EVAPorating Kubernetes Security Risk: Adopting Validating Admission Policy at Scale - Kaitlyn Lee & Jordan Conard, Datadog
Abstract
Is the cost and operational toil of security policy enforcement raining on your parade? Learn how Datadog is simplifying its internal security policies across its dozens of clusters using Validating Admission Policy. We’ll cover our motivations for adopting VAP, detailing its features and contrasts with webhook-based admission controllers, like OPA Gatekeeper. We will dive into the design of our policy that restricts the use of additional capabilities on containers, sharing tips on Common Expression Language, the use of multiple types of VAP parameters, and how we provide helpful validation error messages to our engineers. Lastly, we will outline our migration from OPA and how we ensure the health and reliability of our API servers by monitoring metrics and validation cost budgets. Discover VAP’s features, scalable policy design, and our migration insights to help enhance your security posture, streamline policy enforcement, and safeguard your environments against abuse and bypass.
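As an added illustration of the kind of policy the abstract describes (this is not Datadog's policy or code), the following ValidatingAdmissionPolicy denies Pods whose containers add Linux capabilities outside an allow list supplied as a ConfigMap parameter, and uses `messageExpression` to name the offending containers. It assumes Kubernetes 1.30 or later (the `admissionregistration.k8s.io/v1` API); all resource names and the `allowedCapabilities` key are hypothetical.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-added-capabilities        # hypothetical name
spec:
  failurePolicy: Fail                       # a CEL error or missing param denies, never silently allows
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Allow list comes from the bound ConfigMap as a comma-separated string.
    - name: allowed
      expression: "params.data['allowedCapabilities'].split(',')"
    # Containers that add at least one capability not in the allow list.
    - name: offenders
      expression: >-
        object.spec.containers.filter(c,
          has(c.securityContext) && has(c.securityContext.capabilities) &&
          has(c.securityContext.capabilities.add) &&
          !c.securityContext.capabilities.add.all(cap, cap in variables.allowed))
  validations:
    - expression: "size(variables.offenders) == 0"
      messageExpression: >-
        "containers " + variables.offenders.map(c, c.name).join(", ") +
        " add capabilities outside the allow list: " + params.data['allowedCapabilities']
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: allowed-capabilities                # hypothetical name
  namespace: default
data:
  allowedCapabilities: "NET_BIND_SERVICE,CHOWN"   # constructed sample allow list
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-added-capabilities-binding
spec:
  policyName: restrict-added-capabilities
  validationActions: [Deny, Audit]          # start with [Warn, Audit] while migrating, then switch to Deny
  paramRef:
    name: allowed-capabilities
    namespace: default
    parameterNotFoundAction: Deny           # a deleted ConfigMap must not open a bypass
```

A Pod whose container sets `capabilities.add: ["SYS_ADMIN"]` is rejected with a message such as `containers app add capabilities outside the allow list: NET_BIND_SERVICE,CHOWN`; `initContainers` and `ephemeralContainers` need the same filter added to the `offenders` variable to be covered.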