Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Based CI/CD

0 likes•169 views

This document discusses using Open Policy Agent (OPA) to enhance compliance and governance in CI/CD pipelines. It introduces OPA as a general-purpose policy engine that uses a declarative policy language to decouple application logic from policy decisions. The document explains how OPA works, including its Rego policy language and built-in functions. It provides examples of using OPA for tasks like validating Kubernetes manifests and Terraform configuration changes.

Technology

Enhance Your Compliance and Governance
With Policy-Based CI/CD
Continuous Lifecycle & Container Conf 2021

Nico Meisenzahl
• Senior Cloud & DevOps Consultant at white duck
• Microsoft MVP, GitLab Hero
• Cloud Native, Kubernetes & Azure
© white duck GmbH 2021
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

Agenda
• Why do we need compliance and governance in CI/CD?
• What is Open Policy Agent and how does it work?
• How to get started – demo time
© white duck GmbH 2021

Why do we need governance?
• Regulatory compliance: comply with relevant laws,
policies, and regulations
• Standards: adhere to established and standard
requirements
• Contractual commitments: like vendor agreements,
customers contracts
• Corporate requirements: rules and policies defined by the
company to comply with its needs
© white duck GmbH 2021

Compliance and governance in CI/CD?
Shift Left!
• rises awareness
• defines the “how” around the “what” of the pipeline
• security and compliance gates
• ensures requirements are always met
© white duck GmbH 2021

Open Policy Agent (OPA)
“policy-based control for cloud native environments”
• general-purpose policy engine across your stack
• graduated CNCF project introduced by styra
• declarative policy language
• decoupled the application logic from policy decisions
• REST API with sidecar or daemon
• Golang library or Wasm module
• provides APIs for easy management
© white duck GmbH 2021

Ecosystem
• API and service authorization with Envoy, Kong, Traefik, …
• authorization policies for SQL, Kafka, …
• container network authorization with Istio and Linkerd
• test policies for Terraform infrastructure changes
• policies for SSH and sudo
• policy and governance for Kubernetes
• and many more
• https://www.openpolicyagent.org/docs/latest/ecosystem
© white duck GmbH 2021

Rego
• “ray-go”
• declarative Policy Language
• ”is Nico allowed to POST a payload to /api?”
• rules commonly return true/false
• but may return any value
• 140+ build-in functions
• date/time, string, ...
• Regex
• JWT validation
© white duck GmbH 2021

How to get started
• OPA playground
• https://play.openpolicyagent.org
• docs
• https://www.openpolicyagent.org/docs
• OPA CLI
• opa run (server)
• opa eval (swiss-army knife)

Demos
• Terraform change validation with GitLab CI/CD
• Kubernetes manifest security validation with GitHub Actions
• further samples
• dependency deny list
• https://play.openpolicyagent.org/p/b0n6CHElcw
• Kubernetes Ingress validation
• https://play.openpolicyagent.org/p/5o1UFjIl0S
© white duck GmbH 2021

Questions?
• Slides: https://www.slideshare.net/nmeisenzahl
• Demos:
• https://gitlab.com/nico-meisenzahl/demo-opa-terraform-validation
• https://github.com/nmeisenzahl/demo-opa-cicd-validation
© white duck GmbH 2021
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

More Related Content

PDF

Policy & Governance für KubernetesNico Meisenzahl

PDF

Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

PDF

azdevcom - Hijack a Kubernetes ClusterNico Meisenzahl

PDF

Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Nico Meisenzahl

PDF

Die Evolution von Container Image BuildsNico Meisenzahl

PDF

Continuous Lifecycle: Hijack KubernetesNico Meisenzahl

PDF

GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...Nico Meisenzahl

PDF

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl

Policy & Governance für KubernetesNico Meisenzahl

Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

azdevcom - Hijack a Kubernetes ClusterNico Meisenzahl

Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Nico Meisenzahl

Die Evolution von Container Image BuildsNico Meisenzahl

Continuous Lifecycle: Hijack KubernetesNico Meisenzahl

GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...Nico Meisenzahl

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl

What's hot (20)

