Awesome
Pulumi Open Policy Agent (OPA) Bridge for CrossGuard
This project allows Open Policy Agent (OPA) rules to be run in the context of Pulumi's policy system, CrossGuard.
How it works
Pulumi can enforce policies during a deployment. This includes during a "preview" -- before a deployment is attempted -- in addition to afterwards -- when certain other properties are known.
The OPA integration implements the Pulumi plugin interface for policies. Unlike Pulumi's standard approach to
implementing policy rules using an SDK in a general purpose language
this bridge lets you author Pulumi Crossguard policies using OPA and .rego
syntax.
How to use OPA with Pulumi CrossGuard
First, install the OPA policy analyzer plugin.
$ pulumi plugin install analyzer policy-opa v0.0.2
[analyzer plugin policy-opa-0.0.2] installing
Downloading plugin: 6.11 MiB / 6.11 MiB [===========================] 100.00% 0s
Moving plugin... done.
You can now use OPA policy packs. Create a folder that contains two files - a PulumiPolicy.yaml
and one or more .rego
files.
$ cat PulumiPolicy.yaml
description: A minimal Policy Pack for Kubernetes using OPA.
runtime: opa
$ cat labels.rego
package kubernetes
name = input.metadata.name
labels {
input.metadata.labels["app.kubernetes.io/name"]
input.metadata.labels["app.kubernetes.io/instance"]
input.metadata.labels["app.kubernetes.io/version"]
input.metadata.labels["app.kubernetes.io/component"]
input.metadata.labels["app.kubernetes.io/part-of"]
input.metadata.labels["app.kubernetes.io/managed-by"]
}
deny[msg] {
input.kind = "Deployment"
not labels
msg = sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels ", [name])
}
You can now run an update on a Pulumi program locally using pulumi up --policy-pack <path_to_policy_folder>
passing the path to the folder you created in the previous step.
$ pulumi up --policy-pack ../policy-kubernetes
Previewing update (dev):
Type Name Plan Info
+ pulumi:pulumi:Stack simple-kubernetes-dev create 1 error
+ └─ kubernetes:apps:Deployment nginx create
Diagnostics:
pulumi:pulumi:Stack (simple-kubernetes-dev):
error: preview failed
Policy Violations:
[mandatory] kubernetes v0.0.1 deny (nginx: kubernetes:apps/v1:Deployment)
nginx-me0llhgr must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
Note that the policy above was implemented in labels.rego
using the Rego language, but applied to the deployment of a Pulumi program written in TypeScript. Note also that the policy was run before the resource was deployed, and failed the preview stage. This allows OPA policies to be enforced very early in the development and deployment process - close to the developers creating the infrastructure - allowing for a quicker security and policy feedback loop for the cloud engineering team.
This policy pack can also be published to the Pulumi Service so that it will be enforced across your Organization.
$ pulumi policy publish
Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi service
Publishing "kubernetes" to "myorg"
Published as version 1
Permalink: https://app.pulumi.com/myorg/policypacks/kubernetes/1
For more details on working with Policy as Code in Pulumi, see the CrossGuard documentation at https://www.pulumi.com/docs/guides/crossguard/.