
Utilize OPA/rego for rules #82

Open
nstogner opened this issue Dec 4, 2019 · 8 comments

Comments

nstogner commented Dec 4, 2019

Seems like OPA/rego is becoming the de-facto policy language for Kubernetes. Gatekeeper seems to be gaining traction and there is talk of Pod Security Policies being deprecated in favor of something like Gatekeeper.

Redefining the kubesec rules in rego may better position the tool for the future.

sublimino (Member) commented

Hi @nstogner! You are correct, and this is the direction of travel for Kubesec. We'll update progress in this ticket.

alexppg commented Dec 30, 2019

If rego is used, in what ways would kubesec be different from OPA?

sublimino (Member) commented

@alexppg KubeSec is risk-based, and so opinionated and scored. Rules can fail without denying the request, and many small rules can fail which may tip the risk score below the threshold and fail the request for some configuration. OPA could be used in this way with additional rego but more generally is used in a PSP-esque manner.
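The scored-rule model the comment above describes, as an added example that is not kubesec's own code, rules or weights: a Rego policy in which several findings each carry points, the total decides the outcome, and a deny message is produced only when the total drops below a threshold. The point values, the threshold, the finding ids and the sample pods are all assumed for illustration; `import rego.v1` assumes OPA 0.59 or later.

```rego
# Added example (not kubesec's own rules, weights or schema): a risk-scored
# policy in the style described above, with point values assumed for illustration.
# Assumes OPA 0.59+ for `import rego.v1`; save as score.rego and run `opa test score.rego`.
package kubesec.score

import rego.v1

# Assumed pass mark: a total at or above this passes, anything lower fails the request.
threshold := 0

# Each finding carries an id (constructed, kubesec-like path) and a point value.
# Negative points are risks; positive points reward hardening.

findings contains f if {
	some c in input.spec.containers
	c.securityContext.privileged == true
	f := {"id": sprintf("containers[%v].securityContext.privileged", [c.name]), "points": -30}
}

findings contains f if {
	some c in input.spec.containers
	not c.securityContext.readOnlyRootFilesystem
	f := {"id": sprintf("containers[%v].securityContext.readOnlyRootFilesystem", [c.name]), "points": -1}
}

findings contains f if {
	some c in input.spec.containers
	c.securityContext.runAsNonRoot == true
	f := {"id": sprintf("containers[%v].securityContext.runAsNonRoot", [c.name]), "points": 1}
}

findings contains f if {
	input.spec.hostNetwork == true
	f := {"id": "spec.hostNetwork", "points": -9}
}

# The score is the sum of all finding points; no findings means a score of 0.
score := sum([f.points | some f in findings])

# Unlike a plain deny rule, no single advisory finding decides the outcome:
# the request fails only when the accumulated score drops below the threshold.
default allow := false

allow if score >= threshold

# A deny-style message for admission controllers, listing the risks that pulled the score down.
deny contains msg if {
	not allow
	risks := [f.id | some f in findings; f.points < 0]
	msg := sprintf("risk score %v is below threshold %v; risks: %v", [score, threshold, risks])
}

# Constructed sample pods exercising both outcomes.
test_privileged_pod_fails if {
	pod := {"spec": {"containers": [{"name": "app", "securityContext": {"privileged": true}}]}}
	score == -31 with input as pod
	not allow with input as pod
	count(deny) == 1 with input as pod
}

test_hardened_pod_passes if {
	pod := {"spec": {"containers": [{
		"name": "app",
		"securityContext": {"readOnlyRootFilesystem": true, "runAsNonRoot": true}
	}]}}
	score == 1 with input as pod
	allow with input as pod
}
```

Running `opa test` on the two constructed pods shows the difference from a PSP-style policy: a missing read-only root filesystem on its own costs one point and would not fail a request by itself, while a privileged container outweighs any hardening elsewhere in the pod.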

alexppg commented Jan 4, 2020

I see, thanks. It seems pretty cool; the risk-based way is easier to adopt. And if both of them use the same language, it would be easier to choose this, with the option to migrate to OPA if you want to.
Thanks for your answer!

yannh commented May 10, 2020

👋 is there any work going on on this? OPA would be awesome, I was thinking of starting a repo, but wouldn't want to duplicate work :)

sublimino (Member) commented

Nothing yet, we'd welcome a PR!

I believe the migration can happen incrementally; a single rule can be migrated to OPA and the test suite used to support a refactor.

The OPA rules should probably be externalised from the source in a dedicated directory for easy reuse.

Any thoughts on this @stefanprodan @06kellyjac @ipedrazas ?

jpreese commented May 13, 2020

@sublimino @yannh I saw your conversation, and just wanted to chime in that there has been some effort in this space: https://github.com/instrumenta/policies/blob/master/kubernetes/security.rego

There hasn't been a whole lot of activity on that repository, so I don't think it's firmly decided that's where they should live. Wanted to start the discussion regardless :)

yannh commented May 13, 2020

Thanks @jpreese this is exactly what I was looking for :)
