KubeCon + CloudNativeCon Europe 2023

Deployment is an important part of the software development life cycle. The New York Times had an even more ambitious goal: build a self-service platform that allowed developers to deploy with autonomy. But managing multi-tenant deployments securely is a difficult task. And while top-down checks were configured in Kubernetes and ArgoCD itself that disallowed certain resource creation or access, engineers wanted to ensure there were proper checks in place to make sure no excessive permissions or bad practices, such as latest images, got checked into the source code of the ArgoCD app-of-apps architecture itself. Enter OPA conftest. OPA conftest allows for policies and testing against structured configuration at the PR level, before any code is merged. By narrowing the scope of allowed declarative permissions, the CICD team at NYT was able to take a "trust, but verify" approach to deployment, safeguarding systems while also giving feature developers the autonomy they needed to self-service deploy their applications. In this presentation, the speakers will go through policy set-up, best practices, and implementation within a greater GitOps mindset.

Dates

Author

Conferences

Tags

Automating Configuration and Permissions Testing for GitOps with OPA Conftest

tldr - powered by Generative AI