Policy as Code

Book description

In today's cloud native world, where we automate as much as possible, everything is code. With this practical guide, you'll learn how Policy as Code (PaC) provides the means to manage the policies, related data, and responses to events that occur within the systems we maintain—Kubernetes, cloud security, software supply chain security, infrastructure as code, and microservices authorization, among others.

Author Jimmy Ray provides a practical approach to integrating PaC solutions into your systems, with plenty of real-world examples and important hands-on guidance. DevOps and DevSecOps engineers, Kubernetes developers, and cloud engineers will understand how to choose and then implement the most appropriate solutions.

  • Understand PaC theory, best practices, and use cases for security
  • Learn how to choose and use the correct PaC solution for your needs
  • Explore PaC tooling and deployment options for writing and managing PaC policies
  • Apply PaC to DevOps, IaC, Kubernetes, and AuthN/AuthZ
  • Examine how you can use PaC to implement security controls
  • Verify that your PaC solution is providing the desired result
  • Create auditable artifacts to satisfy internal and external regulatory requirements

Table of contents

  1. Preface
    1. I Needed Policy as Code
    2. Who Should Read This Book
    3. Conventions Used in This Book
    4. Using Code Examples
    5. O'Reilly Online Learning
    6. How to Contact Us
    7. Acknowledgments
  2. 1. Policy as Code: A Gentle Introduction
    1. What Is Policy?
    2. What Is Policy as Code?
      1. What Is a Policy?
      2. PaC Policy Characteristics
      3. The Role of JSON and YAML
      4. Guardrails: Preventing the Unwanted
      5. Plans: Reacting to the Unplanned
    3. Adopting Open Source Software
      1. Disadvantages of OSS
      2. The Care and Feeding of OSS
    4. Standards and Controls
    5. Policy as Code for Everything as Code
    6. Policy Engines and Languages
    7. Choosing the Right PaC Solution
      1. Example PaC Selection Factors
      2. PaC Selection Scorecard
    8. The Cloud Native Computing Foundation
    9. Summary
  3. 2. Open Policy Agent
    1. Hello World
    2. OPA Installation and Modes
      1. OPA Command-Line Interface
      2. OPA Read-Eval-Print Loop
      3. OPA Server
      4. OPA eval
      5. OPA exec
    3. Rego Policy Language
      1. OPA Document Model
      2. Rego Syntax and Logic
      3. Writing and Testing Rego
      4. The Rego Playground
    4. Advanced Bundling Topics
      1. Bundle Signing
      2. Bundles for Extension: WebAssembly
    5. Extending and Integrating with OPA
    6. Summary
  4. 3. Policy as Code and Access Control
    1. Privileged Access Management
      1. OPA Bearer Token AuthN and AuthZ
      2. Role-Based Access Control
      3. OPA and RBAC
      4. Attribute-Based Access Control
      5. OPA and ABAC
    2. Administering Policies and Data
      1. Bundle Server
      2. Styra DAS and Policy-Based Access Management
      3. Styra Run
      4. Open Policy Administration Layer
      5. Using OCI Images with OPA and Open Policy Containers
    3. Summary
  5. 4. Policy as Code and Kubernetes
    1. CNCF and Policy Management
    2. Implementing Security Controls and Controlling Behaviors
      1. API Server Requests
      2. Admission Controllers
      3. Dynamic Admission Controllers
      4. Mutating Resources
      5. Validating Resources
      6. API Server Request Latency and Webhook Order
    3. Auditing and Background Scanning Existing Resources
    4. Generating Resources and Policies
    5. Kubernetes Native Policy Features
      1. Pod Security
      2. Pod Security Admission
      3. Validating Admission Policy
    6. AuthZ Webhook Mode
      1. AuthZ Decisions
      2. AuthZ Webhook and PaC
      3. Example Policy
    7. Policy Reporting
    8. Summary
  6. 5. Open Policy Agent and Kubernetes
    1. OPA Installation
