It's an honor and a pleasure to be actually opening this KubeCon. I never thought I'd be able to say that, but my name is Omri Gazitt. I'm the co-founder and CEO of Aserto. Aserto is a cloud-native authorization company, and we produced an open-source project called Topaz that uses OPA really heavily, the Open Policy Agent. So we care a lot about secure software supply chains for OPA policies. Next, why should you care? What are these OPA policies? Well, these days in the cloud-native world, you use policies for a lot of different things. For example, Kubernetes Admission Control through the open-source project Gatekeeper. Use them to make sure that your config files obey a policy through a project called Conftest. You can use OPA as a general decision engine as well. If you've never seen the OPA site, it looks like this. It's really pretty. You've got Vikings all over. And then you can also use it for projects like Topaz, which is an open-source project that Aserto has, which is basically a, ooh, I guess I can't get to that screen. It's an open-source project for authorization for APIs and applications. Now what do you need a secure software supply chain for? Well, OPA policies are an important application artifact. And so you want to be able to build them into immutable images. You want to be able to sign them. But the native format for OPA policies is actually a tarball, which doesn't lend itself well to any of these things. So you really want to be able to package them up just like you do application code into an OCI image. And so you can do that using the Open Container Initiative. You want to be able to have a Docker-like workflow for these policies. So you want to be able to build them and tag them and push them and pull them, just like Docker containers. And so we have an open-source project called Open Policy Containers for that, OPCR for short. That's a CNCF Sandbox project.
And finally, you want to be able to sign these containers and verify the signatures. Again, just like you can any other container, you do that using Sigstore. So a bunch of different open-source projects to be able to do all of these things. And so now I will actually demonstrate what that workflow looks like. Now of course you can put this all in CI/CD, but I'm going to try to do this using a real demo as opposed to just some gist to increase the degree of difficulty here. So let's start with, let's see, the ability to create a new policy from a template. So we're using the policy CLI to do that here. Then I'm going to build a policy, build that from the local source directory. And this works just like Docker build. I can basically look at all the files that got created by the template. I can look at all the images that I have on my local system here. And then finally I can actually push that to a container registry, in this case the GHCR container registry. So building OPA policies into container images, super simple. The next piece of it is of course being able to sign it. And so I have gists for all of this stuff, but just again showing you what to do. It's literally as simple as just signing using cosign, this container image that I'm passing here as the one that I just created. And then I can verify the signature again using cosign. And so here I'm verifying that the container that I signed basically has that same signature using the public key file that I created with cosign. And lastly, if you want to see how to use these things, OPA speaks OCI natively now. We have that integrated into the OPA main project, so all you have to do is create a new config that basically specifies the resource as an OCI image instead of a tarball. And lastly, if you want to configure something like Topaz, we actually have in Topaz a very easy way to configure Topaz using a command line. This will just basically create a config file with that policy.
And I can even go bring up a console for Topaz, go to the authorizers and check out all the modules here. And there they are, OPA modules. So that's basically all I had. I'm Omri. You can find me on all the socials. You can visit the OPCR booth on the pavilion. There is a booth for that as a project. And finally, stop by our booth M29 if you want one of these cool axolotl shirts or just to talk about authorization. Thank you so much.