Securing Kubernetes with Open Policy Agent

The security posture and configuration of our Kubernetes resources are essential if we care about our Kubernetes cluster (and the workloads inside it) being secure.

Kubernetes gives us the building blocks for implementing this security via extensible admission control and the ability to deploy custom checks for our resources.

However, writing everything from scratch is tedious, error-prone, and unnecessary when there are open-source projects that can do the job for us.

Two such projects are Open Policy Agent and Gatekeeper.

Open Policy Agent (OPA) is an open-source policy agent that utilizes the powerful Rego language to implement policies and check our data (resources) against them.

Gatekeeper is an open-source implementation of a validating webhook that uses OPA as a policy agent and CRDs for storing our configuration (policies).

These two combined give us a powerful, flexible, Kubernetes-native way to implement admission control for the resources in our cluster.

This presentation will go over this theory in greater detail, showing how these things fit together and why they are important in the first place. It will also include a practical demonstration of deploying and enforcing a policy.

Attendees will get the most value out of this presentation if they already have some experience with Kubernetes.

Anton Sankov

Senior Software Engineer at Cast AI

Sofia, Bulgaria
