\u064a\u0635\u0637\u062f\u0645 \u0643\u0644 \u0641\u0631\u064a\u0642 \u0647\u0646\u062f\u0633\u064a \u0641\u064a \u0627\u0644\u0646\u0647\u0627\u064a\u0629 \u0628\u0646\u0641\u0633 \u0627\u0644\u062c\u062f\u0627\u0631: \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0627\u0644\u0639\u064a\u0648\u0646 \u0627\u0644\u0628\u0634\u0631\u064a\u0629 \u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0645\u0648\u0627\u0643\u0628\u0629 \u0633\u0631\u0639\u0629 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062d\u062f\u064a\u062b\u0629. \u0639\u0646\u062f\u0645\u0627 \u062a\u0646\u0634\u0631 \u0627\u0644\u0641\u0631\u0642 \u0639\u0634\u0631\u0627\u062a \u0623\u0648 \u0645\u0626\u0627\u062a \u0627\u0644\u0645\u0631\u0627\u062a \u064a\u0648\u0645\u064a\u0627\u064b\u060c \u0641\u0625\u0646 \u0645\u0637\u0627\u0644\u0628\u0629 \u0645\u0647\u0646\u062f\u0633 \u0623\u0645\u0646 \u0628\u0645\u0631\u0627\u062c\u0639\u0629 \u0643\u0644 \u062e\u0637\u0629 Terraform \u0623\u0648 \u0628\u064a\u0627\u0646 Kubernetes \u0623\u0648 Dockerfile \u064a\u062f\u0648\u064a\u0627\u064b \u062a\u0635\u0628\u062d \u0639\u0646\u0642 \u0632\u062c\u0627\u062c\u0629 \u0625\u0645\u0627 \u064a\u0628\u0637\u0626 \u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0628\u0634\u0643\u0644 \u0643\u0628\u064a\u0631 \u0623\u0648 \u064a\u062a\u0645 \u062a\u062c\u0627\u0648\u0632\u0647 \u0643\u0644\u064a\u0627\u064b.<\/p>\n
\u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0645\u062a\u0648\u0642\u0639\u0629. \u062a\u062a\u0633\u0644\u0644 \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0641\u064a \u0627\u0644\u062a\u0643\u0648\u064a\u0646. \u062a\u0639\u0645\u0644 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a root. \u062a\u0646\u062d\u0631\u0641 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0625\u0644\u0649 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u063a\u064a\u0631 \u0645\u064f\u0631\u0642\u0651\u0639\u0629. \u064a\u064f\u0646\u0634\u0626 Terraform \u062d\u0627\u0648\u064a\u0627\u062a S3 \u0645\u062a\u0627\u062d\u0629 \u0644\u0644\u0639\u0627\u0645\u0629. \u0647\u0630\u0647 \u0644\u064a\u0633\u062a \u062b\u063a\u0631\u0627\u062a \u064a\u0648\u0645 \u0627\u0644\u0635\u0641\u0631 \u0627\u0644\u0646\u0627\u062f\u0631\u0629 \u2014 \u0625\u0646\u0647\u0627 \u0623\u0646\u0645\u0627\u0637 \u0645\u0639\u0631\u0648\u0641\u0629 \u0648\u062e\u0627\u0637\u0626\u0629 \u064a\u0645\u0643\u0646 \u0627\u0643\u062a\u0634\u0627\u0641\u0647\u0627 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0644\u0648 \u0643\u0627\u0646\u062a \u0644\u062f\u064a\u0646\u0627 \u0637\u0631\u064a\u0642\u0629 \u0645\u0646\u0647\u062c\u064a\u0629 \u0644\u0644\u062a\u0639\u0628\u064a\u0631 \u0639\u0646 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0623\u0645\u0627\u0646 \u0648\u0641\u0631\u0636\u0647\u0627.<\/p>\n
\u0647\u0646\u0627 \u064a\u062f\u062e\u0644 Policy as Code<\/strong> \u0625\u0644\u0649 \u0627\u0644\u0635\u0648\u0631\u0629. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062a\u0636\u0645\u064a\u0646 \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0643\u0646\u0635\u0648\u0635 shell \u0647\u0634\u0629 \u0645\u0646\u062a\u0634\u0631\u0629 \u0639\u0628\u0631 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628\u060c \u064a\u0639\u0627\u0645\u0644 Policy as Code \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0623\u0645\u0627\u0646 \u0643\u0639\u0646\u0627\u0635\u0631 \u0645\u0646 \u0627\u0644\u062f\u0631\u062c\u0629 \u0627\u0644\u0623\u0648\u0644\u0649: \u062a\u0635\u0631\u064a\u062d\u064a\u0629\u060c \u062e\u0627\u0636\u0639\u0629 \u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a\u060c \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u060c \u0648\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0637\u0628\u064a\u0642 \u0641\u064a \u0643\u0644 \u0645\u0631\u062d\u0644\u0629 \u0645\u0646 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 CI\/CD.<\/p>\n \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644\u060c \u0633\u0646\u0633\u062a\u0643\u0634\u0641 \u0643\u064a\u0641\u064a\u0629 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Open Policy Agent (OPA)<\/strong> \u0648\u0644\u063a\u0629 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647 Rego<\/strong> \u0644\u0628\u0646\u0627\u0621 \u0628\u0648\u0627\u0628\u0627\u062a \u0623\u0645\u0627\u0646 \u0622\u0644\u064a\u0629 \u0648\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642 \u0641\u064a \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u2014 \u0628\u0648\u0627\u0628\u0627\u062a \u062a\u062a\u0648\u0633\u0639 \u0645\u0639 \u0633\u0631\u0639\u0629 \u0627\u0644\u0646\u0634\u0631 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0623\u0646 \u062a\u0639\u064a\u0642\u0647\u0627.<\/p>\n Policy as Code \u0647\u0648 \u0645\u0646\u0647\u062c\u064a\u0629 \u0644\u062a\u0639\u0631\u064a\u0641 \u0648\u0625\u062f\u0627\u0631\u0629 \u0648\u0641\u0631\u0636 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0643\u0648\u062f \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u064a\u062f\u0648\u064a\u0629 \u0623\u0648 \u0627\u0644\u0646\u0635\u0648\u0635 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0627\u0644\u0645\u062e\u0635\u0635\u0629. \u0641\u064a \u062c\u0648\u0647\u0631\u0647\u060c \u064a\u062a\u0636\u0645\u0646 \u0643\u062a\u0627\u0628\u0629 \u0642\u0648\u0627\u0639\u062f \u062a\u0635\u0631\u064a\u062d\u064a\u0629<\/strong> \u064a\u062a\u0645 \u062a\u0642\u064a\u064a\u0645\u0647\u0627 \u0645\u0642\u0627\u0628\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0645\u064f\u0647\u064a\u0643\u0644\u0629<\/strong> \u0644\u0625\u0646\u062a\u0627\u062c \u0642\u0631\u0627\u0631\u0627\u062a<\/strong> \u2014 \u0633\u0645\u0627\u062d\u060c \u0623\u0648 \u0631\u0641\u0636\u060c \u0623\u0648 \u062a\u062d\u0630\u064a\u0631.<\/p>\n \u062a\u0628\u062f\u0623 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0641\u0631\u0642 \u0628\u0646\u0635\u0648\u0635 shell \u0641\u064a \u0623\u0646\u0627\u0628\u064a\u0628\u0647\u0627 \u2014 \u0623\u0645\u0631 \u064a\u062d\u0644 Policy as Code \u0643\u0644 \u0647\u0630\u0647 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u0645\u0646 \u062e\u0644\u0627\u0644 \u062a\u0648\u0641\u064a\u0631 \u0625\u0637\u0627\u0631 \u0639\u0645\u0644 \u0645\u064f\u0647\u064a\u0643\u0644 \u0648\u062a\u0635\u0631\u064a\u062d\u064a \u0645\u0639 \u0645\u062d\u0631\u0643 \u062a\u0642\u064a\u064a\u0645 \u0645\u062e\u0635\u0635.