
there's:
this
cool
tool
called
the
regular
playground
where
you
can
test
any
and
validate
any
of
your
policies
before
you
apply
it.
It's
at
play.openpolicyagent.org,
so
just
copy
it
and
paste.
It
here
paste
your
policy
here.
If
you
need
any
inputs
and
for
this
particular
policy
we
don't
need
any
input.
You
can
evaluate
it.
A
A
A
A
A
A
A
So,
let's
see
the
policy,
so
if
you
follow
the
documentation
on
setting
up
your
as
a
pod
running
early
as
a
part
in
the
kubernetes,
then
you
can
easily
add
the
policies
via
config
files
and
that's
what
I
have
here
so
the
same
the
time
slot
policy
that
we
had
we
saw
in
rego
file.
That's
what
we
have
here
in
as
a
config
file.
A
A
A
A
A
A
A
So
how
do
we
get
the
policy
decision
to
get
the
policy
decision?
We
can
also
use
the
curl,
so
this
is
using
the
curve.
You
can
basically
use
any
tool
and
just
add
a
web
hook
stage
that
makes
the
policy
call
to
oper
to
get
the
policy
decision.
Once
you
have
that
policy
decision,
then
you
can
decide
what
to
do
with
it.
A
So
using
a
call
command
to
get
the
policy
decision
for
the
same
policy
we
just
added-
and
this
is
exactly
what
we
had
when
we
had
when
we
tried
to
get
the
policy
decision
on
the
regular
playground
or
deny
using
the
nine
to
using
the
nine
to
four.
So
let's
make
a
modification
and
change
it
to
and
and
change
it
to
well,
two.
A
A
A
A
A
A
Okay
policy:
now
we
can
deploy
so
now
to
add
the
policy
to
to
the
to
a
pipeline,
and
that
can
be
done
still
on
the
enterprise
platform.
So
you
go
to
setup
here.
You'll
see
a
list
of
several
pipelines,
several
applications,
sorry
and
you
edit,
a
particular
application.
So
we'll
use
the
test
pipeline.
A
A
A
A
A
A
And
this
will
pass
here
success,
so
this
is
something
you
can
easily
do
in
your
pipeline.
Make
this
stage
a
pretty
precise
understate
so,
except
if
until
this
stage
passes
the
next
stage,
wouldn't
we
wouldn't
run
at
all
and
you
can
easily
block
all
policy
violations
using
this.
So
you
can
see
we've
described,
we've
explained
how
you
can
use
policy,
add
policies
to
your
pipelines
and
hopefully
you'll,
go
out
check
the
open
policy
documentation
and
explore
more
on
what
you
can
do
with
policies
that
the
possibilities
are
limitless.
B
So,
thank
you,
everyone
for
joining
joining
the
session.
If
you
have
any
questions
I'll
be
here
to
answer
so
there
are
some
charts
that
were
going
on
in
some
discussions
going
on
the
chat.
But
let
me
start
first
by
answering
the
question:
the
q,
a
tab
hi.
Thank
you
for
your
talk.
Is
there
a
way
to
use
oppa
to
limit
the
origin
of
docker
images
that
are
allowed
to
running
inside
the
kubernetes
cluster.
A
Yes,
you
could
use
opera
as
gatekeeper,
so
there's
this.
What
I
called
so
opera
can
be
deployed
as
an
admission
workbook
using
the
gatekeeper
project
and
that
will
limit.
What's
with
that,
you
can
set
limit
on
what
can
run
in
your
kubernetes
clusters.
However,
the
parts
of
the
focus
of
this
talk
was
to
look
at
where
opera
fits
in
in
the
ci
cd
pipeline,
your
cd
pipeline,
and
to
so
you
can,
instead
of
just
stop
stopping
the
docker
images
at
the
end.
A
At
the
point
of
deployment,
you
could
stop
them
all
the
way
at
the
beginning,
when
the
code
is
committed
to
to
your
git
repository
and
you
you
can,
you
can
use
this
there's
another
project.
I
think
it's
conf
test
I'll
put
that
in
chat
so
confidence.
You
can
use
that
to
to
check
what
gets
them
pushed
into
your
kits
repository
and
you
run
them
against
some
policies.
A
Github's,
it's
something
that
I've!
That's
that's!
That's
very
interesting
and
I've
looked
into
it,
but
currently
you
are
not
adopting
that
so
ops
mx
doesn't
have
a
way
to
load
open
policies
directly
from
git.
If
I'm
getting
leave,
ui
is
this
manual
or
do
you
have
any
recommendation,
a
recommended
way
to
manage
this
with
fashion
control
and
automatically
so
I've
discussed
with
the
object
max
team
and
I
knew
them
having
policy
from
your
policy
version
in
any,
maybe
a
triple
it's
something
that
they're
looking
into
as
part
of
the.
A
A
So
one
more
minute,
do
you
deploy
outside
cuba
interest
clusters
right
now?
Yes,
we
deploy
the
psyche
ventures,
clusters
and
what
I
should
which
opera,
with
our
policy
with
our
pipelines.
That
would
work
whether
or
not
we're
deploying
to
cabinets
or
not.
So
basically,
it
works
on
the
pipeline,
not
not
not
where
you're
deploying.