September 27-30, 2021
Seattle, Washington, USA + Virtual
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit + Embedded Linux Conference + OSPOCon 2021 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Monday, September 27 • 3:50pm - 4:40pm
(VIRTUAL) Dynamic Authorization and Policy Control for Your Kubernetes Cluster - Ash Narkar, Styra, Inc

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
When you adopt Kubernetes for production, how do you, a cluster administrator, enforce requirements from security and compliance teams? Like most systems, you put guardrails on the cluster to limit how teams (ab)use the cluster, but with Kubernetes those guardrails look quite different because Kubernetes differentiates runtime-state (what is actually happening) and desired-state (what is supposed to happen). Treating desired-state as separate from runtime enables you to put guardrails on the instructions developers give to Kubernetes and in so doing avoid runtime problems even before they happen. Kubernetes is simply too flexible to hand over to even relatively small teams without basic guardrails like ensuring images are pulled from trusted repositories. We discuss the mechanism the Kubernetes team developed to make it feasible to add desired-state security policies: Admission Control and we will also show how the Open Policy Agent(OPA) provides a declarative approach to Admission Control to enforce custom policies on Kubernetes objects without modifying any Kubernetes components. Finally, we will end with a list of architectural best practices and we hope that our audience will be able to leverage OPA for implementing desired-state security policies for the Kubernetes API.

avatar for Ash Narkar

Ash Narkar

Software Engineer, Styra
Ash Narkar is a maintainer of the Open Policy Agent project. Ash has over 5 years of experience working on large-scale distributed systems. Ash is a Senior Software Engineer at Styra, Inc. working on OPA development and integrations. Previously he was a Principal Engineer at Verizon... Read More →

Monday September 27, 2021 3:50pm - 4:40pm PDT
MeetingPlay Platform + Virtual Learning Lab