Files
awesome-kubernetes/v2-docs/securityascode.md

152 lines
23 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Policy as Code
!!! info "Architectural Context"
Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.
## Standard Reference
- [Docker Hardened Images for Every Developer](https://www.docker.com/blog/docker-hardened-images-for-every-developer) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [IBM Vault 2.0 UI Enhancements and Reporting Improvements](https://t.co/cvOceuueCF) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Web-Check](https://web-check.xyz) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [IBM IAM for AI Agents](https://t.co/EKsVgKA4xn) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Azure Network Security Perimeter Concepts](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [amazon.com: Policy-based countermeasures for Kubernetes Part 1](https://aws.amazon.com/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Automate policies enforcement with Policy-as-Code 🌟](https://medium.com/airwalk/automate-policies-enforcement-with-policy-as-code-2f20aac9e2b0) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy' Agent](https://blog.gitguardian.com/what-is-policy-as-code-an-introduction-to-open-policy-agent) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [OPA Open Policy Agent 🌟](https://www.openpolicyagent.org) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [magalix.com: Integrating Open Policy Agent (OPA) With Kubernetes 🌟](https://www.magalix.com/blog/integrating-open-policy-agent-opa-with-kubernetes-a-deep-dive-tutorial) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟](https://github.com/policy-hub/policy-hub-cli) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Integrating Identity: OAUTH2 and OPENID CONNECT in Open' Policy Agent](https://blog.styra.com/blog/integrating-identity-oauth2-and-openid-connect-in-open-policy-agent) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Rego Unit Testing](https://blog.styra.com/blog/rego-unit-testing) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [github.com/instrumenta/policies: A set of shared policies for use with Conftest' and other Open Policy Agent tools](https://github.com/instrumenta/policies) <span class='md-tag md-tag--info'>⭐ 66</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Dynamic Policy Composition for OPA](https://blog.styra.com/blog/dynamic-policy-composition-for-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: 5 OPA Deployment Performance Models for Microservices](https://blog.styra.com/blog/5-opa-deployment-performance-models-for-microservices) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Open Policy Agent: The Top 5 Kubernetes Admission Control' Policies](https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Getting Open Policy Agent Up and Running](https://thenewstack.io/getting-open-policy-agent-up-and-running) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [siegert-maximilian.medium.com: Ensure Content Trust on Kubernetes using' Notary and Open Policy Agent](https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Policy-based infrastructure guardrails with Terraform and' OPA 🌟](https://blog.styra.com/blog/policy-based-infrastructure-guardrails-with-terraform-and-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Automated Manifest File Validation Using Open Policy Agent and GitHub' Actions | Ravindu Sandeepa Rathugama](https://medium.com/@ravindursr/automated-manifest-file-validation-using-open-policy-agent-and-github-actions-697fa9fd74f0) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps' (Magalix)](https://thenewstack.io/weaveworks-adds-policy-as-code-to-secure-kubernetes-apps) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Load external data into OPA: The Good, The Bad, and The Ugly](https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [inspektor.cloud: Evaluating open policy agent in rust using wasm](https://inspektor.cloud/blog/evaluating-open-policy-agent-in-rust-using-wasm) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/4th-coffee: What is Policy-as-Code? An Introduction to Open Policy' Agent](https://medium.com/4th-coffee/what-is-policy-as-code-an-introduction-to-open-policy-agent-6098463f8461) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [banzaicloud.com: Istio and Kubernetes ft. OPA policies](https://banzaicloud.com/blog/istio-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Ensure Content Trust on Kubernetes using Notary and Open Policy' Agent](https://medium.com/@siegert.maximilian/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform](https://www.kubermatic.com/blog/using-open-policy-agent-with-kubermatic) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [k8s-security-policies](https://github.com/raspbernetes/k8s-security-policies) <span class='md-tag md-tag--info'>⭐ 177</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Deploying Open Policy Agent (OPA) on a GKE cluster — Step by Step](https://medium.com/linkbynet/deploying-opa-on-a-gke-cluster-da4d3d77812c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Using OPA with GitOps to speed Cloud-Native development](https://blog.styra.com/blog/using-opa-with-gitops-to-speed-cloud-native-development) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/gitguardian: What is Policy-as-Code? An Introduction to Open' Policy Agent](https://medium.com/gitguardian/what-is-policy-as-code-an-introduction-to-open-policy-agent-dba1400bb030) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [hashicorp.com: Securing Infrastructure In Application Pipelines](https://www.hashicorp.com/resources/securing-infrastructure-in-application-pipelines) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Yor Automates