<\/p>\n Open Policy Agent (OPA)<\/strong> \u0647\u0648 \u0645\u062d\u0631\u0643 \u0633\u064a\u0627\u0633\u0627\u062a \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0639\u0627\u0645 \u0627\u0644\u0623\u063a\u0631\u0627\u0636 \u062a\u062f\u064a\u0631\u0647 \u0645\u0624\u0633\u0633\u0629 Cloud Native Computing Foundation (CNCF). \u064a\u0641\u0635\u0644 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0639\u0646 \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0627\u062c \u0644\u0641\u0631\u0636\u0647\u0627\u060c \u0645\u0645\u0627 \u064a\u0648\u0641\u0631 \u0625\u0637\u0627\u0631\u0627\u064b \u0648\u0627\u062d\u062f\u0627\u064b \u0644\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0639\u0628\u0631 \u0627\u0644\u0645\u0646\u0638\u0648\u0645\u0629 \u2014 \u0645\u0646 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0642\u0628\u0648\u0644 Kubernetes \u0625\u0644\u0649 \u0628\u0648\u0627\u0628\u0627\u062a CI\/CD \u0625\u0644\u0649 \u062a\u0641\u0648\u064a\u0636 API.<\/p>\n \u064a\u062a\u0628\u0639 OPA \u0646\u0645\u0648\u0630\u062c\u0627\u064b \u0628\u0633\u064a\u0637\u0627\u064b: \u0645\u062f\u062e\u0644\u0627\u062a \u2190 \u0633\u064a\u0627\u0633\u0629 \u2190 \u0642\u0631\u0627\u0631<\/strong>.<\/p>\n Rego \u0647\u064a \u0644\u063a\u0629 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u064f\u0635\u0645\u0645\u0629 \u062e\u0635\u064a\u0635\u0627\u064b \u0644\u0640 OPA. \u0625\u0646\u0647\u0627 \u062a\u0635\u0631\u064a\u062d\u064a\u0629\u060c \u0645\u0645\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0643 \u062a\u0635\u0641 \u0627\u0644\u0634\u0631\u0648\u0637 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0643\u062a\u0627\u0628\u0629 \u0645\u0646\u0637\u0642 \u062e\u0637\u0648\u0629 \u0628\u062e\u0637\u0648\u0629. \u062a\u062a\u0636\u0645\u0646 \u0627\u0644\u0644\u0628\u0646\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/p>\n \u0644\u0646\u0628\u062f\u0623 \u0628\u0642\u0627\u0639\u062f\u0629 \u0623\u0645\u0627\u0646 \u0634\u0627\u0626\u0639\u0629: \u0631\u0641\u0636 \u0623\u064a \u0646\u0634\u0631 Kubernetes \u064a\u0633\u062a\u062e\u062f\u0645 \u0648\u0633\u0645 \u0627\u0644\u0635\u0648\u0631\u0629 \u062a\u062a\u0643\u0631\u0631 \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0639\u0644\u0649 \u062c\u0645\u064a\u0639 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0641\u064a \u0645\u0648\u0627\u0635\u0641\u0627\u062a \u0646\u0634\u0631 Kubernetes \u0648\u062a\u064f\u0648\u0644\u0651\u062f \u0631\u0633\u0627\u0644\u0629 \u0631\u0641\u0636 \u0625\u0630\u0627 \u0627\u0633\u062a\u062e\u062f\u0645\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u064a\u0645\u0643\u0646\u0643 \u062a\u0642\u064a\u064a\u0645 \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0645\u062d\u0644\u064a\u0627\u064b \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0648\u0627\u062c\u0647\u0629 \u0633\u0637\u0631 \u0623\u0648\u0627\u0645\u0631 OPA:<\/p>\n \u0633\u062a\u062a\u0636\u0645\u0646 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0631\u0633\u0627\u0644\u0629 \u0627\u0644\u0631\u0641\u0636 \u0644\u062d\u0627\u0648\u064a\u0629 \u0644\u0627 \u064a\u0642\u062a\u0635\u0631 OPA \u0639\u0644\u0649 Kubernetes. \u062a\u0635\u0645\u064a\u0645\u0647 \u0627\u0644\u0645\u0633\u062a\u0642\u0644 \u0639\u0646 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u064a\u062c\u0639\u0644\u0647 \u0645\u0641\u064a\u062f\u0627\u064b \u0623\u064a\u0646\u0645\u0627 \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u062d\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0645\u064f\u0647\u064a\u0643\u0644\u0629 \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0642\u0648\u0627\u0639\u062f. \u0625\u0644\u064a\u0643 \u062d\u0627\u0644\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0623\u0643\u062b\u0631 \u062a\u0623\u062b\u064a\u0631\u0627\u064b \u0641\u064a CI\/CD.<\/p>\n \u0627\u0643\u062a\u0634\u0641 \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0641\u064a \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0642\u0628\u0644 \u0623\u0646 \u062a\u0635\u0644 \u0625\u0644\u0649 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629: \u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0645\u0641\u0642\u0648\u062f\u0629\u060c \u0648\u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0630\u0627\u062a \u0627\u0644\u0627\u0645\u062a\u064a\u0627\u0632\u0627\u062a\u060c \u0648\u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0634\u0628\u0643\u0629 \u0627\u0644\u0645\u0636\u064a\u0641\u060c \u0648\u0633\u064a\u0627\u0642\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0645\u0641\u0642\u0648\u062f\u0629\u060c \u0623\u0648 \u0627\u0644\u062a\u0633\u0645\u064a\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0627\u0641\u0642\u0629.<\/p>\n \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 \u062d\u0648\u0651\u0644 \u062e\u0637\u0629 Terraform \u0625\u0644\u0649 JSON \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u064a\u0645\u0643\u0646\u0643 \u062d\u062a\u0649 \u0641\u0631\u0636 \u0642\u0648\u0627\u0639\u062f \u0639\u0644\u0649 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0646\u0641\u0633\u0647\u0627 \u2014 \u0644\u0636\u0645\u0627\u0646 \u0623\u0646 \u0643\u0644 \u0623\u0646\u0628\u0648\u0628 \u064a\u062a\u0636\u0645\u0646 \u062e\u0637\u0648\u0627\u062a \u0645\u0637\u0644\u0648\u0628\u0629 \u0645\u062b\u0644 \u0641\u062d\u0635 SAST\u060c \u0648\u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0623\u0648 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631:<\/p>\n \u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0639\u0644\u0649 \u0641\u0631\u0648\u0639 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u062a\u0623\u062a\u064a \u0645\u0639 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629 \u0648\u062a\u062c\u062a\u0627\u0632 \u0627\u0644\u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0625\u0644\u0632\u0627\u0645\u064a\u0629 \u0642\u0628\u0644 \u0627\u0644\u062f\u0645\u062c. \u064a\u0645\u0643\u0646 \u0644\u0640 OPA \u062a\u0642\u064a\u064a\u0645 \u062d\u0645\u0648\u0644\u0627\u062a GitHub \u0623\u0648 GitLab webhooks \u0623\u0648 \u0627\u0633\u062a\u062c\u0627\u0628\u0627\u062a API \u0644\u0641\u0631\u0636 \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0631\u0645\u062c\u064a\u0627\u064b.