PDF

Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureNico Meisenzahl

PDF

Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Nico Meisenzahl

PDF

GitLab Commit: Enhance your Compliance with Policy-Based CI/CDNico Meisenzahl

PDF

Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Nico Meisenzahl

PDF

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?Nico Meisenzahl

PDF

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...Nico Meisenzahl

PPTX

FestiveTechCalendar2021 - Have Yourself An Azure Container RegistryPhilip Welz

PDF

EVE Microservices PlatformAlaa Qutaish

PDF

Global Azure Bootcamp: Container, Docker & Kubernetes BasicsNico Meisenzahl

PDF

Dutchcontainerdays4bakker

PDF

KCD Guatemala - Abstracciones sobre AbstraccionesMauricio (Salaboy) Salatino

PDF

DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon

PDF

MadridJug From Monolith to k8s with Jenkins X and ZeebeMauricio (Salaboy) Salatino

PDF

Orchestrating MicroservicesMauricio (Salaboy) Salatino

PDF

Developing and Deploying Microservices with Project TyeEran Stiller

PDF

Introduction to DockerSiu Tin

PDF

Create A Mapping Web PartTom Resing

PPTX

Secure Your Apps with NGINX Plus and the ModSecurity WAFNGINX, Inc.

PDF

TechWiseTV Workshop: Cisco Developer ProgramRobb Boyd

PPTX

[AzureCamp 24 Juin 2014] Témoignage de Conuxio par Arnaud LecoufleMicrosoft Technet France

Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureNico Meisenzahl

Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Nico Meisenzahl

GitLab Commit: Enhance your Compliance with Policy-Based CI/CDNico Meisenzahl

Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Nico Meisenzahl

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?Nico Meisenzahl

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...Nico Meisenzahl

FestiveTechCalendar2021 - Have Yourself An Azure Container RegistryPhilip Welz

EVE Microservices PlatformAlaa Qutaish

Global Azure Bootcamp: Container, Docker & Kubernetes BasicsNico Meisenzahl

Dutchcontainerdays4bakker

KCD Guatemala - Abstracciones sobre AbstraccionesMauricio (Salaboy) Salatino

DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon

MadridJug From Monolith to k8s with Jenkins X and ZeebeMauricio (Salaboy) Salatino

Orchestrating MicroservicesMauricio (Salaboy) Salatino

Developing and Deploying Microservices with Project TyeEran Stiller

Introduction to DockerSiu Tin

Create A Mapping Web PartTom Resing

Secure Your Apps with NGINX Plus and the ModSecurity WAFNGINX, Inc.

TechWiseTV Workshop: Cisco Developer ProgramRobb Boyd

[AzureCamp 24 Juin 2014] Témoignage de Conuxio par Arnaud LecoufleMicrosoft Technet France

Similar to Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Based CI/CD (20)

PDF

Docker Rosenheim Meetup: Policy & Governance for KubernetesNico Meisenzahl

PDF

Dynamic Authorization & Policy Control for Docker EnvironmentsTorin Sandall

PDF

Addressing Cloud Security with OPADiemShin

PDF

Cloud Native User Group: Shift-Left Testing IaC With PaCsmalltown

PPTX

Open Policy Agent for governance as a code Alexander Tokarev

PDF

Dynamic Policy Enforcement for Microservice EnvironmentsNebulaworks

PDF

DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man

PPTX

Cloud native policy enforcement with Open Policy AgentLibbySchulze

PDF

Defining & Enforcing Policies the GitOps WayWeaveworks

PPTX

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays

PPTX

OPA APIs and Use Case SurveyTorin Sandall

PDF

AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong

PDF

Open Policy AgentTorin Sandall

PDF

Ronen Levinson: Unified policy enforcement with opa - Architecture Next 20CodeValue