Tagging for Infrastructure as Code](https://thenewstack.io/yor-automates-tagging-for-infrastructure-as-code) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [yor.io](https://yor.io) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [checkov.io](https://www.checkov.io) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [aws.amazon.com: Policy-based countermeasures for Kubernetes Part 1](https://aws.amazon.com/es/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [MagTape](https://github.com/tmobile/magtape) <span class='md-tag md-tag--info'>⭐ 152</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Selefra: Selefra is an open-source policy-as-code software that provides' analytics for multi-cloud and SaaS.](https://github.com/selefra/selefra) <span class='md-tag md-tag--info'>⭐ 545</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [venturebeat.com: How Nirmata plans to conquer Kubernetes complexity with' open source Kyverno](https://venturebeat.com/2021/08/10/how-nirmata-plans-to-conquer-kubernetes-complexity-with-open-source-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno' 🌟](https://neonmirrors.net/post/2021-02/kubernetes-policy-comparison-opa-gatekeeper-vs-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Using Kyverno To Enforce EKS Best Practices](https://dev.to/rinkiyakedad/using-kyverno-to-enforce-eks-best-practices-cad) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Mutating Resources](https://kyverno.io/docs/writing-policies/mutate) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [squadcast.com: Kyverno - Policy Management in Kubernetes 🌟](https://www.squadcast.com/blog/kyverno-policy-management-in-kubernetes) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Exploring Kyverno: Part 3, Generation](https://neonmirrors.net/post/2020-12/exploring-kyverno-part3) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Check deprecated APIs 🌟](https://kyverno.io/policies/best-practices/check_deprecated_apis) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Generating resources into existing namespaces](https://kyverno.io/docs/writing-policies/generate/#generating-resources-into-existing-namespaces) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Add Pod Proxies](https://kyverno.io/policies/other/add-pod-proxies) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Auto-Gen Rules for Pod Controllers](https://kyverno.io/docs/writing-policies/autogen) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Require PodDisruptionBudget](https://kyverno.io/policies/other/require_pdb) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno](https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Exploring Kyverno: Introduction 🌟](https://neonmirrors.net/post/2020-11/exploring-kyverno-intro) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient!](https://nirmata.com/2021/08/18/introducing-kyverno-1-4-2-trusted-and-more-efficient) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Policy Reporter 🌟](https://github.com/kyverno/policy-reporter) <span class='md-tag md-tag--info'>⭐ 368</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From' Themselves by Ritesh Patel](https://www.sesin.at/2021/08/28/securing-kubernetes-with-kyverno-how-to-protect-your-users-from-themselves-by-ritesh-patel) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [movi.hashnode.dev: Simplify Kubernetes Cluster Management with Kyverno](https://movi.hashnode.dev/simplify-kubernetes-cluster-management-with-kyverno-ckt6yxjqy0duy95s14groe7h4) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [arun-sisodiya.medium.com: KyvernoA Kubernetes native policy manager (Policy' as Code)](https://arun-sisodiya.medium.com/kyverno-a-policy-manager-for-kubernetes-286f6e082062) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Default Kyverno Policies for OpenEBS](https://dev.to/niveditacoder/default-kyverno-policies-for-openebs-4abf) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Restrict Image Registries](https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Using Kyverno Policies for Kubernetes Governance](https://dev.to/mda590/using-kyverno-policies-for-kubernetes-governance-3e17) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Implementing your best practices is simple with kyverno](https://kyverno.io/policies/best-practices/require_probes/require_probes) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/compass-true-north: Governing Multi-Tenant Kubernetes Clusters' with Kyverno](https://medium.com/compass-true-north/governing-multi-tenant-kubernetes-clusters-with-kyverno-3e11ba4a64ad) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/@haseebshaukat2: Kyverno — Policy Engine for Kubernetes | Muhammad' Haseeb Shaukat](https://medium.com/@haseebshaukat2/kyverno-policy-engine-for-kubernetes-b49f3fac43b9) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.sigstore.dev: How to verify container images with Kyverno using KMS,' Cosign, and Workload Identity](https://blog.sigstore.dev/how-to-verify-container-images-with-kyverno-using-kms-cosign-and-workload-identity-1e07d2b85061) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/@glen.yu: Why I prefer Kyverno over Gatekeeper for native Kubernetes' policy management](https://medium.com/@glen.yu/why-i-prefer-kyverno-over-gatekeeper-for-native-kubernetes-policy-management-35a05bb94964) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Cloud Custodian](https://github.com/cloud-custodian/cloud-custodian) <span class='md-tag md-tag--info'>⭐ 5988</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span>
## Cloud Infrastructure
### Kubernetes
#### Policy-as-Code
- [Kyverno 🌟](https://kyverno.io) <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A CNCF graduated Kubernetes-native policy engine.
