
Automating Configuration and Permissions Testing for GitOps with OPA Conftest

2023-04-20

Authors: Eve Ben Ezra


Summary

The presentation discusses the importance of continuous feedback and policy enforcement in DevOps and cybersecurity, using OPA Conftest and Rego.
  • Continuous feedback is crucial in the development life cycle to ensure compliance and prevent drift from the declared state.
  • Policies should be easy to access and should give feedback early and continuously.
  • OPA Conftest and Rego can be used to write policies and enforce compliance.
  • An example policy prohibits the use of the latest tag for container images in non-dev environments.
  • An anecdote is given about the difficulty of convincing developers to onboard to a shared cluster if the process is too complicated.
Prior to the internal developer platform at the New York Times, teams were deploying to and managing their own infrastructure. If the process of implementing policies and receiving feedback was too complicated, it would be harder to convince them to onboard and give the shared cluster a shot.

Abstract

Deployment is an important part of the software development life cycle. The New York Times had an even more ambitious goal: build a self-service platform that allowed developers to deploy with autonomy. But managing multi-tenant deployments securely is a difficult task. And while top-down checks were configured in Kubernetes and ArgoCD itself that disallowed certain resource creation or access, engineers wanted to ensure there were proper checks in place to make sure no excessive permissions or bad practices, such as latest images, got checked into the source code of the ArgoCD app-of-apps architecture itself. Enter OPA Conftest. OPA Conftest allows for policies and testing against structured configuration at the PR level, before any code is merged. By narrowing the scope of allowed declarative permissions, the CI/CD team at NYT was able to take a "trust, but verify" approach to deployment, safeguarding systems while also giving feature developers the autonomy they needed to self-service deploy their applications. In this presentation, the speakers will go through policy set-up, best practices, and implementation within a greater GitOps mindset.
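The example policy named in the summary (no latest-tagged images outside dev environments), written as a Conftest policy in Rego. This is an added illustration, not the policy shown in the talk or used at the New York Times. It assumes a label convention (metadata.labels.env set to "dev" or "development" marks a dev manifest) and checks Deployment, StatefulSet, DaemonSet and Job workloads; both are assumptions for this example. It also covers two cases the one-line rule "no latest tag" leaves implicit: an image with no tag at all, which Kubernetes treats as :latest, and a registry port such as registry.internal:5000/app, which contains a colon but is not a tag.

```rego
package main

import rego.v1

# Label values this example treats as a dev environment (assumed convention).
dev_envs := {"dev", "development"}

# Undefined when the label is absent, so unlabeled manifests are treated as non-dev.
is_dev if {
    input.metadata.labels.env in dev_envs
}

# Last path segment of an image reference, so a registry port
# ("registry.internal:5000/team/app") is not mistaken for a tag.
ref_name(image) := parts[count(parts) - 1] if {
    parts := split(image, "/")
}

# Digest-pinned references (...@sha256:...) are immutable and pass.
digest_pinned(image) if contains(image, "@")

# Case 1: no tag at all; the runtime defaults to :latest.
unpinned(image) if {
    not digest_pinned(image)
    not contains(ref_name(image), ":")
}

# Case 2: an explicit :latest tag.
unpinned(image) if {
    not digest_pinned(image)
    parts := split(ref_name(image), ":")
    parts[count(parts) - 1] == "latest"
}

# Workload kinds whose pod template lives at spec.template (assumption for this example;
# CronJob nests it under spec.jobTemplate and is not covered here).
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Every container, init containers included.
containers contains c if {
    input.kind in workload_kinds
    some c in input.spec.template.spec.containers
}

containers contains c if {
    input.kind in workload_kinds
    some c in input.spec.template.spec.initContainers
}

# Conftest reports each deny message as a failure, which fails the PR check.
deny contains msg if {
    not is_dev
    some c in containers
    unpinned(c.image)
    msg := sprintf(
        "%s/%s: container %q uses unpinned image %q; pin a version tag or digest",
        [input.kind, input.metadata.name, c.name, c.image],
    )
}
```

Placed under the policy/ directory that Conftest reads by default, the check runs with `conftest test <manifest.yaml>` against rendered manifests in CI. The rule is fail-closed on the environment label: a manifest with no env label is treated as non-dev and must pin its images, which is the safer default when the label is forgotten.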

Materials: