The Open Policy Agent Summit is a half-day event, co-located with KubeCon North America.
We’re bringing together new and current OPA users and contributors to connect and share best practices, key learnings, and new ideas. The founders and maintainers of the project will be on hand to field 1:1 questions and provide live-coding demos—and we’ll feature proven real-world implementations from various OPA adopters.
OPA users presenting best practices, innovations, and experience
Live-coding sessions and Q&A with policy and security experts across fields
Networking with the best community in the CNCF :D
Lunch & Coffee
OPA at Scale: How Pinterest Manages Policy Distribution
At Pinterest we have decided not to use the bundle API of OPA (pull model) and instead adopted a push-based approach. In this talk we will cover how policies are authored, distributed, and utilized at Pinterest (service mesh, Kafka, internal tools). We will also cover lessons learned in the process.
TripAdvisor: Building a Testing Framework for Integrating OPA into K8s
We leveraged OPA’s API and unit test framework to build a system in which you write k8s admission policy alongside some mock changes to the cluster, some of which should be accepted and some of which should not be, and then run code that tells you whether your policy matches your expectation.
Deploying OPA at Atlassian
Atlassian provides a number of cloud products including Jira, Confluence, and BitBucket, which requires building and hosting 1000+ services distributed around the world. As is often the case, authorization was not initially seen as a platform concern. This led many of the services to implement their own authorization mechanisms. The end result was individually secure services, but a difficult environment for security teams to centrally audit and control. To continue to scale the business this had to change.
In this talk the team from Atlassian will walk through their journey with building a global authorization platform with the Open Policy Agent and the help of Fluentd, S3, CDNs, Amazon Kinesis, and many more. Attendees can expect to take away battle-tested and scalable strategies for how to architect authorization and management systems around OPA.
High Performance Rego at Scale with Fugue
Fugue provides a large amount of built-in Rego controls for well-known compliance suites such as SOC2 and NIST, but it is possible for customers to provide their own custom rules written in Rego as well. This is exciting because we can offer a standard and open source language to our users rather than a proprietary DSL.
This means that we have a lot of Rego code that we need to write, test and maintain. We give an overview of our experiences using Rego and how we scale it up to handle large workloads. We have also developed and open sourced an alternative Rego REPL called Fregot. We will give a short demo of how we can use this for debugging.
OPA in Practice: Exploring the Full Stack of Turtles
Let’s face it: understanding and using OPA takes work. This talk helps make it real starting at the top with Chef Automate, the web-based entry to all things Chef. This includes not just authorization but also pre-authorization, a concept that streamlines both our code and our UX.
Policy Enabled Kubernetes and CICD
Compliance, Governance, and Security are nonfunctional requirements that every system needs to satisfy. Kubernetes clusters are no different. Come see how you can satisfy these requirements effectively with OPA. With OPA we can build preventative controls to stop unwanted changes in our clusters. We can also shift the controls left, into our CICD automation, evaluating changes before they are pushed.
Additional end-user sessions TBA
Wrap-up and prep for evening reception
Nearby evening reception for drinks and games
Tim Hinrichs is a co-founder of the Open Policy Agent project and CTO of Styra. Before that he co-founded the OpenStack Congress project and was a software engineer at VMware. Tim spent the last 18 years developing declarative languages for different domains such as cloud-computing, software-defined networking, configuration management, web security, and access-control. He received his PhD in Computer Science from Stanford University in 2008.
Torin Sandall is the co-founder and technical lead of the Open Policy Agent project. Torin has spent over 10 years working as a software engineer on large-scale distributed systems projects.
Previously, Torin was a senior engineer at Cyan, Inc. where he designed and developed core components of their NFV platform. Torin has spoken on policy-related topics at conferences such as KubeCon, LinuxCon, Velocity, and more.
Chris Stivers is an architect for the Cloud Platform team at Atlassian. Chris has twenty-three years of experience developing large-scale and high-performance systems and infrastructure. Currently, he works on security-related projects that enable Atlassian to build scalable, secure cloud platforms and solutions for their family of products.
I’ve been in the operations group at TripAdvisor as a software engineer for the past six years. I really like math and live in Cambridge, MA with my boyfriend and our cat, Chester.
Will is an infrastructure security engineer at Pinterest. He works heavily on distributing service mesh frameworks across Pinterest for standardized authentication and authorization controls. Will attended the University of Maryland and likes to play basketball, fly fish, and travel in his free time.
Jeremy is an infrastructure security engineer for Pinterest. At Pinterest, Jeremy works on problems like service authentication, authorization policy management, Kubernetes, Docker, and CI/CD. Before Pinterest Jeremy attended the University of Maryland where he studied Computer Science and security as a part of the cybersecurity honors program ACES.
Michael Sorens is passionate about productivity, process, and quality. Besides working at a variety of companies from Fortune 500 firms to Silicon Valley startups, he enjoys spreading the seeds of good design wherever possible, having written over 100 articles, more than a dozen wallcharts, created several open source projects, and posted in excess of 200 answers on StackOverflow. More highlights on the full brand page.
Josh is the co-founder and CTO of Fugue, and has been a programmer, software architect and CTO since vim was vi (but uses Emacs). Josh has numerous patents in cloud security, programming language application to cloud, automated visualization, and network security. Fugue applies all of these areas of research to cloud security as a SaaS product. Prior to Fugue, Josh was a Principal Solution Architect at AWS, and his career has spanned startup, tech, and National Security projects from developer to CTO roles. Josh loves Unix, Lisp, and extended trips into the back country with his Great Dane, Sherlock. When AFK, he can often be found in the kitchen listening to Wendy Carlos while cooking vegetables from his garden, or recording unusual music on strange instruments.
All my career I have worked in software, as a programmer and technology leader, on a variety of platforms, with a variety of languages and frameworks. All along, I have been sharing my knowledge and experiences in articles, and conferences in the US and Europe; I have even taught technology and business topics as an adjunct professor and consultant.