⚡ Lightning Talk: A Secure Software Supply Chain for Open Policy Agency (OPA) Policies
Conference: Cloud Native SecurityCon North America 2023
Authors: Omri Gazitt
Summary
The presentation discusses the need for a secure software supply chain for Open Policy Agent (OPA) policies and how to achieve it using the policy CLI, Open Policy Containers project, OCI, and Cosign.
- OPA policies are becoming important application lifecycle artifacts and need to be secured
- The Open Container Initiative (OCI) can be used to contain OPA policies as OCI containers
- The Open Policy Containers project provides the Docker workflow for building, tagging, and pushing OPA policies
- Cosign can be used to sign and verify OPA policy container images
- To use OPA policy container images, a new service of type OCI needs to be created and the container image passed in as a resource
Abstract
Open Policy Agent (OPA) is gaining widespread acceptance as a mature decision engine for enforcing policies in a variety of domains, including Kubernetes admission control (Gatekeeper), configuration file policies (Conftest), and application / API authorization (Topaz). Indeed, OPA policies are becoming an integral part of the cloud-native software supply chain. Security and operations teams have tools for packaging and signing application artifacts, and they need the same capabilities for OPA policies. This lighting talk will describe how to build, tag, and sign OPA policies as OCI containers using the policy CLI, an open source tool that is part of the Open Policy Registry (OPCR) project. The policy CLI can be used to pull and push OPA policies OCI-compliant registries, such as OPCR, GHCR, Docker, or AWS Container Registry. Finally, OPA can now natively pull policy bundles from OCI artifact registries.
Materials:
Tags: