Policy as Code - Helion
ISBN: 9781098139148
Pages: 556, Format: ebook
Publication date: 2024-07-02
Bookstore: Helion
Book price: 29.90 zł (previously: 299.00 zł)
You save: 90% (-269.10 zł)
In today's cloud native world, where we automate as much as possible, everything is code. With this practical guide, you'll learn how Policy as Code (PaC) provides the means to manage the policies, related data, and responses to events that occur within the systems we maintain—Kubernetes, cloud security, software supply chain security, infrastructure as code, and microservices authorization, among others.
Author Jimmy Ray provides a practical approach to integrating PaC solutions into your systems, with plenty of real-world examples and important hands-on guidance. DevOps and DevSecOps engineers, Kubernetes developers, and cloud engineers will understand how to choose and then implement the most appropriate solutions.
- Understand PaC theory, best practices, and use cases for security
- Learn how to choose and use the correct PaC solution for your needs
- Explore PaC tooling and deployment options for writing and managing PaC policies
- Apply PaC to DevOps, IaC, Kubernetes, and AuthN/AuthZ
- Examine how you can use PaC to implement security controls
- Verify that your PaC solution is providing the desired result
- Create auditable artifacts to satisfy internal and external regulatory requirements
Table of contents
Policy as Code: Improving Cloud Native Security eBook -- table of contents
- Preface
- I Needed Policy as Code
- Who Should Read This Book
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Policy as Code: A Gentle Introduction
- What Is Policy?
- What Is Policy as Code?
- What Is a Policy?
- PaC Policy Characteristics
- The Role of JSON and YAML
- Guardrails: Preventing the Unwanted
- Plans: Reacting to the Unplanned
- Adopting Open Source Software
- Disadvantages of OSS
- The Care and Feeding of OSS
- Standards and Controls
- Policy as Code for Everything as Code
- Policy Engines and Languages
- Choosing the Right PaC Solution
- Example PaC Selection Factors
- PaC Selection Scorecard
- The Cloud Native Computing Foundation
- Summary
- 2. Open Policy Agent
- Hello World
- OPA Installation and Modes
- OPA Command-Line Interface
- OPA Read-Eval-Print Loop
- OPA Server
- Bundles
- Querying the server
- OPA REST API
- Ad hoc queries
- OPA eval
- OPA exec
- Rego Policy Language
- OPA Document Model
- Rego Syntax and Logic
- Rules
- Functions
- Functions are rules
- Built-in functions
- Objects, collections, and comprehensions
- Unification versus assignment and comparison
- Writing and Testing Rego
- The Rego Playground
- Advanced Bundling Topics
- Bundle Signing
- Bundles for Extension: WebAssembly
- Extending and Integrating with OPA
- Summary
- 3. Policy as Code and Access Control
- Privileged Access Management
- OPA Bearer Token AuthN and AuthZ
- Role-Based Access Control
- OPA and RBAC
- Attribute-Based Access Control
- OPA and ABAC
- Administering Policies and Data
- Bundle Server
- Styra DAS and Policy-Based Access Management
- Styra Run
- Open Policy Administration Layer
- Using OCI Images with OPA and Open Policy Containers
- Summary
- 4. Policy as Code and Kubernetes
- CNCF and Policy Management
- Implementing Security Controls and Controlling Behaviors
- API Server Requests
- Admission Controllers
- Dynamic Admission Controllers
- API server request payload
- Admission response
- Configuring dynamic admission controllers
- Mutating webhook configuration
- Validating webhook configuration
- Data beyond AdmissionReview
- Mutating Resources
- Validating Resources
- API Server Request Latency and Webhook Order
- Auditing and Background Scanning Existing Resources
- Generating Resources and Policies
- Kubernetes Native Policy Features
- Pod Security
- Pod Security Admission
- Validating Admission Policy
- AuthZ Webhook Mode
- AuthZ Decisions
