devocean
Using OPA - Implementing ABAC with OPA (Translation)
Because Pod Security Policy (PSP) has been removed from Kubernetes (as of v1.25), a tool that enforces Kubernetes policy has to be brought in from outside the core project.
Pod Security Policy in Kubernetes is a set of mechanisms for validating Pods and their attributes; as the name implies, it operates only on Pods and nothing else. Further, PSP can only block a Pod's creation; it performs no remediation. Contrast that with policy engines such as Gatekeeper and Kyverno, whose capabilities are far broader (applicable to more than just Pods) and deeper (more than simple validation, e.g. mutation). A policy engine for Kubernetes can be thought of as a way to control the Kubernetes environment holistically rather than a single domain.
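The same engine underneath Gatekeeper, OPA, evaluates policies written in Rego, and Rego is a natural fit for attribute-based access control: the decision is computed from attributes of the subject, the resource and the request context rather than from a fixed role list. The policy below is an added example written for this page; it is not code from the original post or from the OPA project. The user and resource attribute tables are constructed inline for illustration (in a real deployment they would be loaded into OPA as `data` from an identity or inventory source), the `input` field names are assumptions, and `import rego.v1` requires OPA 0.59 or newer.

```rego
package abac

import rego.v1

# Deny by default: if no rule body succeeds, allow is false.
default allow := false

# Subject attributes. Constructed for this example; in practice these are
# pushed to OPA as data.users from an IdP/HR feed, not hard-coded.
users := {
	"alice": {"department": "platform", "clearance": 3},
	"bob":   {"department": "finance",  "clearance": 1},
}

# Resource attributes, keyed by resource id. Also constructed.
resources := {
	"cluster-config": {"owner_department": "platform", "sensitivity": 2},
	"payroll-db":     {"owner_department": "finance",  "sensitivity": 3},
}

# Common ABAC predicate: the subject must exist, the resource must exist,
# the subject must belong to the department that owns the resource, and the
# subject's clearance must be at least the resource's sensitivity.
# Looking up a missing key makes the body undefined, so unknown subjects
# or resources never satisfy it.
subject_may_access(subject_id, resource_id) if {
	subject := users[subject_id]
	res := resources[resource_id]
	subject.department == res.owner_department
	subject.clearance >= res.sensitivity
}

# Reads need only the attribute match.
allow if {
	input.action == "read"
	subject_may_access(input.subject, input.resource)
}

# Writes additionally require a contextual attribute: the request must be
# made inside an approved change window (assumed to be set by the caller).
allow if {
	input.action == "write"
	subject_may_access(input.subject, input.resource)
	input.context.change_window == true
}

# Human-readable reasons for a denial, in the style Gatekeeper uses for
# violation messages. Each rule contributes one message when it applies.
deny contains msg if {
	not users[input.subject]
	msg := sprintf("unknown subject %q", [input.subject])
}

deny contains msg if {
	not resources[input.resource]
	msg := sprintf("unknown resource %q", [input.resource])
}

deny contains msg if {
	users[input.subject].department != resources[input.resource].owner_department
	msg := sprintf("%q is not in the department that owns %q", [input.subject, input.resource])
}

deny contains msg if {
	users[input.subject].clearance < resources[input.resource].sensitivity
	msg := sprintf("clearance of %q is below the sensitivity of %q", [input.subject, input.resource])
}

deny contains msg if {
	input.action == "write"
	not input.context.change_window
	msg := "writes are only permitted inside a change window"
}
```

To try it, save the policy as `abac.rego` and evaluate it against a constructed input such as `{"subject": "alice", "action": "write", "resource": "cluster-config", "context": {"change_window": false}}` with `opa eval -i input.json -d abac.rego 'data.abac'`; `allow` comes back `false` and `deny` lists the change-window message, while the same request with `change_window` set to `true` (or with `"action": "read"`) yields `allow: true` and an empty `deny` set. The same structure carries over to a Gatekeeper ConstraintTemplate, where `input.review.object` takes the place of the flat `input` used here.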
https://www.openpolicyagent.org/docs/latest/policy-language/