Security Policy as Code
Architectural Context
Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.
Standard Reference
- searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm [COMMUNITY-TOOL]
- fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA) [COMMUNITY-TOOL]
- blog.openshift.com: Fine-Grained Policy Enforcement in OpenShift with Open Policy Agent [COMMUNITY-TOOL]
- compile OpenPolicyAgent policies into WebAssembly and run them on the edge ⭐ 345 [COMMUNITY-TOOL]
- Fugue: Container and Kubernetes. Runtime infrastructure security [COMMUNITY-TOOL]
- searchitoperations.techtarget.com: CNCF policy-as-code project bridges Kubernetes security gaps [COMMUNITY-TOOL]
- cloud.redhat.com: Automate Your Security Practices and Policies on OpenShift With Kyverno [COMMUNITY-TOOL]
- youtube: The Rise of Kubernetes Policy Engine | Ep 57 [COMMUNITY-TOOL]
- appsecengineer.com: Kubernetes Policy Management with Kyverno [COMMUNITY-TOOL]
- Apolicy [COMMUNITY-TOOL]
- sysdig.com: Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation [COMMUNITY-TOOL]
- Azure Network Security Perimeter Concepts [COMMUNITY-TOOL]
- MagTape ⭐ 152 [COMMUNITY-TOOL]
- Web-Check [COMMUNITY-TOOL]
- amazon.com: Policy-based countermeasures for Kubernetes – Part 1 [COMMUNITY-TOOL]
- medium: Automate policies enforcement with Policy-as-Code [COMMUNITY-TOOL]
- blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy Agent [COMMUNITY-TOOL]
- OPA Open Policy Agent [COMMUNITY-TOOL]
- magalix.com: Integrating Open Policy Agent (OPA) With Kubernetes [COMMUNITY-TOOL]
- PolicyHub CLI, a CLI tool that makes Rego policies searchable [COMMUNITY-TOOL]
- blog.styra.com: Integrating Identity: OAUTH2 and OPENID CONNECT in Open Policy Agent [COMMUNITY-TOOL]
- blog.styra.com: Rego Unit Testing [COMMUNITY-TOOL]
- github.com/instrumenta/policies: A set of shared policies for use with Conftest and other Open Policy Agent tools ⭐ 66 [COMMUNITY-TOOL]
- blog.styra.com: Dynamic Policy Composition for OPA [COMMUNITY-TOOL]
- blog.styra.com: 5 OPA Deployment Performance Models for Microservices [COMMUNITY-TOOL]
- blog.styra.com: Open Policy Agent: The Top 5 Kubernetes Admission Control Policies [COMMUNITY-TOOL]
- thenewstack.io: Getting Open Policy Agent Up and Running [COMMUNITY-TOOL]
- siegert-maximilian.medium.com: Ensure Content Trust on Kubernetes using Notary and Open Policy Agent [COMMUNITY-TOOL]
- blog.styra.com: Policy-based infrastructure guardrails with Terraform and OPA [COMMUNITY-TOOL]
- medium: Automated Manifest File Validation Using Open Policy Agent and GitHub Actions | Ravindu Sandeepa Rathugama [COMMUNITY-TOOL]
- thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps (Magalix) [COMMUNITY-TOOL]
- dev.to: Load external data into OPA: The Good, The Bad, and The Ugly [COMMUNITY-TOOL]
- inspektor.cloud: Evaluating open policy agent in rust using wasm [COMMUNITY-TOOL]
- medium.com/4th-coffee: What is Policy-as-Code? An Introduction to Open Policy Agent [COMMUNITY-TOOL]
- banzaicloud.com: Istio and Kubernetes ft. OPA policies [COMMUNITY-TOOL]
- medium: Ensure Content Trust on Kubernetes using Notary and Open Policy Agent [COMMUNITY-TOOL]
- kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform [COMMUNITY-TOOL]
- k8s-security-policies ⭐ 177 [COMMUNITY-TOOL]
- medium: Deploying Open Policy Agent (OPA) on a GKE cluster – Step by Step [COMMUNITY-TOOL]
- blog.styra.com: Using OPA with GitOps to speed Cloud-Native development [COMMUNITY-TOOL]
- medium.com/gitguardian: What is Policy-as-Code? An Introduction to Open Policy Agent [COMMUNITY-TOOL]
- hashicorp.com: Securing Infrastructure In Application Pipelines [COMMUNITY-TOOL]
- IBM IAM for AI Agents [COMMUNITY-TOOL]
- IBM Vault 2.0 UI Enhancements and Reporting Improvements [COMMUNITY-TOOL]
- Docker Hardened Images for Every Developer [COMMUNITY-TOOL]
- thenewstack.io: Yor Automates Tagging for Infrastructure as Code [COMMUNITY-TOOL]
- yor.io [COMMUNITY-TOOL]
- checkov.io [COMMUNITY-TOOL]
- aws.amazon.com: Policy-based countermeasures for Kubernetes – Part 1 [COMMUNITY-TOOL]
- Selefra: Selefra is an open-source policy-as-code software that provides analytics for multi-cloud and SaaS. ⭐ 545 [COMMUNITY-TOOL]
- venturebeat.com: How Nirmata plans to “conquer Kubernetes complexity” with open source Kyverno [COMMUNITY-TOOL]
- neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno [COMMUNITY-TOOL]
- dev.to: Using Kyverno To Enforce EKS Best Practices [COMMUNITY-TOOL]