<\/p>\n \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u0645\u0644\u0627\u0621\u0645\u0629 \u0644\u062f\u0645\u062c OPA \u0641\u064a CI\/CD \u0647\u064a \u0645\u0646 \u062e\u0644\u0627\u0644 Conftest<\/strong>\u060c \u0623\u062f\u0627\u0629 \u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u0628\u0646\u064a\u0629 \u0641\u0648\u0642 OPA \u0648\u0645\u064f\u0635\u0645\u0645\u0629 \u062e\u0635\u064a\u0635\u0627\u064b \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0645\u064f\u0647\u064a\u0643\u0644\u0629. \u062a\u0641\u0647\u0645 YAML \u0648 JSON \u0648 HCL \u0648 Dockerfile \u0648\u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u062a\u0646\u0633\u064a\u0642\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649 \u0628\u0634\u0643\u0644 \u0645\u0628\u0627\u0634\u0631.<\/p>\n \u0644\u0645\u0639\u0638\u0645 \u062d\u0627\u0644\u0627\u062a \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0628\u0648\u0627\u0628\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0641\u064a CI\/CD\u060c \u064a\u064f\u0639\u062f Conftest \u0627\u0644\u062e\u064a\u0627\u0631 \u0627\u0644\u0635\u062d\u064a\u062d. \u0641\u0647\u0648 \u064a\u0642\u0644\u0644 \u0645\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u062a\u0643\u0631\u0631 \u0648\u064a\u0646\u062f\u0645\u062c \u0628\u0633\u0644\u0627\u0633\u0629 \u0641\u064a \u062e\u0637\u0648\u0627\u062a \u0627\u0644\u0623\u0646\u0628\u0648\u0628.<\/p>\n \u0643\u062a\u0627\u0628\u0629 \u0633\u064a\u0627\u0633\u0627\u062a Rego \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0635\u064a\u0627\u0646\u0629 \u0648\u0627\u0644\u062a\u0635\u062d\u064a\u062d \u0648\u0645\u0641\u064a\u062f\u0629 \u0639\u0645\u0644\u064a\u0627\u064b \u062a\u062a\u0637\u0644\u0628 \u0627\u062a\u0628\u0627\u0639 \u0623\u0646\u0645\u0627\u0637 \u0648\u0627\u0635\u0637\u0644\u0627\u062d\u0627\u062a \u0631\u0627\u0633\u062e\u0629.<\/p>\n \u0647\u0646\u0627\u0643 \u0646\u0647\u062c\u0627\u0646 \u0623\u0633\u0627\u0633\u064a\u0627\u0646:<\/p>\n \u0644\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0623\u0642\u0635\u0649 \u062f\u0631\u062c\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646\u060c \u062a\u0633\u062a\u062e\u062f\u0645 \u0628\u0639\u0636 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0631\u0641\u0636 \u0627\u0644\u0635\u0627\u0631\u0645 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0627\u064b<\/strong> \u062d\u064a\u062b \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0635\u0631\u0627\u062d\u0629 \u0645\u0639 \u0642\u0627\u0639\u062f\u0629 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062a\u064a \u062a\u0642\u0648\u0644 \"\u062a\u0645 \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0646\u062a\u0647\u0627\u0643\" \u0639\u062f\u064a\u0645\u0629 \u0627\u0644\u0641\u0627\u0626\u062f\u0629 \u062a\u0642\u0631\u064a\u0628\u0627\u064b. \u064a\u062c\u0628 \u0623\u0646 \u062a\u062e\u0628\u0631 \u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643 \u0627\u0644\u062c\u064a\u062f\u0629 \u0627\u0644\u0645\u0647\u0646\u062f\u0633 \u0645\u0627<\/em> \u0627\u0644\u062e\u0637\u0623\u060c \u0648\u0623\u064a\u0646<\/em> \u0641\u064a \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u064a\u062d\u062f\u062b\u060c \u0648\u0645\u0646 \u0627\u0644\u0623\u0641\u0636\u0644 \u0643\u064a\u0641<\/em> \u064a\u062a\u0645 \u0625\u0635\u0644\u0627\u062d\u0647:<\/p>\n \u064a\u062c\u0628 \u0627\u062e\u062a\u0628\u0627\u0631 \u0633\u064a\u0627\u0633\u0627\u062a Rego \u062a\u0645\u0627\u0645\u0627\u064b \u0645\u062b\u0644 \u0643\u0648\u062f \u0627\u0644\u062a\u0637\u0628\u064a\u0642. \u064a\u062a\u0636\u0645\u0646 OPA \u0625\u0637\u0627\u0631 \u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u062f\u0645\u062c:<\/p>\n \u0634\u063a\u0651\u0644 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645:<\/p>\n \u0647\u064a\u0643\u0644 \u0645\u0633\u062a\u0648\u062f\u0639 \u0633\u064a\u0627\u0633\u0627\u062a \u0646\u0638\u064a\u0641 \u064a\u062c\u0639\u0644 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0627\u0643\u062a\u0634\u0627\u0641 \u0648\u0627\u0644\u0635\u064a\u0627\u0646\u0629:<\/p>\n \u0644\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u062a\u064a \u0644\u062f\u064a\u0647\u0627 \u0641\u0631\u0642 \u0639\u062f\u064a\u062f\u0629\u060c \u064a\u064f\u0639\u062f \u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0643\u0640 \u062d\u0632\u0645 OPA<\/strong> \u0627\u0644\u0646\u0647\u062c \u0627\u0644\u0645\u0648\u0635\u0649 \u0628\u0647. \u0627\u0644\u062d\u0632\u0645 \u0647\u064a \u0623\u0631\u0634\u064a\u0641\u0627\u062a \u0645\u064f\u0631\u0642\u0651\u0645\u0629 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0645\u0646 \u0645\u0644\u0641\u0627\u062a Rego \u0648\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u0636\u0627\u0641\u062a\u0647\u0627 \u0639\u0644\u0649 \u0623\u064a \u062e\u0627\u062f\u0645 HTTP\u060c \u0623\u0648 \u0633\u062c\u0644 OCI\u060c \u0623\u0648 \u062a\u062e\u0632\u064a\u0646 \u0633\u062d\u0627\u0628\u064a:<\/p>\n \u064a\u062a\u064a\u062d \u0647\u0630\u0627 \u0627\u0644\u0646\u0647\u062c \u0644\u0641\u0631\u0642 \u0627\u0644\u0623\u0645\u0646 \u0646\u0634\u0631 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0645\u0631\u0643\u0632\u064a\u0627\u064b \u0628\u064a\u0646\u0645\u0627 \u062a\u0633\u062a\u0647\u0644\u0643 \u0641\u0631\u0642 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0645\u062d\u062f\u062f\u0629\u060c \u0648\u064a\u064f\u0645\u0643\u0651\u0646 \u0645\u0646 \u0637\u0631\u062d \u0645\u064f\u062a\u062d\u0643\u0645 \u0641\u064a\u0647 \u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629.<\/p>\n \u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0641\u064a CI\/CD \u0647\u0648 \u062a\u062d\u062f\u064d \u0647\u0646\u062f\u0633\u064a \u0628\u0642\u062f\u0631 \u0645\u0627 \u0647\u0648 \u0623\u0645\u0646\u064a. \u0637\u0631\u062d \u0627\u0644\u0625\u0641\u0634\u0627\u0644 \u0627\u0644\u0635\u0627\u0631\u0645 \u0645\u0646 \u0627\u0644\u064a\u0648\u0645 \u0627\u0644\u0623\u0648\u0644 \u0633\u064a\u062e\u0644\u0642 \u0641\u0648\u0636\u0649. \u0627\u0644\u0646\u0647\u062c \u0627\u0644\u0645\u062f\u0631\u0648\u0633 \u0636\u0631\u0648\u0631\u064a.