PDF

Engineering Continuous Security and ComplianceQAware GmbH

PDF

Continuous compliance using data and codeErkang Zheng

PDF

A DevOps Mario Developer Game Challenge with GRCBMK Lakshminarayanan

PDF

SOA Governance in Action REST and WS Architectures Jos Dirksenmpenaboyaro

PDF

Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityWeaveworks

PDF

Optimizing the Ops in DevOpsGordon Haff

Docker Rosenheim Meetup: Policy & Governance for KubernetesNico Meisenzahl

Dynamic Authorization & Policy Control for Docker EnvironmentsTorin Sandall

Addressing Cloud Security with OPADiemShin

Cloud Native User Group: Shift-Left Testing IaC With PaCsmalltown

Open Policy Agent for governance as a code Alexander Tokarev

Dynamic Policy Enforcement for Microservice EnvironmentsNebulaworks

DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man

Cloud native policy enforcement with Open Policy AgentLibbySchulze

Defining & Enforcing Policies the GitOps WayWeaveworks

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays

OPA APIs and Use Case SurveyTorin Sandall

AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong

Open Policy AgentTorin Sandall

Ronen Levinson: Unified policy enforcement with opa - Architecture Next 20CodeValue

Engineering Continuous Security and ComplianceQAware GmbH

Continuous compliance using data and codeErkang Zheng

A DevOps Mario Developer Game Challenge with GRCBMK Lakshminarayanan

SOA Governance in Action REST and WS Architectures Jos Dirksenmpenaboyaro

Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityWeaveworks

Optimizing the Ops in DevOpsGordon Haff

More from Nico Meisenzahl (18)

PDF

Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsNico Meisenzahl

PDF

Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

PDF

Festive Tech Calendar: Festive time with AKS networkingNico Meisenzahl

PDF

ContainerConf 2022: Hijack KubernetesNico Meisenzahl

PDF

ContainerConf 2022: Kubernetes is awesome - but...Nico Meisenzahl

PDF

KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

PDF

KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

PDF

Cloud Love Conference: Kubernetes is awesome, but...Nico Meisenzahl

PDF

How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

PDF

Container Days: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

PPTX

Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

PDF

Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

PDF

Microsoft DevOps Forum 2021 – DevOps & SecurityNico Meisenzahl

PDF

GitHub Actions 101Nico Meisenzahl

PDF

Azure Rosenheim Meetup: Azure Service OperatorNico Meisenzahl

PDF

Azure Service Operator - Provision Your Resources in a Cloud-Native WayNico Meisenzahl

PDF

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasNico Meisenzahl

PDF

DevOpsCon London: How containerized Pipelines can boost your CI/CDNico Meisenzahl

Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsNico Meisenzahl

Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

Festive Tech Calendar: Festive time with AKS networkingNico Meisenzahl

ContainerConf 2022: Hijack KubernetesNico Meisenzahl

ContainerConf 2022: Kubernetes is awesome - but...Nico Meisenzahl

KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

Cloud Love Conference: Kubernetes is awesome, but...Nico Meisenzahl

How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl

Container Days: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl

Microsoft DevOps Forum 2021 – DevOps & SecurityNico Meisenzahl

GitHub Actions 101Nico Meisenzahl

Azure Rosenheim Meetup: Azure Service OperatorNico Meisenzahl

Azure Service Operator - Provision Your Resources in a Cloud-Native WayNico Meisenzahl

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasNico Meisenzahl

DevOpsCon London: How containerized Pipelines can boost your CI/CDNico Meisenzahl

Recently uploaded (20)

PPTX

What-is-the-World-Wide-Web -- Introductiontonifi9488

PPTX

The Future of AI & Machine Learning.pptxpritsen4700

PDF

NewMind AI Weekly Chronicles - July'25 - Week IVNewMind AI

PDF

Make GenAI investments go further with the Dell AI FactoryPrincipled Technologies

PDF

Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdfPrecisely

PDF

Brief History of Internet - Early Days of Internetsutharharshit158

PDF

SparkLabs Primer on Artificial Intelligence 2025SparkLabs Group

PDF

OFFOFFBOX™ – A New Era for African Film | Startup Presentationambaicciwalkerbrian

PDF

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

PDF

Structs to JSON: How Go Powers REST APIsEmily Achieng

PDF

AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...Sandesh Rao

PDF

Economic Impact of Data Centres to the Malaysian Economyflintglobalapac

PDF

MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdfNeo4j

PDF

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

PPTX

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

PDF

Orbitly Pitch Deck｜A Mission-Driven Platform for Side Project Collaboration (...zz41354899