- kyverno.io: Mutating Resources [COMMUNITY-TOOL]
- squadcast.com: Kyverno - Policy Management in Kubernetes [COMMUNITY-TOOL]
- neonmirrors.net: Exploring Kyverno: Part 3, Generation [COMMUNITY-TOOL]
- kyverno.io: Check deprecated APIs [COMMUNITY-TOOL]
- kyverno.io: Generating resources into existing namespaces [COMMUNITY-TOOL]
- kyverno.io: Add Pod Proxies [COMMUNITY-TOOL]
- kyverno.io: Auto-Gen Rules for Pod Controllers [COMMUNITY-TOOL]
- kyverno.io: Require PodDisruptionBudget [COMMUNITY-TOOL]
- nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno [COMMUNITY-TOOL]
- neonmirrors.net: Exploring Kyverno: Introduction [COMMUNITY-TOOL]
- nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient! [COMMUNITY-TOOL]
- Policy Reporter ⭐ 368 [COMMUNITY-TOOL]
- sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From Themselves by Ritesh Patel [COMMUNITY-TOOL]
- movi.hashnode.dev: Simplify Kubernetes Cluster Management with Kyverno [COMMUNITY-TOOL]
- arun-sisodiya.medium.com: Kyverno – A Kubernetes native policy manager (Policy as Code) [COMMUNITY-TOOL]
- dev.to: Default Kyverno Policies for OpenEBS [COMMUNITY-TOOL]
- kyverno.io: Restrict Image Registries [COMMUNITY-TOOL]
- dev.to: Using Kyverno Policies for Kubernetes Governance [COMMUNITY-TOOL]
- kyverno.io: Implementing your best practices is simple with kyverno [COMMUNITY-TOOL]
- medium.com/compass-true-north: Governing Multi-Tenant Kubernetes Clusters with Kyverno [COMMUNITY-TOOL]
- medium.com/@haseebshaukat2: Kyverno – Policy Engine for Kubernetes | Muhammad Haseeb Shaukat [COMMUNITY-TOOL]
- blog.sigstore.dev: How to verify container images with Kyverno using KMS, Cosign, and Workload Identity [COMMUNITY-TOOL]
- medium.com/@glen.yu: Why I prefer Kyverno over Gatekeeper for native Kubernetes policy management [COMMUNITY-TOOL]
- Cloud Custodian ⭐ 5988 [ENTERPRISE-STABLE]
Cloud Infrastructure
Kubernetes
Policy-as-Code
- Kyverno [DE FACTO STANDARD] – A CNCF graduated Kubernetes-native policy engine.
  - Allows policy definition as standard Kubernetes resources (YAML).
  - Eliminates the need for complex DSLs like Rego.
  - Simplifies admission control, generation, mutation, and validation of workloads.
- kyverno.io: 56 sample policies [DOCUMENTATION] [ENTERPRISE-STABLE] – A rich library of ready-to-use Kyverno policy definitions. These templates address common cloud security standards (Pod Security Standards, multi-tenancy constraints, best practices, and resource optimization parameters) for instant cluster hardening.
Cloud Native Security
Policy Enforcement
Open Policy Agent
- (2021) infracloud.io: Kubernetes Pod Security Policies with Open Policy Agent [EN CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] – Addresses the transition from obsolete Kubernetes Pod Security Policies (PSPs) to Open Policy Agent (OPA) Gatekeeper. Explores how to leverage declarative constraints using the Rego engine to strictly manage admission control actions.
Identity and Access Management
Cloud IAM
Microsoft Entra
- Configure Microsoft Entra for Increased Security [DOCUMENTATION] [ENTERPRISE-STABLE] – Official documentation outlining hardening parameters for Microsoft Entra ID. Features prescriptive blueprints for setting up conditional access, continuous access evaluation, Multi-Factor Authentication (MFA), and role-based identity management.
Platform Engineering
Site Reliability Engineering
Foundations
- (2024) itprotoday.com: Why Site Reliability Engineering Is Key to Modern DevOps [COMMUNITY-TOOL] – An executive analysis examining why SRE architecture is a vital component of any modern, high-density DevOps delivery system trying to limit service downtime.
Public Cloud Platforms
AWS
EKS Security and Isolation
Policy Management
- aws.amazon.com: Easy as one-two-three policy management with Kyverno on Amazon EKS [ENTERPRISE-STABLE] [GUIDE] – Walkthrough detailing how to manage native policy rules on EKS clusters using Kyverno instead of raw Rego. Illustrates automated resource validation, generation, and mutation patterns to enforce corporate configuration compliance.
Security
DevSecOps
SAST
- GitHub Code Security Risk Assessment: Free Vulnerability Scanning [EN CONTENT] [COMMUNITY-TOOL] – An introduction to GitHub's native, free vulnerability scanning tools designed to locate security regressions, secrets, and supply chain threats directly within the code repository. It highlights automated security alerts and quick enablement configurations.