»Building flexible policy with OPA and Kubernetes«
2019-05-18, 10:40–11:10, Main Hall

Have you ever been asked the question "How do we make sure Kubernetes resources conform to our internal policies and procedures?" In this session we introduce how you can audit, validate and mutate Kubernetes resources based on custom semantic rules during create, update, and delete operations, without recompiling or reconfiguring the Kubernetes API server, using Gatekeeper, a policy controller for Kubernetes.

Every organization has rules, whether it is that every resource must carry a specific label or that only images from approved container registries may be used. Some of these rules or policies are essential to meet governance or legal requirements, and some are based on lessons learned from past incidents. Gatekeeper enforces such policies as admission-time checks and audits, all backed by the Open Policy Agent (OPA), a lightweight, general-purpose policy engine for cloud-native environments. We will also demonstrate the work that is being done in the upstream community and provide working samples to start your journey building scalable policy on Kubernetes.

Open Source Repository - https://github.com/open-policy-agent/gatekeeper