Kolhe, Snehal Prataprao (2025) Simulation of Compliance-as-Code for Kubernetes Using OPA, Terraform, and Conftest. Masters thesis, Dublin, National College of Ireland.
Abstract
This study introduces a minimalistic, simulation-based Compliance as Code demonstration that shows how to use Open Policy Agent (OPA), Conftest and Terraform together.
The most important innovation is the combination of these tools to model and implement compliance policies as part of the infrastructure lifecycle, including plan-time validation and simulated deployment, without requiring live Kubernetes or Terraform setups. This automated compliance model is particularly beneficial to Kubernetes environments, which tend to scale very fast and have dynamic configurations, and in which traditional manual compliance checks would prove too slow and unreliable. The solution specifies rules in Rego, the policy language of OPA, that prevent insecure configurations, e.g. unprotected LoadBalancer services in Kubernetes and unsafe modifications to Terraform plans. These policies are tested with Conftest in Google Colab. To make Compliance as Code more practical and interactive, the study uses FastAPI with Gradio to present policy decisions in a web browser, making outputs readable and visual for the end user. The project also includes plots that model CI/CD pipeline performance and resource load, which allow users to see how policy enforcement does or does not match what the system does. To demonstrate its real-world applicability, the solution is run on an AWS EC2 instance, and the simulated compliance engine is publicly available. The study can serve as a walk-through, developer-friendly and student-friendly guide to learning and deploying automated policy enforcement and cloud governance in DevSecOps.
| Item Type: | Thesis (Masters) |
|---|---|
| Supervisors: | Makki, Ahmed (email: UNSPECIFIED) |
| Subjects: | T Technology > T Technology (General) > Information Technology > Cloud computing; Q Science > QA Mathematics > Computer software > Computer Security; T Technology > T Technology (General) > Information Technology > Computer software > Computer Security |
| Divisions: | School of Computing > Master of Science in Cloud Computing |
| Depositing User: | Ciara O'Brien |
| Date Deposited: | 26 Mar 2026 15:04 |
| Last Modified: | 26 Mar 2026 15:04 |
| URI: | https://norma.ncirl.ie/id/eprint/9229 |