OPA and Rego Formal Verification Questions

[Patrick East]

Hi Everyone,

At the meeting yesterday, 6/5/19. part of the discussion was around how we can do formal verification of OPA (Rego) polices. Some questions came up about OPA functionality in comparison to systems using Datalog, as well as some next steps to determine how to model things using OPA.

Unfortunately we didn't have OPA experts in attendance so I'm looping in Tim and Torin (cc'd) to the discussion. If possible it would be great if we could get some of your time to help answer any questions and maybe give some guidance. It would likely help kickstart the work to build the proposed verification engine quite a bit.

Thanks!

--

Patrick East

pat...@styra.com

[Tim Hinrichs]

Yep it'd be great to hear about the verificatin problems you're looking to solve.  It sounds like multitenancy and privilege escalation were two discussed at the meeting.  It was too bad I couldn't attend, but I'd like to hear more about what you're looking to verify.  I assume the next regular meeting is the right time?

Tim

[Justin Cormack]

The meeting recording and slides links are in https://docs.google.com/document/d/1ihFfEfgViKlUMbY2NKxaJzBkgHh-Phk5hqKTzK-NEEs/edit

There is an issue with some discussion too at https://github.com/cncf/sig-security/issues/196

Justin

--
You received this message because you are subscribed to the Google Groups "Policy WG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-wg-po...@googlegroups.com.
To post to this group, send email to kubernetes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-wg-policy/CAJjxPACPSAd95oNeZkq_zAyaU7Wn93-3NGO9iP%3D%3D1PUJMxveQw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.