<\/p>\n \u064a\u062f\u0639\u0645 Conftest \u0646\u0648\u0639\u064a\u0646 \u0645\u0646 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u064a\u062a\u0648\u0627\u0641\u0642\u0627\u0646 \u0628\u0648\u0636\u0648\u062d \u0645\u0639 \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u064a\u064a\u0632:<\/p>\n \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0623\u064a \u0633\u064a\u0627\u0633\u0629 \u062a\u063a\u0637\u064a\u0629 \u0643\u0644 \u062d\u0627\u0644\u0629 \u0634\u0631\u0639\u064a\u0629. \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0622\u0644\u064a\u0629 \u0644\u0644\u0627\u0633\u062a\u062b\u0646\u0627\u0621\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642 \u0648\u0644\u0627 \u062a\u062a\u062c\u0627\u0648\u0632 \u0627\u0644\u0646\u0638\u0627\u0645 \u0643\u0644\u064a\u0627\u064b:<\/p>\n \u0645\u0644\u0641 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u062b\u0646\u0627\u0621\u0627\u062a \u0623\u064a\u0636\u0627\u064b \u062e\u0627\u0636\u0639 \u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0648\u064a\u062a\u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u0629:<\/p>\n \u064a\u062f\u0639\u0645 \u0643\u0644 \u0645\u0646 Conftest \u0648 OPA \u0645\u062e\u0631\u062c\u0627\u062a JSON\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644 \u0645\u0646 \u0627\u0644\u0633\u0647\u0644 \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0625\u0644\u0649 \u0645\u0646\u0635\u0627\u062a \u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629. \u0641\u064a \u0623\u0646\u0628\u0648\u0628\u0643\u060c \u0627\u0644\u062a\u0642\u0637 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0648\u0623\u0631\u0633\u0644\u0647\u0627 \u0625\u0644\u0649 SIEM \u0623\u0648 \u0645\u0646\u0635\u0629 \u0627\u0644\u062a\u0633\u062c\u064a\u0644 \u0623\u0648 \u0644\u0648\u062d\u0629 \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0645\u062e\u0635\u0635\u0629:<\/p>\n \u064a\u064f\u0646\u0634\u0626 \u0647\u0630\u0627 \u0633\u062c\u0644 \u062a\u062f\u0642\u064a\u0642 \u0645\u0633\u062a\u0642\u0644 \u0639\u0646 \u0633\u062c\u0644\u0627\u062a CI\/CD \u2014 \u0636\u0631\u0648\u0631\u064a \u0644\u0644\u0627\u0645\u062a\u062b\u0627\u0644 \u0648\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0627\u062a\u062c\u0627\u0647\u0627\u062a.<\/p>\n \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u0627\u0644\u0637\u0631\u062d \u0627\u0644\u0645\u0648\u0635\u0649 \u0628\u0647\u0627 \u0644\u0623\u064a \u0633\u064a\u0627\u0633\u0629 \u062c\u062f\u064a\u062f\u0629 \u062a\u062a\u0628\u0639 \u0647\u0630\u0627 \u0627\u0644\u062a\u062f\u0631\u062c:<\/p>\n \u064a\u062d\u062a\u0631\u0645 \u0647\u0630\u0627 \u0627\u0644\u0646\u0647\u062c \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0647\u0646\u062f\u0633\u064a \u0645\u0639 \u0631\u0641\u0639 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0623\u0645\u0627\u0646 \u0628\u0634\u0643\u0644 \u0645\u0637\u0631\u062f.<\/p>\n Policy as Code \u0645\u0639 OPA \u0623\u062f\u0627\u0629 \u0642\u0648\u064a\u0629\u060c \u0644\u0643\u0646\u0647\u0627 \u0644\u064a\u0633\u062a \u0628\u062f\u0648\u0646 \u0645\u0642\u0627\u064a\u0636\u0627\u062a. \u0627\u0644\u0635\u062f\u0642 \u0628\u0634\u0623\u0646 \u0627\u0644\u0642\u064a\u0648\u062f \u064a\u0633\u0627\u0639\u062f\u0643 \u0639\u0644\u0649 \u0627\u062a\u062e\u0627\u0630 \u0642\u0631\u0627\u0631\u0627\u062a \u0645\u0633\u062a\u0646\u064a\u0631\u0629.<\/p>\n Rego \u0644\u063a\u0629 \u0645\u064f\u0635\u0645\u0645\u0629 \u0644\u063a\u0631\u0636 \u0645\u062d\u062f\u062f \u0645\u0639 \u0646\u0645\u0648\u0630\u062c \u062a\u0642\u064a\u064a\u0645 \u0641\u0631\u064a\u062f. \u0625\u0646\u0647\u0627 \u0644\u064a\u0633\u062a \u0625\u0644\u0632\u0627\u0645\u064a\u0629 \u2014 \u0644\u0627 \u062a\u0648\u062c\u062f \u062d\u0644\u0642\u0627\u062a \u0623\u0648 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0628\u0627\u0644\u0645\u0639\u0646\u0649 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a. \u0633\u064a\u062d\u062a\u0627\u062c \u0627\u0644\u0645\u0647\u0646\u062f\u0633\u0648\u0646 \u0627\u0644\u0645\u0639\u062a\u0627\u062f\u0648\u0646 \u0639\u0644\u0649 Python \u0623\u0648 Go \u0623\u0648 Bash \u0648\u0642\u062a\u0627\u064b \u0644\u0627\u0633\u062a\u064a\u0639\u0627\u0628 \u0646\u0647\u062c Rego \u0627\u0644\u062a\u0635\u0631\u064a\u062d\u064a \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0627\u062a. \u0627\u0633\u062a\u062b\u0645\u0631 \u0641\u064a \u062a\u062f\u0631\u064a\u0628 \u0627\u0644\u0641\u0631\u064a\u0642\u060c \u0648\u0627\u0644\u0628\u0631\u0645\u062c\u0629 \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0623\u0648\u0644\u064a\u0629\u060c \u0648\u0645\u0643\u062a\u0628\u0629 \u0645\u0646 \u0623\u0645\u062b\u0644\u0629 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u064f\u0639\u0644\u0651\u0642\u0629 \u062c\u064a\u062f\u0627\u064b.<\/p>\n \u064a\u064f\u0642\u064a\u0651\u0645 OPA \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0641\u064a \u0627\u0644\u0630\u0627\u0643\u0631\u0629. \u0644\u0645\u0639\u0638\u0645 \u062d\u0627\u0644\u0627\u062a \u0627\u0633\u062a\u062e\u062f\u0627\u0645 CI\/CD \u2014 \u0628\u064a\u0627\u0646\u0627\u062a Kubernetes\u060c \u062e\u0637\u0637 Terraform\u060c \u0645\u0644\u0641\u0627\u062a Dockerfile \u2014 \u0623\u062d\u062c\u0627\u0645 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0635\u063a\u064a\u0631\u0629 \u0648\u0627\u0644\u062a\u0642\u064a\u064a\u0645 \u0634\u0628\u0647 \u0641\u0648\u0631\u064a. \u0648\u0645\u0639 \u0630\u0644\u0643\u060c \u062e\u0637\u0637 Terraform \u0627\u0644\u0643\u0628\u064a\u0631\u0629 \u062c\u062f\u0627\u064b (\u0622\u0644\u0627\u0641 \u0627\u0644\u0645\u0648\u0627\u0631\u062f) \u0623\u0648 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u0639\u0642\u062f\u0629 \u0630\u0627\u062a \u0627\u0644\u0639\u0648\u062f\u064a\u0629 \u0627\u0644\u0639\u0645\u064a\u0642\u0629 \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0633\u0628\u0628 \u062a\u0623\u062e\u0631\u0627\u064b \u0645\u0644\u062d\u0648\u0638\u0627\u064b. \u0642\u0645 \u0628\u062a\u0646\u0645\u064a\u0637 