![Page 1: A Continuation of Devops Policy as Code - QCon London 2020€¦ · A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove. @garethr Docker. This talk - A little history](https://reader034.vdocuments.us/reader034/viewer/2022042219/5ec55e82419eb03a8221962b/html5/thumbnails/1.jpg)
A Continuation of Devops
Policy as Code
March 2019
Gareth Rushgrove
@garethr
Docker

This talk
What to expect

- A little history: infrastructure, APIs and devops
- Parallels with security: security as policy management
- Security tool examples: how can tools facilitate sharing and collaboration
A little history

“The API is the product”
Todd Sampson, way back in 2008

Infrastructure as code
A banner for lots of tools and approaches
Just sysadmins solving problems

From ad hoc to software

$ sudo apt-get install some-package
$ nano /etc/some-config-file.ini
...
$ nano /etc/some-other-config-file.xml
...
$ sudo service start some-service

class { 'apache':
  default_vhost => false,
}

apache::vhost { 'vhost.example.com':
  port    => '80',
  docroot => '/var/www/vhost',
}
DSLs and the configuration clock
Enter Devops

Still the best distillation of devops

- Culture
- Automation
- Measurements
- Sharing

Co-evolution of tools and practice
Advancement in one begets the other in sociotechnical systems

“Other people’s computers”
Towards well defined APIs

Why all the fuss?

24x faster recovery from failures
3x lower change failure rate
22% less time spent on unplanned work and rework
50% less time remediating security issues
From State of Devops report 2017
What did we learn?

Not everyone needs to be an expert
Content reuse scales
The utility of a marketplace
Version control as change control

Shared tooling emerges

$ puppet-lint /etc/puppet/modules
foo/manifests/bar.pp - ERROR: trailing whitespace found on line 1
apache/manifests/server.pp - WARNING: variable not enclosed in {} on line 56
...

require 'chefspec'

describe 'file::delete' do
  # the let block is cut off on the slide; the platform name is truncated
  let(:chef_run) { ChefSpec::SoloRunner.new(platform: 'ub') }

  it 'deletes a file' do
    expect(chef_run).to delete_file('/tmp/explicit_action')
    expect(chef_run).to_not delete_file('/tmp/not_explici') # path truncated on the slide
  end
end
The importance of community
Parallels with security

Lots of spreadsheets
And lots of manual processes
Silos abound
“Low performers take weeks to conduct security reviews and complete the changes identified.”
From Accelerate State of Devops report

“Probably the security teams would rather the policy docs not be published? Or doesn’t make sense to OSS it”
Vincent Janelle, @randomfrequency
“The only way to really ensure software security is to put automated security controls in the pipelines”
Juanjo Torres, BBVA
From DevSecOps Community Survey 2019

Security automation is not new
Neither was using code to manage servers, or automated deployments, or working across silos
“Elite performers build security in and can conduct security reviews and complete changes in days.”
From Accelerate State of Devops report

Security as policy management
Part of security is the definition and implementation of controls

How do we get to policy as code?
By which we mean controls which are machine readable and machine enforceable
Security tooling examples
ModSecurity: Web Application Firewall

Write application firewall rules in code

# User login password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:9002100,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
OWASP Core Rule Set
Some ecosystem tooling

Some observations about ModSecurity
But...

- ✘ A somewhat terse DSL
- ✘ Terse may be an understatement
- ✔ Some shared content, but no community sharing
- ✘ Tied to Apache, and more recently Nginx
- ✘ Rule based vs heuristic based
Inspec: compliance as code

Helpers for writing controls with rspec

control 'cis-ubuntu-lts-5.4.4' do
  impact 0.7
  title 'Ensure default user umask is 027 or more restrictive'
  desc 'The default umask determines the permissions of files created by users.'

  describe file('/etc/bash.bashrc') do
    its('content') { should match /^umask 027/ }
  end

  describe file('/etc/profile') do
    its('content') { should match /^umask 027/ }
  end
end

Extended for other types of policy

describe aws_eks_cluster('my-eks') do
  it { is_expected.to exist }
  expect(subject.status).to eq 'ACTIVE'
  expect(subject.subnet_counts).to be > 1
end

describe aws_s3_bucket('test_bucket') do
  it { is_expected.to exist }
  it { is_expected.not_to be_public }
end

A supermarket of shared profiles

$ inspec supermarket profiles

──────────────────────────── Available profiles: ────────────────────────────

 • Ansible Fashion Police brucellino/ansible-fashion-police
 • apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
 • Apache DISA STIG som3guy/apache-disa-stig
 • Black Panther brucellino/black-panther
 • chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
 • chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
 • chef-client-hardening sliim/chef-client-hardening
 • CIS Distribution Independent Linux Benchmark dev-sec/cis-linux-benchmark
 • CIS Docker Benchmark dev-sec/cis-docker-benchmark
 • CIS Kubernetes Benchmark dev-sec/cis-kubernetes-benchmark
 • CVE-2016-5195 ndobson/cve-2016-5195
 • DevSec Apache Baseline dev-sec/apache-baseline
 • DevSec Linux Baseline dev-sec/linux-baseline
 • DevSec Linux Patch Baseline dev-sec/linux-patch-baseline
A community building content

Easy to use without expertise

$ inspec supermarket exec dev-sec/linux-baseline
...
  ×  Kernel Parameter kernel.core_pattern value should match /^\/.*/
     expected "|/usr/share/apport/apport %p %s %c %d %P" to match /^\/.*/
     Diff:
     @@ -1,2 +1,2 @@
     -/^\/.*/
     +"|/usr/share/apport/apport %p %s %c %d %P"
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value should eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX

Profile Summary: 25 successful controls, 28 control failures, 1 control skipped
Test Summary: 67 successful, 42 failures, 2 skipped

Some observations about Inspec
But...

- ✘ Ruby and programming language fashion
- ✔ High-quality shared content
- ✔ Chef supermarket as a central repository
- ✘ No tools for non-programmers
Open Policy Agent
Open Policy Agent allows you to express policies in a high-level declarative language that promotes safe, fine-grained logic.

Prohibit changes to AWS IAM rules

package terraform.analysis

import input as tfplan

default authz = false

authz {
    not touches_iam
}

touches_iam {
    all := instance_names["aws_iam"]
    count(all) > 0
}

# list of all resources of a given type
# (resource_types, the set of type prefixes the policy knows about, is defined
# elsewhere in the full policy; the slide does not show it)
instance_names[resource_type] = all {
    resource_types[resource_type]
    all := [name |
        tfplan[name] = _
        startswith(name, resource_type)
    ]
}
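The slide above leaves out the `resource_types` set and shows no test, so here is a complete version with OPA's own unit tests. This is an added example, not code from the deck or from the OPA project: the `resource_types` set, the two plan fixtures (a flat map of resource address to attributes, the older plan layout the slide's rule walks) and the test names are constructed for this example. It is written in the pre-1.0 Rego syntax the deck uses; run `opa test .` on OPA 0.x, or `opa test --v0-compatible .` on OPA 1.x.

```rego
# policy.rego
package terraform.analysis

import input as tfplan

# Resource type prefixes the policy knows how to list (assumed; the slide omits this set).
resource_types = {"aws_instance", "aws_iam", "aws_security_group"}

# Deny by default: a plan is authorised only when it proves it touches no IAM resource.
default authz = false

authz {
    not touches_iam
}

touches_iam {
    names := instance_names["aws_iam"]
    count(names) > 0
}

# Addresses of all planned resources whose type starts with the given prefix.
instance_names[resource_type] = names {
    resource_types[resource_type]
    names := [name |
        tfplan[name] = _
        startswith(name, resource_type)
    ]
}

# policy_test.rego
package terraform.analysis

# Constructed plan fixtures (not real Terraform output): resource address -> attributes.
plan_without_iam = {
    "aws_instance.web": {"ami": "ami-00000000", "instance_type": "t3.micro"},
    "aws_security_group.web": {"name": "web"},
}

plan_with_iam = {
    "aws_instance.web": {"ami": "ami-00000000", "instance_type": "t3.micro"},
    "aws_iam_role.admin": {"name": "admin"},
}

test_allows_plan_without_iam {
    authz with input as plan_without_iam
}

test_denies_plan_touching_iam {
    not authz with input as plan_with_iam
}

test_lists_only_iam_resources {
    instance_names["aws_iam"] == ["aws_iam_role.admin"] with input as plan_with_iam
}

# "aws_instance" shares a prefix with "aws_iam" only up to "aws_i"; make sure it is not caught.
test_instance_is_not_mistaken_for_iam {
    instance_names["aws_iam"] == [] with input as plan_without_iam
}
```

Because `default authz = false` is the only unconditional rule, any evaluation error or an unexpected plan shape leaves the plan unauthorised, which is the safe direction for a pipeline gate; the last test guards against the prefix match being looser than intended.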

Block images from other registries

package admission

import data.k8s.matches

deny[{
    "id": "container-image-whitelist",      # identifies type of violation
    "resource": {
        "kind": "pods",                     # identifies kind of resource
        "namespace": namespace,             # identifies namespace of resource
        "name": name                        # identifies name of resource
    },
    "resolution": {"message": msg},         # provides human-readable message to display
}] {
    matches[["pods", namespace, name, matched_pod]]
    container = matched_pod.spec.containers[_]
    not re_match("^registry.acmecorp.com/.+$", container.image)
    msg := sprintf("invalid container registry image %q", [container.image])
}

Test Kubernetes Helm charts

deny[msg] {
    input.kind = "Deployment"
    not input.spec.template.spec.securityContext.runAsNonRoot = true
    msg = "Containers must not run as root"
}

$ helm opa CHART
Processing file deployment.yaml
Violations:
- Containers must not run as root
Processing file ingress.yaml
Processing file service.yaml
===
Result: Chart is not compliant
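The Helm rule above looks only at the pod-level `securityContext`, so a chart that sets `runAsNonRoot: true` on the pod but `false` on one container would pass, and a bare Pod would never be checked. As an added example (not from the deck, the OPA project or helm-opa), the policy below generalises the slide's rule: it treats a container-level `runAsNonRoot` as overriding the pod-level value, handles both bare Pods and the pod templates of Deployments and similar kinds, and folds in the registry allowlist from the admission slide, with OPA unit tests alongside. The registry prefix, the Deployment fixture, the container names and the image tags are constructed for the example; same pre-1.0 syntax and `opa test` invocation as above.

```rego
# admission.rego
package kubernetes.admission

# Only images from this registry are allowed (constructed value for the example).
allowed_registry := "registry.acmecorp.com/"

# The pod spec to inspect: the object itself for a Pod, the template for workload kinds.
pod_spec = spec {
    input.kind == "Pod"
    spec := input.spec
}

pod_spec = spec {
    input.kind != "Pod"
    spec := input.spec.template.spec
}

# Every container in that pod spec (undefined for kinds without one, e.g. Service).
containers[c] {
    c := pod_spec.containers[_]
}

# A container-level runAsNonRoot, whether true or false, overrides the pod-level one.
container_sets_run_as_non_root(c) {
    c.securityContext.runAsNonRoot == true
}

container_sets_run_as_non_root(c) {
    c.securityContext.runAsNonRoot == false
}

# The effective runAsNonRoot is true either directly on the container...
runs_as_non_root(c) {
    c.securityContext.runAsNonRoot == true
}

# ...or inherited from the pod when the container does not set it at all.
runs_as_non_root(c) {
    not container_sets_run_as_non_root(c)
    pod_spec.securityContext.runAsNonRoot == true
}

deny[msg] {
    c := containers[_]
    not runs_as_non_root(c)
    msg := sprintf("container %q must set runAsNonRoot: true (directly or via the pod securityContext)", [c.name])
}

deny[msg] {
    c := containers[_]
    not startswith(c.image, allowed_registry)
    msg := sprintf("container %q uses image %q from a disallowed registry", [c.name, c.image])
}

# admission_test.rego
package kubernetes.admission

# Constructed Deployment: pod-level runAsNonRoot is true, "app" overrides it to false,
# and "sidecar" inherits the pod-level value but pulls from Docker Hub.
deployment := {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": true},
        "containers": [
            {"name": "app", "image": "registry.acmecorp.com/app:1.2", "securityContext": {"runAsNonRoot": false}},
            {"name": "sidecar", "image": "nginx:1.17"},
        ],
    }}},
}

compliant_pod := {
    "kind": "Pod",
    "spec": {"containers": [
        {"name": "app", "image": "registry.acmecorp.com/app:1.2", "securityContext": {"runAsNonRoot": true}},
    ]},
}

test_deployment_reports_exactly_the_two_real_violations {
    msgs := deny with input as deployment
    count(msgs) == 2
    msgs[`container "app" must set runAsNonRoot: true (directly or via the pod securityContext)`]
    msgs[`container "sidecar" uses image "nginx:1.17" from a disallowed registry`]
}

test_compliant_pod_has_no_violations {
    count(deny) == 0 with input as compliant_pod
}

test_service_is_ignored {
    count(deny) == 0 with input as {"kind": "Service", "spec": {"ports": []}}
}
```

Note that `nginx:1.17` fails the registry check even though it names no registry at all: an image reference without a host defaults to Docker Hub, so a prefix allowlist catches it without any special case.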

Some observations about Open Policy Agent
But...

- New
- ✔ Built-in tools for testing
- ✔ Widely applicable to different problems
- ✘ Limited examples outside use with Kubernetes
- ✘ No built-in sharing or central repository (yet)
Conclusions
Crossing the chasm

A way to go still

Puppet manifests     1.4 million
Dockerfiles          1.16 million
Compose files        229,000
Helm Charts          36,000
ModSecurity configs  3207
Inspec profiles      1736
.rego files          361

Policy as code is a powerful idea
But we’re not there yet in terms of tools and ecosystems

For tool builders
Build for community
Don’t just write code, think about enabling an ecosystem
Follow Adam and SFOSC

For end users
Build for sharing
Blog posts, examples, tools, talks, everything helps

Put this in your own context
Emphasise sharing, reuse and community when adopting new tools and practices in your own organisation

Thanks
and any questions?