Policy as Code Chorzów


From 228.65; nearest: 21 km

Number of offers: 1

Store offer

Description

In today's cloud native world, where we automate as much as possible, everything is code. With this practical guide, you'll learn how Policy as Code (PaC) provides the means to manage the policies, related data, and responses to events that occur within the systems we maintain: Kubernetes, cloud security, software supply chain security, infrastructure as code, and microservices authorization, among others. Author Jimmy Ray provides a practical approach to integrating PaC solutions into your systems, with plenty of real-world examples and important hands-on guidance. DevOps and DevSecOps engineers, Kubernetes developers, and cloud engineers will understand how to choose and then implement the most appropriate solutions.

  • Understand PaC theory, best practices, and use cases for security
  • Learn how to choose and use the correct PaC solution for your needs
  • Explore PaC tooling and deployment options for writing and managing PaC policies
  • Apply PaC to DevOps, IaC, Kubernetes, and AuthN/AuthZ
  • Examine how you can use PaC to implement security controls
  • Verify that your PaC solution is providing the desired result
  • Create auditable artifacts to satisfy internal and external regulatory requirements

Table of contents:
  • Preface: I Needed Policy as Code; Who Should Read This Book; Conventions Used in This Book; Using Code Examples; O'Reilly Online Learning; How to Contact Us; Acknowledgments
  • 1. Policy as Code: A Gentle Introduction: What Is Policy?; What Is Policy as Code?; What Is a Policy?; PaC Policy Characteristics; The Role of JSON and YAML; Guardrails: Preventing the Unwanted; Plans: Reacting to the Unplanned; Adopting Open Source Software; Disadvantages of OSS; The Care and Feeding of OSS; Standards and Controls; Policy as Code for Everything as Code; Policy Engines and Languages; Choosing the Right PaC Solution; Example PaC Selection Factors; PaC Selection Scorecard; The Cloud Native Computing Foundation; Summary
  • 2. Open Policy Agent: Hello World; OPA Installation and Modes; OPA Command-Line Interface; OPA Read-Eval-Print Loop; OPA Server; Bundles; Querying the server; OPA REST API; Ad hoc queries; OPA eval; OPA exec; Rego Policy Language; OPA Document Model; Rego Syntax and Logic; Rules; Functions; Functions are rules; Built-in functions; Objects, collections, and comprehensions; Unification versus assignment and comparison; Writing and Testing Rego; The Rego Playground; Advanced Bundling Topics; Bundle Signing; Bundles for Extension: WebAssembly; Extending and Integrating with OPA; Summary
  • 3. Policy as Code and Access Control: Privileged Access Management; OPA Bearer Token AuthN and AuthZ; Role-Based Access Control; OPA and RBAC; Attribute-Based Access Control; OPA and ABAC; Administering Policies and Data; Bundle Server; Styra DAS and Policy-Based Access Management; Styra Run; Open Policy Administration Layer; Using OCI Images with OPA and Open Policy Containers; Summary
  • 4. Policy as Code and Kubernetes: CNCF and Policy Management; Implementing Security Controls and Controlling Behaviors; API Server Requests; Admission Controllers; Dynamic Admission Controllers; API server request payload; Admission response; Configuring dynamic admission controllers; Mutating webhook configuration; Validating webhook configuration; Data beyond AdmissionReview; Mutating Resources; Validating Resources; API Server Request Latency and Webhook Order; Auditing and Background Scanning Existing Resources; Generating Resources and Policies; Kubernetes Native Policy Features; Pod Security; Pod Security Admission; Validating Admission Policy; AuthZ Webhook Mode; AuthZ Decisions; AuthZ Webhook and PaC; Example Policy; Policy Reporting; Summary