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 OPA \u0644\u064a\u0633 \u0627\u0644\u062e\u064a\u0627\u0631 \u0627\u0644\u0648\u062d\u064a\u062f. \u0641\u0643\u0631 \u0641\u064a \u0627\u0644\u0628\u062f\u0627\u0626\u0644 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u062a\u0643 \u0627\u0644\u062a\u0642\u0646\u064a\u0629:<\/p>\n \u0642\u0648\u0629 OPA \u0641\u064a \u0639\u0645\u0648\u0645\u064a\u062a\u0647. \u064a\u0639\u0645\u0644 \u0639\u0628\u0631 Kubernetes \u0648 Terraform \u0648 Docker \u0648\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0648\u0623\u064a \u0628\u064a\u0627\u0646\u0627\u062a \u0645\u064f\u0647\u064a\u0643\u0644\u0629 \u0623\u062e\u0631\u0649. \u0625\u0630\u0627 \u0643\u0646\u062a \u0628\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0633\u064a\u0627\u0633\u0629 \u0639\u0628\u0631 \u0645\u062c\u0627\u0644\u0627\u062a \u0645\u062a\u0639\u062f\u062f\u0629\u060c \u064a\u062a\u062c\u0646\u0628 OPA \u062a\u0634\u062a\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a.<\/p>\n \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0639\u0646\u0627\u0635\u0631 \u062d\u064a\u0629. \u062a\u062a\u0637\u0644\u0628 \u0635\u064a\u0627\u0646\u0629 \u0645\u0633\u062a\u0645\u0631\u0629:<\/p>\n \u0639\u0627\u0645\u0644 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0646\u0641\u0633 \u0627\u0644\u0635\u0631\u0627\u0645\u0629 \u0627\u0644\u062a\u064a \u062a\u0639\u0627\u0645\u0644 \u0628\u0647\u0627 \u0643\u0648\u062f \u0627\u0644\u062a\u0637\u0628\u064a\u0642: \u0639\u064a\u0651\u0646 \u0645\u0627\u0644\u0643\u064a\u0646\u060c \u062c\u062f\u0648\u0650\u0644 \u0645\u0631\u0627\u062c\u0639\u0627\u062a\u060c \u062a\u062a\u0628\u0639 \u0627\u0644\u062a\u063a\u0637\u064a\u0629\u060c \u0648\u0623\u0648\u0642\u0641 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0642\u062f\u064a\u0645\u0629.<\/p>\n Policy as Code \u0644\u064a\u0633 \u0634\u064a\u0626\u0627\u064b \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u0627\u064b \u0623\u0648 \u062e\u0627\u0646\u0629 \u0627\u0645\u062a\u062b\u0627\u0644. \u0625\u0646\u0647 \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u2014 \u0628\u0646\u0641\u0633 \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u062a\u064a \u064a\u064f\u0639\u062f \u0628\u0647\u0627 \u0623\u0646\u0628\u0648\u0628 CI\/CD \u0648\u0645\u064f\u0646\u0633\u0651\u0642 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0648\u0627\u062c\u0647\u0627\u062a \u0628\u0631\u0645\u062c\u0629 \u0645\u0632\u0648\u062f \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629 \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629. \u064a\u0633\u062a\u062d\u0642 \u0646\u0641\u0633 \u0627\u0644\u0627\u0646\u0636\u0628\u0627\u0637 \u0627\u0644\u0647\u0646\u062f\u0633\u064a.<\/p>\n \u0627\u0644\u0637\u0631\u064a\u0642 \u0648\u0627\u0636\u062d:<\/p>\n \u0639\u0627\u0645\u0644 \u0633\u064a\u0627\u0633\u0627\u062a\u0643 \u0645\u062b\u0644 \u0627\u0644\u0643\u0648\u062f: \u0627\u062e\u062a\u0628\u0631\u0647\u0627\u060c \u0631\u0627\u062c\u0639\u0647\u0627\u060c \u0631\u0642\u0651\u0645\u0647\u0627\u060c \u0627\u0646\u0634\u0631\u0647\u0627. \u0627\u0644\u0646\u062a\u064a\u062c\u0629 \u0647\u064a \u0648\u0636\u0639 \u0623\u0645\u0646\u064a \u064a\u062a\u0648\u0633\u0639 \u0645\u0639 \u0633\u0631\u0639\u0629 \u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u2014 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0637\u0628\u064a\u0642\u060c \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062f\u0642\u064a\u0642\u060c \u0648\u0645\u0624\u062a\u0645\u062a \u0645\u0646 \u0623\u0648\u0644 \u0627\u0644\u062a\u0632\u0627\u0645 \u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629: \u0644\u0645\u0627\u0630\u0627 \u0644\u0627 \u062a\u062a\u0648\u0633\u0639 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u064a\u062f\u0648\u064a\u0629 \u064a\u0635\u0637\u062f\u0645 \u0643\u0644 \u0641\u0631\u064a\u0642 \u0647\u0646\u062f\u0633\u064a \u0641\u064a \u0627\u0644\u0646\u0647\u0627\u064a\u0629 \u0628\u0646\u0641\u0633 \u0627\u0644\u062c\u062f\u0627\u0631: \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0627\u0644\u0639\u064a\u0648\u0646 \u0627\u0644\u0628\u0634\u0631\u064a\u0629 \u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0645\u0648\u0627\u0643\u0628\u0629 \u0633\u0631\u0639\u0629 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062d\u062f\u064a\u062b\u0629. \u0639\u0646\u062f\u0645\u0627 \u062a\u0646\u0634\u0631 \u0627\u0644\u0641\u0631\u0642 \u0639\u0634\u0631\u0627\u062a \u0623\u0648 \u0645\u0626\u0627\u062a \u0627\u0644\u0645\u0631\u0627\u062a \u064a\u0648\u0645\u064a\u0627\u064b\u060c \u0641\u0625\u0646 \u0645\u0637\u0627\u0644\u0628\u0629 \u0645\u0647\u0646\u062f\u0633 \u0623\u0645\u0646 \u0628\u0645\u0631\u0627\u062c\u0639\u0629 \u0643\u0644 \u062e\u0637\u0629 Terraform \u0623\u0648 \u0628\u064a\u0627\u0646 Kubernetes \u0623\u0648 Dockerfile \u064a\u062f\u0648\u064a\u0627\u064b \u062a\u0635\u0628\u062d \u0639\u0646\u0642 \u0632\u062c\u0627\u062c\u0629 \u0625\u0645\u0627 … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,28],"tags":[],"post_folder":[],"class_list":["post-778","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-pipeline-hardening"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=778"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/778\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=778"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0645\u0627 \u0647\u0648 Policy as Code\u061f<\/h2>\n
\u0627\u0644\u0645\u0641\u0627\u0647\u064a\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h3>\n
\n
\u0643\u064a\u0641 \u064a\u062e\u062a\u0644\u0641 \u0639\u0646 \u0641\u062d\u0648\u0635\u0627\u062a Shell Script<\/h3>\n
grep<\/code> \u0644\u0644\u0628\u062d\u062b \u0639\u0646 “latest” \u0641\u064a Dockerfile\u060c \u0623\u0648 \u0627\u0633\u062a\u0639\u0644\u0627\u0645 jq<\/code> \u0645\u0642\u0627\u0628\u0644 \u062e\u0637\u0629 Terraform. \u062a\u0639\u0645\u0644 \u0647\u0630\u0647 \u0641\u064a \u0627\u0644\u0628\u062f\u0627\u064a\u0629 \u0644\u0643\u0646\u0647\u0627 \u062a\u0646\u0647\u0627\u0631 \u0628\u0633\u0631\u0639\u0629:<\/p>\n\n
\u0623\u0633\u0627\u0633\u064a\u0627\u062a OPA \u0648 Rego<\/h2>\n
\u0643\u064a\u0641 \u064a\u0639\u0645\u0644 OPA<\/h3>\n
\n
