mirror of https://github.com/nubenetes/awesome-kubernetes.git
synced 2026-03-05 19:21:11 +00:00
Security Policy as Code
Introduction
- Dzone: DevOps Security at Scale - Security Policy as Code
- searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm. A Kubernetes-friendly compliance as code project hosted by the CNCF has caught on among large enterprises in the first half of 2019, largely through word of mouth.
- amazon.com: Policy-based countermeasures for Kubernetes – Part 1
Open Policy Agent (OPA)
- OPA Open Policy Agent 🌟
- magalix.com: Integrating Open Policy Agent (OPA) With Kubernetes 🌟
- fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA)
- PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟 (a list of community OPA policies)
- blog.styra.com: Integrating Identity: OAUTH2 and OPENID CONNECT in Open Policy Agent
- blog.styra.com: Rego Unit Testing
- github.com/instrumenta/policies: A set of shared policies for use with Conftest and other Open Policy Agent tools
- itprotoday.com: Who Needs Open Policy Agent? Open Policy Agent makes it possible to create a single set of configuration rules and deploy them automatically across a large-scale environment.
- blog.styra.com: Dynamic Policy Composition for OPA
- blog.styra.com: 5 OPA Deployment Performance Models for Microservices
- blog.styra.com: Open Policy Agent: The Top 5 Kubernetes Admission Control Policies
- thenewstack.io: Getting Open Policy Agent Up and Running
Open Policy Agent in Kubernetes
- infracloud.io: Kubernetes Pod Security Policies with Open Policy Agent
- banzaicloud.com: Istio and Kubernetes ft. OPA policies
- fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA)
- medium: Ensure Content Trust on Kubernetes using Notary and Open Policy Agent. A detailed guide to help you ensure that only signed images can get deployed on the cluster. In this blog post you will learn how to enforce image trust on your Kubernetes cluster by fully relying on two well-known CNCF-hosted open source solutions: Notary and Open Policy Agent (OPA).
- kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform
- k8s-security-policies: This repository provides a security policies library used for securing Kubernetes cluster configurations. The security policies are created based on the CIS Kubernetes benchmark and rules defined in Kubesec.io. The policies are written in Rego, a high-level declarative language purpose-built for expressing policies over complex hierarchical data structures. For detailed information on Rego see the Policy Language documentation.
- medium: Deploying Open Policy Agent (OPA) on a GKE cluster — Step by Step
- github.com/instrumenta/policies: A set of shared policies for use with Conftest and other Open Policy Agent tools 🌟
- blog.styra.com: Using OPA with GitOps to speed Cloud-Native development
Open Policy Agent in OpenShift
Open Policy Agent in Cloudflare Workers
Policy as Code in Terraform Cloud
- hashicorp.com: Securing Infrastructure In Application Pipelines. Learn how to use policy as code in Terraform Cloud to securely deliver applications.
Other Policy as Code Scanning Tools
- thenewstack.io: Yor Automates Tagging for Infrastructure as Code
- yor.io: Automated IaC tag and trace. Yor is an open-source tool that automatically tags infrastructure as code (IaC) templates with attribution and ownership details, unique IDs that get carried across to cloud resources, and any other need-to-know information. Run Yor as a pre-commit hook or in your CI/CD pipeline for code-to-cloud traceability and auditability.
- checkov.io: policy as code scanning tool
- aws.amazon.com: Policy-based countermeasures for Kubernetes – Part 1. Choosing the right policy-as-code solution for your Kubernetes cluster:
  - OPA
  - Gatekeeper
  - Kyverno
  - k-rail
  - MagTape
Kyverno
- Kyverno 🌟 Kubernetes Native Policy Management. Open Policy Agent? That's old school. Securely manage workloads on your Kubernetes clusters with this handy new tool, Kyverno. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.
  - youtube: The Way of the Future | Kubernetes Policy Management with Kyverno
- neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno 🌟
- kyverno.io: 56 sample policies 🌟
Cloud Custodian
- Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that's both secure and cost-optimized.