* Allows policy definition as standard Kubernetes resources (YAML).
* Eliminates the need for complex DSLs like Rego.
* Simplifies admission control, generation, mutation, and validation of workloads.
- [kyverno.io: 56 sample policies 🌟](https://kyverno.io/policies) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A rich library of ready-to-use Kyverno policy definitions. These templates address common cloud security standards (Pod Security Standards, multi-tenancy constraints, best practices, and resource optimization parameters) for instant cluster hardening.
## Cloud Native Security
### Infrastructure Security
#### IaC Scanning
- **(2021)** [Apolicy](https://www.sysdig.com) <span class='md-tag md-tag--warning'>[NONE CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Apolicy (acquired by Sysdig) provides advanced policy-as-code governance designed for shifting cloud security left. Scans Infrastructure-as-Code (IaC) templates and automatically matches security rules to production deployment settings.
#### Mergers and Acquisitions
- **(2021)** [sysdig.com: Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation](https://www.sysdig.com/blog/sysdig-and-apolicy-join-forces-to-help-customer-secure-infrastructure-as-code) <span class='md-tag md-tag--warning'>[NONE CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An industry announcement detailing Sysdig's acquisition of Apolicy. Highlights the integration of IaC security analysis with runtime monitoring to establish unified, end-to-end security loops from Git commits to production containers.
#### Runtime Analysis
- **(2024)** [Fugue: Container and Kubernetes. Runtime infrastructure security](https://snyk.io/product/container-vulnerability-management) <span class='md-tag md-tag--warning'>[NONE CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Fugue (now integrated under Snyk Container security suite) delivers continuous compliance and automated infrastructure monitoring for AWS, Azure, and Google Cloud alongside Kubernetes runtime configurations, mapping live states to CIS Benchmarks and SOC 2 frameworks.
### Policy-as-Code (1)
#### Educational Video
- **(2021)** [youtube: The Rise of Kubernetes Policy Engine | Ep 57](https://www.youtube.com/watch?v=0TvhTXddRGE&t=12s) <span class='md-tag md-tag--warning'>[NONE CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An informative panel discussion examining the rise of Kubernetes policy engines. Tracks the evolution from manual auditing workflows to declarative, automated gatekeeping systems using OPA Gatekeeper and Kyverno.
#### Governance
- **(2021)** [searchitoperations.techtarget.com: CNCF policy-as-code project bridges Kubernetes security gaps](https://www.techtarget.com/searchitoperations/news/252505548/CNCF-policy-as-code-project-bridges-Kubernetes-security-gaps) <span class='md-tag md-tag--warning'>[NONE CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An industry report outlining CNCF policy-as-code initiatives designed to patch security deficiencies within container orchestration. Compares the operational paradigms of Rego-based OPA and YAML-native Kyverno for policy-driven environments.
#### Kyverno
- **(2024)** [==A Kyverno policy to block custom snippet configurations for Kubernetes Nginx ingress (CVE-2021-25742==](https://github.com/kubernetes/kubernetes/issues/126811) <span class='md-tag md-tag--info'>⭐ 122403</span> <span class='md-tag md-tag--warning'>[YAML CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A critical Kyverno security policy designed to block custom Nginx Ingress snippet configurations, preventing exploitation of CVE-2021-25742. Demonstrates the practical power of declarative security rules in blocking ingress privilege escalations.