\u0623\u0633\u0627\u0633\u064a\u0627\u062a \u0635\u064a\u0627\u063a\u0629 Rego<\/h3>\n
\n
package cicd.docker<\/code>).<\/li>\n\u0645\u062b\u0627\u0644 \u0628\u0633\u064a\u0637: \u0631\u0641\u0636 \u0648\u0633\u0645 “latest”<\/h3>\n
latest<\/code>\u060c \u062d\u064a\u062b \u064a\u062c\u0639\u0644 \u0627\u0644\u0628\u0646\u0627\u0621 \u063a\u064a\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u064a\u064f\u062e\u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0641\u0639\u0644\u064a \u0627\u0644\u0639\u0627\u0645\u0644 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n# policy\/k8s\/deny_latest_tag.rego\npackage k8s.images\n\ndeny[msg] {\n container := input.spec.template.spec.containers[_]\n endswith(container.image, \":latest\")\n msg := sprintf(\"Container '%s' uses the 'latest' tag \u2014 pin to a specific version\", [container.name])\n}\n\ndeny[msg] {\n container := input.spec.template.spec.containers[_]\n not contains(container.image, \":\")\n msg := sprintf(\"Container '%s' has no tag specified (defaults to 'latest') \u2014 pin to a specific version\", [container.name])\n}<\/code><\/pre>\n:latest<\/code> \u0623\u0648 \u0644\u0645 \u064a\u0643\u0646 \u0644\u0647\u0627 \u0648\u0633\u0645 \u0639\u0644\u0649 \u0627\u0644\u0625\u0637\u0644\u0627\u0642.<\/p>\n\u062a\u0634\u063a\u064a\u0644 OPA \u0645\u062d\u0644\u064a\u0627\u064b<\/h3>\n
# Save a sample input\ncat > input.json <<'EOF'\n{\n \"spec\": {\n \"template\": {\n \"spec\": {\n \"containers\": [\n {\"name\": \"app\", \"image\": \"myregistry\/app:latest\"},\n {\"name\": \"sidecar\", \"image\": \"envoyproxy\/envoy:v1.28.0\"}\n ]\n }\n }\n }\n}\nEOF\n\n# Evaluate the policy\nopa eval --input input.json --data policy\/ \"data.k8s.images.deny\"<\/code><\/pre>\napp<\/code> \u0627\u0644\u062a\u064a \u062a\u0633\u062a\u062e\u062f\u0645 :latest<\/code>\u060c \u0628\u064a\u0646\u0645\u0627 \u062a\u0645\u0631 \u062d\u0627\u0648\u064a\u0629 sidecar<\/code> \u0630\u0627\u062a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u064f\u062b\u0628\u0651\u062a \u0628\u0646\u062c\u0627\u062d.<\/p>\n\u062d\u0627\u0644\u0627\u062a \u0627\u0633\u062a\u062e\u062f\u0627\u0645 CI\/CD \u0644\u0640 OPA<\/h2>\n
\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a Kubernetes \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631<\/h3>\n
# policy\/k8s\/deny_privileged.rego\npackage k8s.security\n\ndeny[msg] {\n container := input.spec.template.spec.containers[_]\n container.securityContext.privileged == true\n msg := sprintf(\"Container '%s' must not run in privileged mode\", [container.name])\n}\n\ndeny[msg] {\n not input.spec.template.spec.containers[_].resources.limits\n msg := \"All containers must define resource limits\"\n}<\/code><\/pre>\n\u0641\u0631\u0636 \u0623\u0641\u0636\u0644 \u0645\u0645\u0627\u0631\u0633\u0627\u062a Dockerfile<\/h3>\n
conftest<\/code> \u0645\u0639 \u0645\u064f\u062d\u0644\u0651\u0644 Dockerfile (\u0645\u062b\u0644 \u0645\u062e\u0631\u062c\u0627\u062a JSON \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 hadolint<\/code> \u0623\u0648 dockerfile-json<\/code>)\u060c \u064a\u0645\u0643\u0646\u0643 \u0641\u0631\u0636 \u0642\u0648\u0627\u0639\u062f \u0645\u062b\u0644 \u0639\u062f\u0645 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0643\u0640 root \u0648\u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/p>\n# policy\/docker\/best_practices.rego\npackage docker\n\ndeny[msg] {\n input.stages[_].commands[i].cmd == \"user\"\n input.stages[_].commands[i].value == \"root\"\n msg := \"Dockerfile must not explicitly set USER to root\"\n}\n\ndeny[msg] {\n stage := input.stages[_]\n stage.base_image\n not contains(stage.base_image, \"@sha256:\")\n not regex.match(`:.+$`, stage.base_image)\n msg := sprintf(\"Base image '%s' must be pinned to a tag or digest\", [stage.base_image])\n}<\/code><\/pre>\n\u0641\u062d\u0635 \u062e\u0637\u0637 Terraform \u0628\u062d\u062b\u0627\u064b \u0639\u0646 \u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a \u0623\u0645\u0646\u064a\u0629<\/h3>\n
terraform show -json tfplan<\/code>\u060c \u062b\u0645 \u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0645\u0642\u0627\u0628\u0644 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646:<\/p>\n# policy\/terraform\/aws_security.rego\npackage terraform.aws\n\ndeny[msg] {\n resource := input.resource_changes[_]\n resource.type == \"aws_s3_bucket\"\n resource.change.after.acl == \"public-read\"\n msg := sprintf(\"S3 bucket '%s' must not be publicly readable\", [resource.address])\n}\n\ndeny[msg] {\n resource := input.resource_changes[_]\n resource.type == \"aws_security_group_rule\"\n resource.change.after.cidr_blocks[_] == \"0.0.0.0\/0\"\n resource.change.after.type == \"ingress\"\n msg := sprintf(\"Security group rule '%s' must not allow ingress from 0.0.0.0\/0\", [resource.address])\n}<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/h3>\n
# policy\/pipeline\/required_steps.rego\npackage pipeline\n\nrequired_jobs := {\"sast-scan\", \"secret-detection\", \"image-sign\"}\n\nmissing_jobs[job] {\n job := required_jobs[_]\n not job_exists(job)\n}\n\njob_exists(name) {\n input.jobs[name]\n}\n\ndeny[msg] {\n count(missing_jobs) > 0\n msg := sprintf(\"Pipeline is missing required security jobs: %v\", [missing_jobs])\n}<\/code><\/pre>\n\u0641\u0631\u0636 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0648\u0639 \u0648\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629<\/h3>\n
\u062f\u0645\u062c OPA \u0641\u064a \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD<\/h2>\n
GitHub Actions: OPA \u0645\u0639 Conftest<\/h3>\n
