OSCAL 2022 (Open Source Conference Albania)

Securing Kubernetes with Open Policy Agent
2022-06-19, 16:00–16:25, Main room

Kubernetes RBAC is limited because it only goes as far as whether a user can or cannot create new Kubernetes resources. Admission controllers solve this problem. They are a generic built-in security mechanism that allows you to write custom logic that determines whether or not a given resource can be created in the cluster. Open Policy Agent (OPA) implements this mechanism and allows you to write policies and rules on whether or not a given resource can be created in the Kubernetes cluster.


Kubernetes RBAC goes as far as whether a user can or cannot create new Kubernetes resources. However, it does not provide any capability for more granular control over which resources can be created and which properties they may have. Admission controllers fix that problem. They allow the user to define custom logic that inspects the resource being created or edited and, based on its fields, allows or denies the request.

Open Policy Agent (OPA) is an implementation of an admission controller that allows you to define policies in the Rego language. These policies are enforced on requests to the Kubernetes API server and live in the cluster as first-class citizens.

This presentation will go over what admission controllers are, how they work and how OPA leverages this functionality to protect your Kubernetes cluster. We will also dive into Rego and writing our custom OPA policies.
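As an added illustration of the kind of policy the talk describes (this is example code written for this page, not material from the talk or from the OPA project), the following Rego policy rejects Pods that run privileged containers or pull images from outside an approved registry. It assumes OPA is deployed as a validating admission webhook that receives the Kubernetes AdmissionReview object as `input` (the `kubernetes.admission` package name and the `registry.example.com` registry are assumptions chosen for this example); the `privileged_pod` document at the end is a constructed sample request used only by the unit tests.

```rego
# Example policy, not from the original page. Assumes OPA receives the
# AdmissionReview as `input`, as the kube-mgmt style webhook integration does.
package kubernetes.admission

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumed trusted registry; a real deployment would supply its own prefix.
allowed_registry := "registry.example.com/"

# Only Pod create/update requests are examined; everything else passes through.
is_pod if {
    input.request.kind.kind == "Pod"
}

# Rule 1: no container may set securityContext.privileged: true.
deny contains msg if {
    is_pod
    some container in input.request.object.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [container.name])
}

# Rule 2: every image must come from the approved registry.
deny contains msg if {
    is_pod
    some container in input.request.object.spec.containers
    not startswith(container.image, allowed_registry)
    msg := sprintf("container %q uses image %q from an unapproved registry", [container.name, container.image])
}

# Constructed sample AdmissionReview fragment (not a real request) for testing.
privileged_pod := {
    "request": {
        "kind": {"kind": "Pod"},
        "object": {
            "spec": {
                "containers": [
                    {
                        "name": "web",
                        "image": "docker.io/library/nginx:latest",
                        "securityContext": {"privileged": true},
                    },
                ],
            },
        },
    },
}

# Unit tests: run with `opa test .` in the directory holding this file.
test_privileged_pod_denied if {
    count(deny) == 2 with input as privileged_pod
}

test_compliant_pod_allowed if {
    compliant := json.patch(privileged_pod, [
        {"op": "replace", "path": "/request/object/spec/containers/0/image", "value": "registry.example.com/web:1.0"},
        {"op": "replace", "path": "/request/object/spec/containers/0/securityContext/privileged", "value": false},
    ])
    count(deny) == 0 with input as compliant
}

test_non_pod_ignored if {
    count(deny) == 0 with input as {"request": {"kind": {"kind": "ConfigMap"}, "object": {}}}
}
```

With this structure every rule that fires contributes one message to the `deny` set, so the webhook can return all violations to the user at once instead of one per retry; the `is_pod` guard keeps the policy from touching unrelated resource kinds, which is the usual way to keep a cluster-wide admission policy from causing surprises.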

Attendees will get the most value out of this presentation if they already have some experience with Kubernetes.