The presentation discusses the need for a secure software supply chain for Open Policy Agent (OPA) policies and how to achieve it using the policy CLI, Open Policy Containers project, OCI, and Cosign.
- OPA policies are becoming important application lifecycle artifacts and need to be secured
- The Open Container Initiative (OCI) can be used to contain OPA policies as OCI containers
- The Open Policy Containers project provides the Docker workflow for building, tagging, and pushing OPA policies
- Cosign can be used to sign and verify OPA policy container images
- To use OPA policy container images, a new service of type OCI needs to be created and the container image passed in as a resource
The presenter demonstrated how to use the policy CLI to create a sample OPA policy, build a policy image, and push it to a container registry. They also showed how to use Cosign to sign and verify the container image. Finally, they explained how to tell OPA to use the container image by creating a new service of type OCI and passing in the container image as a resource.
Open Policy Agent (OPA) is gaining widespread acceptance as a mature decision engine for enforcing policies in a variety of domains, including Kubernetes admission control (Gatekeeper), configuration file policies (Conftest), and application / API authorization (Topaz). Indeed, OPA policies are becoming an integral part of the cloud-native software supply chain. Security and operations teams have tools for packaging and signing application artifacts, and they need the same capabilities for OPA policies. This lighting talk will describe how to build, tag, and sign OPA policies as OCI containers using the policy CLI, an open source tool that is part of the Open Policy Registry (OPCR) project. The policy CLI can be used to pull and push OPA policies OCI-compliant registries, such as OPCR, GHCR, Docker, or AWS Container Registry. Finally, OPA can now natively pull policy bundles from OCI artifact registries.