# .github\/workflows\/policy-check.yml\nname: Policy Checks\n\non:\n pull_request:\n branches: [main]\n\njobs:\n validate-kubernetes:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Install Conftest\n run: |\n LATEST=$(wget -qO- \"https:\/\/api.github.com\/repos\/open-policy-agent\/conftest\/releases\/latest\" | jq -r '.tag_name' | sed 's\/v\/\/')\n wget -q \"https:\/\/github.com\/open-policy-agent\/conftest\/releases\/download\/v${LATEST}\/conftest_${LATEST}_Linux_x86_64.tar.gz\"\n tar xzf conftest_${LATEST}_Linux_x86_64.tar.gz\n sudo mv conftest \/usr\/local\/bin\/\n\n - name: Validate Kubernetes manifests\n run: |\n conftest test k8s\/*.yaml \\\n --policy policy\/k8s\/ \\\n --output json \\\n --all-namespaces\n\n validate-terraform:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Setup Terraform\n uses: hashicorp\/setup-terraform@v3\n\n - name: Install Conftest\n run: |\n LATEST=$(wget -qO- \"https:\/\/api.github.com\/repos\/open-policy-agent\/conftest\/releases\/latest\" | jq -r '.tag_name' | sed 's\/v\/\/')\n wget -q \"https:\/\/github.com\/open-policy-agent\/conftest\/releases\/download\/v${LATEST}\/conftest_${LATEST}_Linux_x86_64.tar.gz\"\n tar xzf conftest_${LATEST}_Linux_x86_64.tar.gz\n sudo mv conftest \/usr\/local\/bin\/\n\n - name: Generate Terraform plan JSON\n run: |\n cd terraform\/\n terraform init\n terraform plan -out=tfplan\n terraform show -json tfplan > tfplan.json\n\n - name: Validate Terraform plan\n run: |\n conftest test terraform\/tfplan.json \\\n --policy policy\/terraform\/ \\\n --output json<\/code><\/pre>\nGitLab CI: Conftest \u0641\u064a \u0645\u0647\u0645\u0629 CI<\/h3>\n
# .gitlab-ci.yml\nstages:\n - validate\n - build\n - deploy\n\npolicy-check-k8s:\n stage: validate\n image: openpolicyagent\/conftest:latest\n script:\n - conftest test k8s\/*.yaml\n --policy policy\/k8s\/\n --output json\n --all-namespaces\n rules:\n - changes:\n - k8s\/**\/*\n - policy\/k8s\/**\/*\n\npolicy-check-terraform:\n stage: validate\n image:\n name: hashicorp\/terraform:latest\n entrypoint: [\"\"]\n before_script:\n - apk add --no-cache wget\n - wget -q https:\/\/github.com\/open-policy-agent\/conftest\/releases\/download\/v0.50.0\/conftest_0.50.0_Linux_x86_64.tar.gz\n - tar xzf conftest_0.50.0_Linux_x86_64.tar.gz\n - mv conftest \/usr\/local\/bin\/\n script:\n - cd terraform\/\n - terraform init\n - terraform plan -out=tfplan\n - terraform show -json tfplan > tfplan.json\n - conftest test tfplan.json --policy ..\/policy\/terraform\/\n rules:\n - changes:\n - terraform\/**\/*\n - policy\/terraform\/**\/*<\/code><\/pre>\nConftest \u0645\u0642\u0627\u0628\u0644 OPA CLI \u0627\u0644\u062e\u0627\u0645: \u0645\u062a\u0649 \u062a\u0633\u062a\u062e\u062f\u0645 \u0623\u064a\u0647\u0645\u0627<\/h3>\n
\n
deny<\/code>\u060c warn<\/code>\u060c violation<\/code>).<\/li>\n\u0643\u062a\u0627\u0628\u0629 \u0633\u064a\u0627\u0633\u0627\u062a Rego \u0641\u0639\u0651\u0627\u0644\u0629<\/h2>\n
\u0627\u0644\u0631\u0641\u0636 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0627\u064b \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0633\u0645\u0627\u062d \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0627\u064b<\/h3>\n
\n
deny<\/code>. \u0647\u0630\u0627 \u0647\u0648 \u0627\u0635\u0637\u0644\u0627\u062d Conftest \u0627\u0644\u0642\u064a\u0627\u0633\u064a \u0648\u064a\u0639\u0645\u0644 \u062c\u064a\u062f\u0627\u064b \u0644\u0628\u0648\u0627\u0628\u0627\u062a CI\/CD \u062d\u064a\u062b \u062a\u0631\u064a\u062f \u0627\u0644\u062a\u0642\u0627\u0637 \u0623\u0646\u0645\u0627\u0637 \u0645\u062d\u062f\u062f\u0629 \u0645\u0639\u0631\u0648\u0641\u0629 \u0628\u0623\u0646\u0647\u0627 \u062e\u0627\u0637\u0626\u0629.<\/li>\nallow<\/code> \u0648\u0625\u0644\u0627 \u064a\u062a\u0645 \u0631\u0641\u0636\u0647\u0627. \u0647\u0630\u0627 \u0623\u0643\u062b\u0631 \u0645\u0644\u0627\u0621\u0645\u0629 \u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0642\u0628\u0648\u0644 \u0645\u0646 \u0628\u0648\u0627\u0628\u0627\u062a CI\/CD.<\/p>\n# Deny-by-default (common for CI\/CD \u2014 catches specific violations)\npackage k8s.images\n\ndeny[msg] {\n # Explicitly deny known-bad patterns\n container := input.spec.template.spec.containers[_]\n endswith(container.image, \":latest\")\n msg := sprintf(\"Container '%s' uses ':latest' tag\", [container.name])\n}\n\n# Strict allow-only (everything not explicitly allowed is denied)\npackage k8s.registries\n\nallowed_registries := {\n \"gcr.io\/my-project\",\n \"us-docker.pkg.dev\/my-project\",\n}\n\ndeny[msg] {\n container := input.spec.template.spec.containers[_]\n image := container.image\n not image_from_allowed_registry(image)\n msg := sprintf(\"Container '%s' uses image '%s' from a non-approved registry\", [container.name, image])\n}\n\nimage_from_allowed_registry(image) {\n some registry in allowed_registries\n startswith(image, registry)\n}<\/code><\/pre>\n\u062a\u0648\u0644\u064a\u062f \u0631\u0633\u0627\u0626\u0644 \u0627\u0646\u062a\u0647\u0627\u0643 \u0630\u0627\u062a \u0645\u0639\u0646\u0649<\/h3>\n
deny[msg] {\n container := input.spec.template.spec.containers[_]\n not container.securityContext.runAsNonRoot\n msg := sprintf(\n \"Container '%s' must set securityContext.runAsNonRoot to true. \"\n \"See: https:\/\/wiki.internal\/policies\/container-security#non-root\",\n [container.name]\n )\n}<\/code><\/pre>\n\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645
opa test<\/code><\/h3>\n# policy\/k8s\/deny_latest_tag_test.rego\npackage k8s.images\n\ntest_deny_latest_tag {\n result := deny with input as {\n \"spec\": {\"template\": {\"spec\": {\"containers\": [\n {\"name\": \"app\", \"image\": \"nginx:latest\"}\n ]}}}\n }\n count(result) == 1\n contains(result[_], \"latest\")\n}\n\ntest_allow_pinned_tag {\n result := deny with input as {\n \"spec\": {\"template\": {\"spec\": {\"containers\": [\n {\"name\": \"app\", \"image\": \"nginx:1.25.3\"}\n ]}}}\n }\n count(result) == 0\n}\n\ntest_deny_no_tag {\n result := deny with input as {\n \"spec\": {\"template\": {\"spec\": {\"containers\": [\n {\"name\": \"app\", \"image\": \"nginx\"}\n ]}}}\n }\n count(result) == 1\n}<\/code><\/pre>\nopa test policy\/ -v<\/code><\/pre>\n\u062a\u0646\u0638\u064a\u0645 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u062d\u0633\u0628 \u0627\u0644\u0645\u062c\u0627\u0644<\/h3>\n
policy\/\n\u251c\u2500\u2500 k8s\/\n\u2502 \u251c\u2500\u2500 deny_latest_tag.rego\n\u2502 \u251c\u2500\u2500 deny_latest_tag_test.rego\n\u2502 \u251c\u2500\u2500 deny_privileged.rego\n\u2502 \u251c\u2500\u2500 deny_privileged_test.rego\n\u2502 \u251c\u2500\u2500 require_labels.rego\n\u2502 \u2514\u2500\u2500 require_labels_test.rego\n\u251c\u2500\u2500 terraform\/\n\u2502 \u251c\u2500\u2500 aws_security.rego\n\u2502 \u251c\u2500\u2500 aws_security_test.rego\n\u2502 \u251c\u2500\u2500 gcp_security.rego\n\u2502 \u2514\u2500\u2500 gcp_security_test.rego\n\u251c\u2500\u2500 docker\/\n\u2502 \u251c\u2500\u2500 best_practices.rego\n\u2502 \u2514\u2500\u2500 best_practices_test.rego\n\u2514\u2500\u2500 pipeline\/\n \u251c\u2500\u2500 required_steps.rego\n \u2514\u2500\u2500 required_steps_test.rego<\/code><\/pre>\n\u0625\u062f\u0627\u0631\u0629 \u062d\u0632\u0645 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a<\/h3>\n
