GitLab Commit: Enhance your Compliance with Policy-Based CI/CD

Whether you want to get started with Governance or improve your current process, this talk will show you how to improve your compliance by implementing policy-based CI/CD (Continuous Integration / Continuous Delivery) with GitLab CI and Open Policy Agent.

Philippe and Nico will tell you all the details about Open Policy Agent and how you can easily integrate it into your existing CI/CD pipelines. Join our session to learn how to improve compliance, from gating your dependencies to controlling your infrastructure.


GitLab Commit: Enhance your Compliance with Policy-Based CI/CD

  1. Enhance Your Compliance and Governance With Policy-Based CI/CD
  2. Philippe Lafoucrière, Distinguished Security Engineer, GitLab (@plafoucriere) / Nico Meisenzahl, Senior Cloud & DevOps Consultant, white duck (@nico-meisenzahl, @nmeisenzahl)
  3. Agenda
  4. Agenda
     ● Why do we need compliance and governance in CI/CD?
     ● What is Open Policy Agent and how does it work?
     ● How to get started – some examples
  5. Why do we need compliance and governance in CI/CD?
  6. What is Compliance? “Adherence to standards, regulations, and other requirements” (Wikipedia)
  7. Types of software compliance
     ● Statutory/regulatory compliance: comply with relevant laws, policies, and regulations.
     ● Standards: adhere to established and standard requirements.
     ● Contractual obligations: vendor agreements, customer contracts, ...
     ● Corporate: set of rules and policies defined by the company to comply with the needs of HR, Security, Communication, ...
  8. Compliance frameworks. Regulatory compliance frameworks are mandatory for some industries. Source: GitLab current Security Certifications and Attestations
  9. The way to Compliance. You can do all of these without compliance, but doing compliance without them will turn out to be extremely hard. They are intimately tied together. (Diagram labels: Automation, Testing, Quality, Compliance)
  10. Compliance and Governance in CI/CD?
     - Define the “how” around the “what” of the pipelines
     - Security and compliance gates
     - Ensure the requirements are always met, during the whole lifecycle of the project
     - Iteration is key (start small!)
     - OPA to the rescue
  11. What is Open Policy Agent and how does it work?
  12. Open Policy Agent (OPA): “policy-based control for cloud native environments”
     ● general-purpose policy engine across your stack
     ● graduated CNCF project, introduced by Styra
     ● declarative policy language
     ● decouples the application logic from policy decisions
       ○ REST API with sidecar or daemon
       ○ Go library
       ○ Wasm module
     ● provides APIs for easy management
  13. (no transcript text on this slide)
  14. Ecosystem
     ● API and service authorization with Envoy, Kong, Traefik and others
     ● authorization policies for SQL, Kafka and others
     ● container network authorization with Istio and Linkerd
     ● test policies for Terraform infrastructure changes
     ● policies for SSH and sudo
     ● policy and governance for Kubernetes
     ● and many more
       ○ https://www.openpolicyagent.org/docs/latest/ecosystem
  15. How OPA works
  16. How OPA works
  17. Rego
     ● pronounced “ray-go”
     ● declarative policy language
       ○ “is Nico allowed to POST a payload to /api?”
     ● rules commonly return true/false
       ○ but may return any value
     ● 140+ built-in functions
       ○ date/time, string, ...
       ○ regex
       ○ JWT validation
       ○ ...
  18. How OPA works
  19. How to get started?
     ● OPA playground
       ○ https://play.openpolicyagent.org
     ● docs
       ○ https://www.openpolicyagent.org/docs
     ● OPA CLI
       ○ opa run
       ○ opa test
       ○ opa eval
  20. How to get started – some examples
  21. Demo: Policy-Based CI/CD with OPA
     ● Infrastructure-as-Code change validation (Terraform)
       ○ https://gitlab.com/nico-meisenzahl/terraform-opa-policy-demo
     ● GitLab project validation
       ○ https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example/-/merge_requests/7
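To make the Rego slide and the Terraform demo concrete, here is an added example policy (written for this page, not code from the talk or from the demo repository) that gates a Terraform plan in a CI job; the protected resource types and the owner-tag requirement are assumed placeholders, and the plan fragments in the tests are constructed.

```rego
# Policy over the JSON that `terraform show -json plan.out` emits: each
# input.resource_changes[] entry carries address, type and change.actions.
package terraform.policy

import rego.v1

# Resource types an automated pipeline must never destroy (assumed list).
protected_types := {"aws_s3_bucket", "aws_db_instance"}

# Deny a plan that deletes a protected resource. A replacement plan lists
# actions ["delete", "create"], so it is caught as well.
deny contains msg if {
    some rc in input.resource_changes
    "delete" in rc.change.actions
    rc.type in protected_types
    msg := sprintf("%s: destroying %s is not allowed", [rc.address, rc.type])
}

# Deny creating a resource that would end up without an "owner" tag.
# `not` succeeds when the path is undefined, e.g. tags missing entirely.
deny contains msg if {
    some rc in input.resource_changes
    "create" in rc.change.actions
    not rc.change.after.tags.owner
    msg := sprintf("%s: resource must carry an owner tag", [rc.address])
}

# Unit tests for `opa test .` (constructed plan fragments, not real infrastructure).
test_delete_protected_is_denied if {
    count(deny) == 1 with input as {"resource_changes": [{
        "address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
        "change": {"actions": ["delete"], "after": null}}]}
}

test_tagged_create_is_allowed if {
    count(deny) == 0 with input as {"resource_changes": [{
        "address": "aws_instance.web", "type": "aws_instance",
        "change": {"actions": ["create"], "after": {"tags": {"owner": "platform"}}}}]}
}

test_untagged_create_is_denied if {
    count(deny) == 1 with input as {"resource_changes": [{
        "address": "aws_instance.web", "type": "aws_instance",
        "change": {"actions": ["create"], "after": {"tags": {}}}}]}
}
```

In the pipeline, a job that runs `opa eval --fail-defined -i plan.json -d policy.rego 'data.terraform.policy.deny'` exits non-zero whenever the deny set is non-empty, which is what turns the policy into a merge-request gate.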
  22. Further examples
     ● Kubernetes manifest validation
     ● Allow/deny lists for library dependencies
     ● Docker authorization
     ● Envoy authorization
     ● And more
  23. Philippe Lafoucrière, Distinguished Security Engineer, GitLab (@plafoucriere) / Nico Meisenzahl, Senior Cloud & DevOps Consultant, white duck (@nico-meisenzahl, @nmeisenzahl)
  24. Thank You!