- AuthZ Webhook and PaC
- Example Policy
- Policy Reporting
- Summary
- 5. Open Policy Agent and Kubernetes
- OPA Installation
- Validating Admission Webhook
- Automated install and uninstall
- Uninstalling OPA
- Kubernetes Management Sidecar
- Kubernetes Policy Management
- Kubernetes Data Management
- Data from Configmaps
- OPA AuthZ and kube-mgmt
- Kubernetes Policies
- Validation Policies
- OPA Policy Entry Point
- Custom Helper Libraries
- Mutating Configuration and Policies
- Centralized OPA Management with Styra DAS
- Policy Management
- Uninstalling Styra DAS
- Summary
- 6. MagTape and Kubernetes
- Installing and Uninstalling MagTape
- MagTape init
- Proxying OPA with MagTape
- Controlling Deny Volumes
- The Deny Volume Knob
- Slack Notifications
- Summary
- 7. OPA/Gatekeeper and Kubernetes
- Installation
- Ignoring Namespaces
- Config: Alpha Feature
- Uninstalling Gatekeeper
- Policies
- OPA Constraint Framework
- Validation Policies
- Enforcement Actions
- Mutation Policies
- Use Case: Multitenancy Isolation
- Audit Mode
- External Data Providers
- Policy Expansion
- Policy Testing
- Summary
- 8. Kyverno and Kubernetes
- Installation
- Ignoring Namespaces
- Dynamic Webhook Configurations
- Uninstalling Kyverno
- Policies
- Policy Lexicon
- Policy Composition
- Policy Types
- Mutate policies
- Validate policies
- Policy Auto-Gen
- Time-bound policies
- Common expression language policies
- VerifyImages policies
- Generate policies
- CleanUp policies
- Policy exceptions
- Policy Reporting
- Background Scans
- Policy Testing
- Summary
- 9. jsPolicy and Kubernetes
- Installation
- CRD Webhook Configuration
- Policy Webhook Configurations
- Uninstalling jsPolicy
- Policies
- Inline Policies
- Policy ingestion
- Mutating policies
- Controller policies
- Policy deletion
- Bundled Policies
- Summary
- 10. Cloud Custodian and Kubernetes
- CLI Mode
- Installation
- Cleanup
- Policies
- Policies with Actions
- Discovery with Policies
- Controller Mode
- Installation
- Validating Policies
- Mutating Policies
- c7n-kates
- Summary
- 11. PaC and Infrastructure as Code
- Infrastructure as Code
- Immutability
- Baking Versus Frying
- Imperative and Declarative IaC
- Applying PaC to IaC
- Preventive Controls
- Conftest
- Checkov and cfn-lint
- CFN Hooks
- Using PaC with Hooks
- Validating Terraform
- Terraform and Conftest
- OPA tfplan
- Summary
- 12. PaC and Terraform IaC
- HashiCorp Sentinel
- Terraform Artifacts
- Mocking Data
- Testing
- Terraform cloud and GCP
- Building and executing Sentinel tests
- Running Policies in TFC
- Additional Terraform Validation
- Checkov
- tflint
- Terrascan
- tfsec
- Snyk
- Summary
- 13. PaC and Infrastructure as a Service
- Prowler
- Prowler Checks
- Prowler CLI
- Cloud Custodian
- Installation
- Cleanup
- Cloud Custodian Policies
- Resources
- Filters
- Actions
- Describing policies
- Policy execution
- Pull mode policy execution
- CloudTrail mode policy execution
- Periodic mode policy execution
- FinOps with Custodian
- Summary
- 14. PaC and the Software Supply Chain
- Attacking Normal
- SSC Policy Enforcement Points
- Codebase and Pipeline PEPs
- Revisiting defense in depth with codebase PEPs
- Don't forget your Rego unit tests
- Enabling developers
- PaC and Trivy with Container Images
- Software Bill of Materials
- Evaluating SBOMs with PaC
- Detecting Vulnerabilities in SBOMs with PaC
- SBOM Promises
- SBOM Authenticity and Integrity
- SBOMs and SLSA
- Provenance with in-toto
- Summary
- 15. Retrospectives and Futures
- Characteristics of Successful PaC Adoption
- Momentum
- Domain-Specific Languages
- Usability
- Project Extensibility and Ecosystem Development
- Enterprise Solutions
- PaC Looking Forward
- Embracing Standards with OSCAL
- PaC and Generative AI
- Learning PaC with GenAI
- GenAI and outdated data
- GenAI insights and explanations
- Cedar
- Configure, Unify, Execute
- Conclusion
- Index