# Build a bundle\nopa build -b policy\/ -o bundle.tar.gz\n\n# Push to an OCI registry\nconftest push myregistry.io\/policies\/security:v1.2.0\n\n# Pull and use in a pipeline\nconftest pull myregistry.io\/policies\/security:v1.2.0\nconftest test k8s\/*.yaml --policy policy\/<\/code><\/pre>\n\u0625\u0641\u0634\u0627\u0644 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0623\u0645\u0627\u0646 \u0648\u0635\u0631\u0627\u062d\u0629<\/h2>\n
\u0627\u0644\u0628\u0648\u0627\u0628\u0627\u062a \u0627\u0644\u0635\u0627\u0631\u0645\u0629 \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0628\u0648\u0627\u0628\u0627\u062a \u0627\u0644\u0645\u0631\u0646\u0629<\/h3>\n
\n
deny<\/code>:<\/strong> \u0628\u0648\u0627\u0628\u0627\u062a \u0635\u0627\u0631\u0645\u0629. \u064a\u0641\u0634\u0644 \u0627\u0644\u0623\u0646\u0628\u0648\u0628 \u0625\u0630\u0627 \u062a\u0637\u0627\u0628\u0642\u062a \u0623\u064a \u0642\u0627\u0639\u062f\u0629 deny<\/code>.<\/li>\nwarn<\/code>:<\/strong> \u0628\u0648\u0627\u0628\u0627\u062a \u0645\u0631\u0646\u0629. \u064a\u0633\u062c\u0644 \u0627\u0644\u0623\u0646\u0628\u0648\u0628 \u0627\u0644\u062a\u062d\u0630\u064a\u0631 \u0644\u0643\u0646\u0647 \u064a\u0633\u062a\u0645\u0631. \u0647\u0630\u0627 \u0644\u0627 \u064a\u064f\u0642\u062f\u0651\u0631 \u0628\u062b\u0645\u0646 \u0644\u0637\u0631\u062d \u0633\u064a\u0627\u0633\u0627\u062a \u062c\u062f\u064a\u062f\u0629.<\/li>\n<\/ul>\n# Start with warn, promote to deny once teams have adapted\nwarn[msg] {\n container := input.spec.template.spec.containers[_]\n not container.resources.requests\n msg := sprintf(\"[WARN] Container '%s' should define resource requests\", [container.name])\n}<\/code><\/pre>\n\u0627\u0633\u062a\u062b\u0646\u0627\u0621\u0627\u062a \u0648\u0625\u0639\u0641\u0627\u0621\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a<\/h3>\n
# policy\/k8s\/exceptions.rego\npackage k8s.images\n\nimport data.exceptions\n\n# Skip the deny rule if an approved exception exists\ndeny[msg] {\n container := input.spec.template.spec.containers[_]\n endswith(container.image, \":latest\")\n not exception_exists(input.metadata.name, container.name)\n msg := sprintf(\"Container '%s' uses the 'latest' tag\", [container.name])\n}\n\nexception_exists(deployment, container) {\n exception := exceptions.approved[_]\n exception.deployment == deployment\n exception.container == container\n exception.policy == \"deny-latest-tag\"\n time.now_ns() < exception.expires_ns\n}<\/code><\/pre>\n# data\/exceptions.json\n{\n \"approved\": [\n {\n \"deployment\": \"legacy-app\",\n \"container\": \"app\",\n \"policy\": \"deny-latest-tag\",\n \"reason\": \"Legacy build system cannot produce tagged images \u2014 migration tracked in JIRA-1234\",\n \"approved_by\": \"security-team\",\n \"expires_ns\": 1735689600000000000\n }\n ]\n}<\/code><\/pre>\n\u0625\u0631\u0633\u0627\u0644 \u0646\u062a\u0627\u0626\u062c \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0625\u0644\u0649 \u0644\u0648\u062d\u0627\u062a \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a<\/h3>\n
# Capture results as JSON\nconftest test k8s\/*.yaml --policy policy\/k8s\/ --output json > policy-results.json\n\n# Ship to your logging platform\ncurl -X POST https:\/\/logging.internal\/api\/v1\/policy-results \\\n -H \"Content-Type: application\/json\" \\\n -d @policy-results.json<\/code><\/pre>\n\u0627\u0644\u0637\u0631\u062d \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a: \u0648\u0636\u0639 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0642\u0628\u0644 \u0648\u0636\u0639 \u0627\u0644\u062a\u0637\u0628\u064a\u0642<\/h3>\n
\n
warn<\/code>. \u0627\u062c\u0645\u0639 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u062d\u0648\u0644 \u0639\u062f\u062f \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062a\u064a \u0633\u062a\u0641\u0634\u0644. \u0634\u0627\u0631\u0643 \u0627\u0644\u062a\u0642\u0627\u0631\u064a\u0631 \u0645\u0639 \u0627\u0644\u0641\u0631\u0642.<\/li>\nwarn<\/code> \u0644\u0643\u0646 \u0623\u0636\u0641 \u0625\u0634\u0639\u0627\u0631\u0627\u062a \u2014 \u062a\u0646\u0628\u064a\u0647\u0627\u062a Slack\u060c \u062a\u0630\u0627\u0643\u0631 Jira \u2014 \u0644\u064a\u0643\u0648\u0646 \u0627\u0644\u0641\u0631\u0642 \u0639\u0644\u0649 \u0639\u0644\u0645 \u0648\u064a\u0645\u0643\u0646\u0647\u0645 \u0627\u0644\u0645\u0639\u0627\u0644\u062c\u0629.<\/li>\nwarn<\/code> \u0625\u0644\u0649 deny<\/code> \u0628\u0639\u062f \u0645\u0648\u0639\u062f \u0646\u0647\u0627\u0626\u064a \u0645\u064f\u0639\u0644\u0646. \u062a\u0623\u0643\u062f \u0645\u0646 \u0648\u062c\u0648\u062f \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u062b\u0646\u0627\u0621.<\/li>\n\u0627\u0644\u0642\u064a\u0648\u062f \u0648\u0627\u0644\u0645\u0642\u0627\u064a\u0636\u0627\u062a<\/h2>\n
\u0645\u0646\u062d\u0646\u0649 \u062a\u0639\u0644\u0645 Rego<\/h3>\n
\u0627\u0644\u0623\u062f\u0627\u0621 \u0645\u0639 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0627\u0644\u0643\u0628\u064a\u0631\u0629<\/h3>\n
opa eval --profile<\/code> \u0625\u0630\u0627 \u0623\u0635\u0628\u062d \u0627\u0644\u0623\u062f\u0627\u0621 \u0645\u0635\u062f\u0631 \u0642\u0644\u0642.<\/p>\nOPA \u0645\u0642\u0627\u0628\u0644 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649<\/h3>\n
\n
\u0627\u0646\u062d\u0631\u0627\u0641 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0648\u0627\u0644\u0635\u064a\u0627\u0646\u0629<\/h3>\n
\n
\u0627\u0644\u062e\u0644\u0627\u0635\u0629: Policy as Code \u0647\u0648 \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629<\/h2>\n
\n
latest<\/code>\u060c \u0623\u0648 \u0637\u0644\u0628 \u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f\u060c \u0623\u0648 \u062d\u0638\u0631 \u062d\u0627\u0648\u064a\u0627\u062a S3 \u0627\u0644\u0639\u0627\u0645\u0629 \u2014 \u0648\u0646\u0641\u0651\u0630\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Conftest \u0641\u064a \u0623\u0646\u0628\u0648\u0628 \u0648\u0627\u062d\u062f.<\/li>\n