- **(2021)** [cloud.redhat.com: Automate Your Security Practices and Policies on OpenShift With Kyverno 🌟](https://www.redhat.com/en/blog/automate-your-security-practices-and-policies-on-openshift-with-kyverno) <span class='md-tag md-tag--warning'>[YAML CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Illustrates automated security practice implementation inside OpenShift clusters utilizing Kyverno. Explores Kyverno's YAML-native approach, highlighting how platform engineers write policies using standard Kubernetes resource models without learning new programming languages.
#### Kyverno Training
- **(2023)** [appsecengineer.com: Kubernetes Policy Management with Kyverno](https://www.appsecengineer.com/courses-collection/kubernetes-policy-management-with-kyverno) <span class='md-tag md-tag--warning'>[YAML CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — An educational course focusing on Kyverno-driven Kubernetes policy engineering. Walks developers and SREs through writing advanced manifest mutation, generation, and validation policies with real-world scenarios.
#### OPA
- **(2020)** [searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm](https://www.techtarget.com/searchitoperations/news/252467102/Kubernetes-policy-project-takes-enterprise-IT-by-storm) <span class='md-tag md-tag--warning'>[REGO CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Highlights the massive industry shift toward Open Policy Agent (OPA) for centralized, policy-as-code enforcement. Emphasizes OPA's ability to unify policy layers across different tools like Kubernetes admission controllers, API gateways, and CI/CD pipelines.
- **(2020)** [blog.openshift.com: Fine-Grained Policy Enforcement in OpenShift with Open Policy Agent 🌟](https://www.redhat.com/en/blog/fine-grained-policy-enforcement-in-openshift-with-open-policy-agent) <span class='md-tag md-tag--warning'>[REGO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A deep-dive technical article by Red Hat showcasing fine-grained policy enforcement in OpenShift using Open Policy Agent. Details how to intercept Kubernetes API requests via admission controllers to block non-compliant resource deployments programmatically.
#### OPA Wasm
- **(2025)** [==compile OpenPolicyAgent policies into WebAssembly and run them on the edge==](https://github.com/open-policy-agent/contrib/tree/main/wasm/cloudflare-worker) <span class='md-tag md-tag--info'>⭐ 345</span> <span class='md-tag md-tag--warning'>[WEBASSEMBLY CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — An open-source utility that compiles declarative Open Policy Agent (Rego) policies into high-performance WebAssembly (Wasm) modules. Designed for lightning-fast security and routing decisions at edge platforms like Cloudflare Workers and Envoy proxies.
#### Rego
- **(2021)** [fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA)](https://snyk.io/blog) <span class='md-tag md-tag--warning'>[REGO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An additional collection of advanced Rego development practices, focusing on unit-testing frameworks, mock injections, and playground emulator tools to ensure policy robustness and security governance.
## Identity and Access Management
### Cloud IAM
#### Microsoft Entra
- [Configure Microsoft Entra for Increased Security](https://learn.microsoft.com/en-us/entra/fundamentals/configure-security) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Official documentation outlines hardening parameters for Microsoft Entra ID. Features prescriptive blueprints for setting up conditional access, continuous access evaluation, Multi-Factor Authentication (MFA), and role-based identity management.
## Public Cloud Platforms
### AWS
#### EKS Security and Isolation
##### Policy Management
- [aws.amazon.com: Easy as one-two-three policy management with Kyverno on' Amazon EKS 🌟](https://aws.amazon.com/blogs/containers/easy-as-one-two-three-policy-management-with-kyverno-on-amazon-eks) <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Walkthrough detailing how to manage native policy rules on EKS clusters using Kyverno instead of raw Rego. Illustrates automated resource validation, generation, and mutation patterns to enforce corporate configuration compliance.
## Security
### DevSecOps
#### SAST
- [GitHub Code Security Risk Assessment: Free Vulnerability Scanning](https://github.blog/security/application-security/how-exposed-is-your-code-find-out-in-minutes-for-free) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An introduction to GitHub's native, free vulnerability scanning tools designed to locate security regressions, secrets, and supply chain threats directly within the code repository. It highlights automated security alerts and quick enablement configurations.
---
💡 **Explore Related:** [IaC](./iac.md) | [Terraform](./terraform.md) | [Oauth](./oauth.md)