PDF

CIFDAQ's Market Wrap : Bears Back in Control?CIFDAQ

PDF

Tea4chat - another LLM Project by Kerem Atama0m0rajab1

PDF

Doc9.....................................SofiaCollazos

PDF

Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGISSafe Software

What-is-the-World-Wide-Web -- Introductiontonifi9488

The Future of AI & Machine Learning.pptxpritsen4700

NewMind AI Weekly Chronicles - July'25 - Week IVNewMind AI

Make GenAI investments go further with the Dell AI FactoryPrincipled Technologies

Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdfPrecisely

Brief History of Internet - Early Days of Internetsutharharshit158

SparkLabs Primer on Artificial Intelligence 2025SparkLabs Group

OFFOFFBOX™ – A New Era for African Film | Startup Presentationambaicciwalkerbrian

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

Structs to JSON: How Go Powers REST APIsEmily Achieng

AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...Sandesh Rao

Economic Impact of Data Centres to the Malaysian Economyflintglobalapac

MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdfNeo4j

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

Orbitly Pitch Deck｜A Mission-Driven Platform for Side Project Collaboration (...zz41354899

CIFDAQ's Market Wrap : Bears Back in Control?CIFDAQ

Tea4chat - another LLM Project by Kerem Atama0m0rajab1

Doc9.....................................SofiaCollazos

Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGISSafe Software

Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Based CI/CD

1. Enhance Your Compliance and Governance With Policy-Based CI/CD Continuous Lifecycle & Container Conf 2021

2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2021 Phone: +49 8031 230159 0 Email: [email protected] Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

3. Agenda • Why do we need compliance and governance in CI/CD? • What is Open Policy Agent and how does it work? • How to get started – demo time © white duck GmbH 2021

4. Why do we need governance? • Regulatory compliance: comply with relevant laws, policies, and regulations • Standards: adhere to established and standard requirements • Contractual commitments: like vendor agreements, customers contracts • Corporate requirements: rules and policies defined by the company to comply with its needs © white duck GmbH 2021

5. Compliance and governance in CI/CD? Shift Left! • rises awareness • defines the “how” around the “what” of the pipeline • security and compliance gates • ensures requirements are always met © white duck GmbH 2021

6. Open Policy Agent (OPA) “policy-based control for cloud native environments” • general-purpose policy engine across your stack • graduated CNCF project introduced by styra • declarative policy language • decoupled the application logic from policy decisions • REST API with sidecar or daemon • Golang library or Wasm module • provides APIs for easy management © white duck GmbH 2021

8. Ecosystem • API and service authorization with Envoy, Kong, Traefik, … • authorization policies for SQL, Kafka, … • container network authorization with Istio and Linkerd • test policies for Terraform infrastructure changes • policies for SSH and sudo • policy and governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem © white duck GmbH 2021

9. How OPA works

10. How OPA works

11. Rego • “ray-go” • declarative Policy Language • ”is Nico allowed to POST a payload to /api?” • rules commonly return true/false • but may return any value • 140+ build-in functions • date/time, string, ... • Regex • JWT validation © white duck GmbH 2021

12. How OPA works

13. How to get started • OPA playground • https://play.openpolicyagent.org • docs • https://www.openpolicyagent.org/docs • OPA CLI • opa run (server) • opa eval (swiss-army knife)

14. Demos • Terraform change validation with GitLab CI/CD • Kubernetes manifest security validation with GitHub Actions • further samples • dependency deny list • https://play.openpolicyagent.org/p/b0n6CHElcw • Kubernetes Ingress validation • https://play.openpolicyagent.org/p/5o1UFjIl0S © white duck GmbH 2021

15. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demos: • https://gitlab.com/nico-meisenzahl/demo-opa-terraform-validation • https://github.com/nmeisenzahl/demo-opa-cicd-validation © white duck GmbH 2021 Phone: +49 8031 230159 0 Email: [email protected] Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org