  • 5. Open Policy Agent and Kubernetes: OPA Installation; Validating Admission Webhook; Automated install and uninstall; Uninstalling OPA; Kubernetes Management Sidecar; Kubernetes Policy Management; Kubernetes Data Management; Data from Configmaps; OPA AuthZ and kube-mgmt; Kubernetes Policies; Validation Policies; OPA Policy Entry Point; Custom Helper Libraries; Mutating Configuration and Policies; Centralized OPA Management with Styra DAS; Policy Management; Uninstalling Styra DAS; Summary
  • 6. MagTape and Kubernetes: Installing and Uninstalling MagTape; MagTape init; Proxying OPA with MagTape; Controlling Deny Volumes; The Deny Volume Knob; Slack Notifications; Summary
  • 7. OPA/Gatekeeper and Kubernetes: Installation; Ignoring Namespaces; Config: Alpha Feature; Uninstalling Gatekeeper; Policies; OPA Constraint Framework; Validation Policies; Enforcement Actions; Mutation Policies; Use Case: Multitenancy Isolation; Audit Mode; External Data Providers; Policy Expansion; Policy Testing; Summary
  • 8. Kyverno and Kubernetes: Installation; Ignoring Namespaces; Dynamic Webhook Configurations; Uninstalling Kyverno; Policies; Policy Lexicon; Policy Composition; Policy Types; Mutate policies; Validate policies; Policy Auto-Gen; Time-bound policies; Common expression language policies; VerifyImages policies; Generate policies; CleanUp policies; Policy exceptions; Policy Reporting; Background Scans; Policy Testing; Summary
  • 9. jsPolicy and Kubernetes: Installation; CRD Webhook Configuration; Policy Webhook Configurations; Uninstalling jsPolicy; Policies; Inline Policies; Policy ingestion; Mutating policies; Controller policies; Policy deletion; Bundled Policies; Summary
  • 10. Cloud Custodian and Kubernetes: CLI Mode; Installation; Cleanup; Policies; Policies with Actions; Discovery with Policies; Controller Mode; Installation; Validating Policies; Mutating Policies; c7n-kates; Summary
  • 11. PaC and Infrastructure as Code: Infrastructure as Code; Immutability; Baking Versus Frying; Imperative and Declarative IaC; Applying PaC to IaC; Preventive Controls; Conftest; Checkov and cfn-lint; CFN Hooks; Using PaC with Hooks; Validating Terraform; Terraform and Conftest; OPA tfplan; Summary
  • 12. PaC and Terraform IaC: HashiCorp Sentinel; Terraform Artifacts; Mocking Data; Testing; Terraform cloud and GCP; Building and executing Sentinel tests; Running Policies in TFC; Additional Terraform Validation; Checkov; tflint; Terrascan; tfsec; Snyk; Summary
  • 13. PaC and Infrastructure as a Service: Prowler; Prowler Checks; Prowler CLI; Cloud Custodian; Installation; Cleanup; Cloud Custodian Policies; Resources; Filters; Actions; Describing policies; Policy execution; Pull mode policy execution; CloudTrail mode policy execution; Periodic mode policy execution; FinOps with Custodian; Summary
  • 14. PaC and the Software Supply Chain: Attacking Normal; SSC Policy Enforcement Points; Codebase and Pipeline PEPs; Revisiting defense in depth with codebase PEPs; Don't forget your Rego unit tests; Enabling developers; PaC and Trivy with Container Images; Software Bill of Materials; Evaluating SBOMs with PaC; Detecting Vulnerabilities in SBOMs with PaC; SBOM Promises; SBOM Authenticity and Integrity; SBOMs and SLSA Provenance with in-toto; Summary
  • 15. Retrospectives and Futures: Characteristics of Successful PaC Adoption; Momentum; Domain-Specific Languages; Usability; Project Extensibility and Ecosystem Development; Enterprise Solutions; PaC Looking Forward; Embracing Standards with OSCAL; PaC and Generative AI; Learning PaC with GenAI; GenAI and outdated data; GenAI insights and explanations; Cedar; Configure, Unify, Execute; Conclusion
  • Index

Specification

Basic information

Author
  • Jimmy Ray
Format
  • MOBI
  • EPUB
Number of pages
  • 556
Year of publication
  • 2024