OPA ate my image scanning
2020-03-28, 16:20–16:50, Room 2

Image scanning is a cornerstone of keeping your Kubernetes cluster secure. You don't want to open the door to attacks by deploying a pod from an image that has known vulnerabilities or that doesn't follow your policies.

This talk will show attendees how to use Open Policy Agent as an admission controller integrated with image scanning from Anchore. With this you can decide, based on the scan results, whether an image may be scheduled into Kubernetes.

Vulnerabilities in images give attackers a way to compromise the integrity of the cluster. If we block vulnerable images from being deployed, we ensure that at least one known path is covered.

Open Policy Agent is able to enforce admission policies on container images in Kubernetes.
You can use this project to enforce simple admission policies on images such as naming conventions, version pinning (no latest) and registry usage (production environments must use an internal registry).
Attendees will leave the talk knowing how to integrate Open Policy Agent as an admission controller with Anchore to block images that are vulnerable or do not follow their security policies.
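The admission policies named above (version pinning, no `latest`, internal registry in production) plus a scan-result gate, as an added Rego example written for this abstract rather than taken from the talk or from the Anchore project. It assumes a plain OPA admission webhook receiving an AdmissionReview for pods (`input.request`), the current Rego syntax (`import rego.v1`, OPA 0.59 or later), and that Anchore scan results have been loaded into OPA as a data document under `data.anchore.images` keyed by image reference; the registry name is constructed.

```rego
package kubernetes.admission

import rego.v1

# Constructed for this example: registries that production workloads may pull from.
allowed_registries := {"registry.internal.example.com"}

# Every image the pod references, init containers included.
images contains c.image if some c in input.request.object.spec.containers
images contains c.image if some c in input.request.object.spec.initContainers

# Last path segment of the reference, where the tag or digest lives.
last_segment(img) := parts[count(parts) - 1] if parts := split(img, "/")

# Version pinning: reject untagged images and the mutable "latest" tag.
deny contains msg if {
    some img in images
    seg := last_segment(img)
    not contains(seg, ":")
    not contains(seg, "@")
    msg := sprintf("image %q has no tag or digest; pin an explicit version", [img])
}

deny contains msg if {
    some img in images
    endswith(img, ":latest")
    msg := sprintf("image %q uses the mutable 'latest' tag", [img])
}

# Registry usage: the production namespace must pull from an internal registry.
deny contains msg if {
    input.request.namespace == "production"
    some img in images
    reg := split(img, "/")[0]
    not reg in allowed_registries
    msg := sprintf("image %q is not from an approved registry", [img])
}

# Scan results: assumed here to be loaded into OPA as data keyed by image reference,
# e.g. data.anchore.images["registry.internal.example.com/app:1.2"] == {"status": "fail"}.
deny contains msg if {
    some img in images
    data.anchore.images[img].status == "fail"
    msg := sprintf("image %q failed the Anchore policy evaluation", [img])
}
```

A non-empty `deny` set is what the webhook handler turns into an AdmissionReview response with `allowed: false`; an image referenced by digest (`repo@sha256:...`) passes the pinning rules but is still subject to the registry and scan-result checks.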