      1. Validating Admission Webhook
    2. Kubernetes Management Sidecar
      1. Kubernetes Policy Management
      2. Kubernetes Data Management
      3. Data from Configmaps
      4. OPA AuthZ and kube-mgmt
    3. Kubernetes Policies
      1. Validation Policies
      2. OPA Policy Entry Point
      3. Custom Helper Libraries
      4. Mutating Configuration and Policies
    4. Centralized OPA Management with Styra DAS
      1. Policy Management
      2. Uninstalling Styra DAS
    5. Summary
  7. 6. MagTape and Kubernetes
    1. Installing and Uninstalling MagTape
    2. MagTape init
    3. Proxying OPA with MagTape
      1. Controlling Deny Volumes
      2. The Deny Volume Knob
      3. Slack Notifications
    4. Summary
  8. 7. OPA/Gatekeeper and Kubernetes
    1. Installation
      1. Ignoring Namespaces
      2. Config: Alpha Feature
      3. Uninstalling Gatekeeper
    2. Policies
      1. OPA Constraint Framework
      2. Validation Policies
      3. Enforcement Actions
      4. Mutation Policies
      5. Use Case: Multitenancy Isolation
    3. Audit Mode
    4. External Data Providers
    5. Policy Expansion
    6. Policy Testing
    7. Summary
  9. 8. Kyverno and Kubernetes
    1. Installation
      1. Ignoring Namespaces
      2. Dynamic Webhook Configurations
      3. Uninstalling Kyverno
    2. Policies
      1. Policy Lexicon
      2. Policy Composition
      3. Policy Types
      4. Policy Reporting
      5. Background Scans
      6. Policy Testing
    3. Summary
  10. 9. jsPolicy and Kubernetes
    1. Installation
      1. CRD Webhook Configuration
      2. Policy Webhook Configurations
      3. Uninstalling jsPolicy
    2. Policies
      1. Inline Policies
      2. Bundled Policies
    3. Summary
  11. 10. Cloud Custodian and Kubernetes
    1. CLI Mode
      1. Installation
      2. Cleanup
    2. Policies
      1. Policies with Actions
      2. Discovery with Policies
    3. Controller Mode
      1. Installation
      2. Validating Policies
      3. Mutating Policies
      4. c7n-kates
    4. Summary
  12. 11. PaC and Infrastructure as Code
    1. Infrastructure as Code
      1. Immutability
      2. Baking Versus Frying
      3. Imperative and Declarative IaC
    2. Applying PaC to IaC
      1. Preventive Controls
      2. Conftest
      3. Checkov and cfn-lint
      4. CFN Hooks
      5. Using PaC with Hooks
      6. Validating Terraform
      7. Terraform and Conftest
      8. OPA tfplan
    3. Summary
  13. 12. PaC and Terraform IaC
    1. HashiCorp Sentinel
      1. Terraform Artifacts
      2. Mocking Data
      3. Testing
      4. Running Policies in TFC
    2. Additional Terraform Validation
      1. Checkov
      2. tflint
      3. Terrascan
      4. tfsec
      5. Snyk
    3. Summary
  14. 13. PaC and Infrastructure as a Service
    1. Prowler
      1. Prowler Checks
      2. Prowler CLI
    2. Cloud Custodian
      1. Installation
      2. Cleanup
      3. Cloud Custodian Policies
      4. FinOps with Custodian
    3. Summary
  15. 14. PaC and the Software Supply Chain
    1. Attacking Normal
    2. SSC Policy Enforcement Points
      1. Codebase and Pipeline PEPs
      2. PaC and Trivy with Container Images
    3. Software Bill of Materials
      1. Evaluating SBOMs with PaC
      2. Detecting Vulnerabilities in SBOMs with PaC
      3. SBOM Promises
      4. SBOM Authenticity and Integrity
    4. Summary
  16. 15. Retrospectives and Futures
    1. Characteristics of Successful PaC Adoption
      1. Momentum
      2. Domain-Specific Languages
      3. Usability
      4. Project Extensibility and Ecosystem Development
      5. Enterprise Solutions
    2. PaC Looking Forward
      1. Embracing Standards with OSCAL
      2. PaC and Generative AI
      3. Cedar
      4. Configure, Unify, Execute
    3. Conclusion
  17. Index
  18. About the Author

Product information

  • Title: Policy as Code
  • Author(s): Jimmy Ray
  • Release date: July 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098139186