DCSF19 Kubernetes Security with OPA

DockerCon Open Source Summit: Security
Tim Hinrichs, Styra


  1. Kubernetes Security with Open Policy Agent
     Tim Hinrichs, CTO and Co-Founder of Styra, Co-Founder of OPA (@tlhinrichs, openpolicyagent.org)
     Diagram: Desired State
  2. Desired State and Runtime State
     `kubectl create -f nginx.yaml`

     ```yaml
     # nginx.yaml
     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: nginx-deployment
     spec:
       replicas: 2
       selector:
         matchLabels:
           app: nginx
       template:
         metadata:
           labels:
             app: nginx
         spec:
           containers:
           - name: nginx
             image: nginx:1.7.9
     ```

     Diagram: Desired State (nginx.yaml) → Runtime State (Server Node, Server Node)
  3. Dangers (Desired State: `kubectl create -f nginx.yaml`, nginx.yaml as on slide 2)
     Compute
       ● Run arbitrary binaries from the internet
       ● Deploy code with known vulnerabilities
     Networking
       ● App A can steal traffic from App B (unintentionally or otherwise)
       ● Open egress traffic to 0.0.0.0
     Storage
       ● Mission-critical data can be automatically deleted when workloads move to new nodes
     Security
       ● 3rd-party software runs with root privileges
       ● Data at rest and in transit not encrypted
  4. Guardrails (Desired State: `kubectl create -f nginx.yaml`, nginx.yaml as on slide 2; enforced by Open Policy Agent)
     Compute
       ● Images may only be pulled from internal registry
       ● Only scanned images may be deployed in namespaces A, B, and C
       ● QA team must sign off on image before it is deployed to production
     Networking
       ● Ingresses across namespaces should not conflict
       ● Developers must not modify selectors, or labels referred to by selectors, after creation
     Storage
       ● Stateful deployments must use the ‘RollingUpdate’ update strategy
     Security
       ● Containers cannot run with privileged security context
       ● Services in namespace X should have the AWS SSL annotation added
  5. Kubernetes implements the desired state (Desired State: `kubectl create -f nginx.yaml`, nginx.yaml as on slide 2)
     Diagram: Desired State → Kubernetes API Server → Validating Webhook → Open Policy Agent; Kubernetes implements Desired State → Runtime State (Server Node, Server Node)
  6. Open Policy Agent: How it works
     Diagram: `kubectl create -f nginx.yaml` → Request → K8s API Server → Query → OPA (Policy (Rego), Data (JSON)) → Decision
  7. Open Policy Agent: How it works
     Diagram: `kubectl create -f nginx.yaml` → Request → K8s API Server → Query → OPA (Policy (Rego), Data (JSON)) → Decision

     Query (input OPA receives for the request):

     ```yaml
     request:
       kind:
         kind: Deployment
       object:
         metadata:
           name: nginx-deployment
         spec:
           replicas: 2
           selector:
             matchLabels:
               app: nginx
           template:
             metadata:
               labels:
                 app: nginx
             spec:
               containers:
               - name: nginx
                 image: nginx:1.7.9
     ```

     Decision:

     ```yaml
     allow: false
     reason: |
       no costcenter label
     ```
  8. What kind of guardrails do YOU need?
       ● Image repository safety
       ● Prevent conflicting ingresses
       ●
  9. Live Coding!
  10. openpolicyagent.org, kubernetes.io, styra.com
      Tim Hinrichs, @tlhinrichs
  11. Sample Policies

      ```rego
      package kubernetes.admission

      # Deny Pods whose container images do not come from the trusted registry.
      deny[msg] {
          input.request.kind.kind == "Pod"
          image := input.request.object.spec.containers[_].image
          not startswith(image, "hooli.com")
          msg := sprintf("image fails to come from trusted registry: %v", [image])
      }

      # Deny Ingresses whose host is already used by an existing Ingress.
      # data.kubernetes.ingresses holds the cluster's existing Ingresses,
      # keyed by namespace and name, loaded into OPA as data (JSON).
      # Note: an update to an existing Ingress also matches its own old
      # entry here, since the rule does not exclude the same namespace/name.
      deny[msg] {
          input.request.kind.kind == "Ingress"
          newhost := input.request.object.spec.rules[_].host
          oldhost := data.kubernetes.ingresses[namespace][name].spec.rules[_].host
          newhost == oldhost
          msg := sprintf("ingress host conflicts with ingress %v/%v", [namespace, name])
      }
      ```
  12. Open Policy Agent: Features
      ● Declarative Policy Language (Rego)
        ○ Can user X do operation Y on resource Z?
        ○ What invariants does workload W violate?
        ○ Which records should bob be allowed to see?
      ● Library, sidecar, host-level daemon
        ○ Policy and data are kept in-memory
        ○ Zero decision-time dependencies
      ● Management APIs for control & observability
        ○ Bundle service API for sending policy & data to OPA
        ○ Status service API for receiving status from OPA
        ○ Log service API for receiving audit log from OPA
      ● Tooling to build, test, and debug policy
        ○ opa run, opa test, opa fmt, opa deps, opa check, etc.
        ○ VS Code plugin, Tracing, Profiling, etc.
  13. Open Policy Agent: Community
      Inception: Project started in 2016 at Styra.
      Goal: Unify policy enforcement across the stack.
      Use Cases: Admission control, Authorization, ACLs, RBAC, IAM, ABAC, Risk management, Data Protection, Data Filtering.
      Users: Netflix, Chef, Medallia, Cloudflare, State Street, Pinterest, Intuit, Capital One, ...and many more.
      Today: CNCF project (Incubation), 36 contributors, 700 Slack members, 1.7K stars, 20+ integrations.
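As an added example (not from the slides), here is an admission policy that produces the slide-7 decision ("no costcenter label") and enforces two of the slide-4 guardrails on a Deployment's pod template, with unit tests that `opa test` (slide 12) runs. It uses the `rego.v1` keywords accepted by OPA 0.59+ and 1.x instead of the older syntax on slide 11, and assumes the slides' placeholder registry `hooli.com` and the constructed admission input embedded in the block.

```rego
package kubernetes.admission
import rego.v1

# Added example, not from the slides: the slide-7 decision ("no costcenter
# label") and two slide-4 guardrails, evaluated over the AdmissionReview that
# the validating webhook forwards to OPA. "hooli.com" is the slides' registry.
trusted_registry := "hooli.com"

# Pod template of the Deployment under review (undefined for other kinds).
pod_spec := input.request.object.spec.template.spec if {
    input.request.kind.kind == "Deployment"
}

deny contains "no costcenter label" if {
    input.request.kind.kind == "Deployment"
    not input.request.object.metadata.labels.costcenter
}

deny contains msg if {
    some c in pod_spec.containers
    not startswith(c.image, trusted_registry)
    msg := sprintf("image %v is not from %v", [c.image, trusted_registry])
}

deny contains msg if {
    some c in pod_spec.containers
    c.securityContext.privileged == true
    msg := sprintf("container %v runs privileged", [c.name])
}

# Unit tests for `opa test` (slide 12). Constructed input: the slide-2 nginx
# Deployment, given a costcenter label and an image from the trusted registry.
good_input := {"request": {
    "kind": {"kind": "Deployment"},
    "object": {
        "metadata": {"name": "nginx-deployment", "labels": {"costcenter": "1234"}},
        "spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "hooli.com/nginx:1.7.9"}]}}}
    }
}}

test_compliant_deployment_allowed if {
    count(deny) == 0 with input as good_input
}

test_slide_nginx_denied if {
    bad := json.patch(good_input, [
        {"op": "remove", "path": "/request/object/metadata/labels/costcenter"},
        {"op": "replace", "path": "/request/object/spec/template/spec/containers/0/image", "value": "nginx:1.7.9"}])
    count(deny) == 2 with input as bad
}
```

Save it as one file and run `opa test -v <file>`; the second test reproduces the slide-2 manifest (no costcenter label, bare `nginx:1.7.9`) and expects both denials.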
