12:00 - 12:45


stanislav kolenkin
Senior Software Engineer (DevOps)
SoftServe/Critical Services


16+ years of professional experience in the Information Technologies (IT) industry.

I have received much experience in quick problem solving and not standard issues ( last 4 year in DevOps/Deployment engineer). I have done many Kubernetes projects with different plugins on OpenStack, AWS, GCP, and Bare-Metal. Last 4 years I am working with Docker, Kubernetes, Calico, etc.

Speech: Microservice Security: Open Policy Agent (OPA)

OPA is a general-purpose policy engine that makes policy a first-class citizen within the cloud-native ecosystem, putting it on par with servers, networks, and storage. Its uses range from authorization and admission control to data filtering. The community uses OPA for Kubernetes admission control across all major cloud providers, as well as on on-premises deployments, along with HTTP API authorization, remote access policy, and data filtering. Since OPA’s RESTful APIs use JSON over HTTP, OPA can be integrated with any programming language, making it extremely flexible across services.

In a best-practice Kubernetes cluster every request to the Kubernetes APIServer is authenticated and authorized. Authorization is usually implemented by the RBAC authorization module.

Most requirements regarding Authorization can be implemented by simply using the RBAC authorization module via Roles and RoleBindings, which are explained in Using RBAC Authorization. But RBAC is by design limited to whitelisting, i.e. for every requests it’s checked if one of the Roles and RoleBindings apply and in that case the request is approved. Requests are only denied if there is no match, there is no way to deny requests explicitly. At first this doesn’t sound like a big limitation, but some specific use cases require more flexibility.

Also Open Policy Agent makes it also very easy to write unit tests for all our policies.