Cloud Compliance with Open Policy Agent


heise devSec(), October 2020, online: talk by Alex Krause (@alex0ptr, Software Engineer at QAware)


Abstract: Microservices break the complexity of an application into smaller processes and distributed infrastructure. Policies, for example on the use of encryption, on access management or on the assignment of cost centers, thereby become a decentralized problem. On top of that, the inherently complex layers of a cloud-native application, such as Kubernetes resources, IaaS components and CI/CD pipelines, make a technically uniform definition of such policies harder.

Open Policy Agent (OPA) is a Cloud Native Computing Foundation (CNCF) project for defining and checking policies. What sets OPA apart is, on the one hand, its easy integration into cloud-native environments and, on the other, the universal logic programming language Rego, which allows rules to be defined uniformly across technology boundaries.


  1. Alex Krause, alex.krause@qaware.de, @alex0ptr: Cloud Compliance with Open Policy Agent
  2. The Problem
  3. Policy: “Users should only access data of their own teams/projects.”
     Compliance: // TODO
     Governance: “Security First. Least Privilege, where possible.”
  4. May this action be allowed? Who or what can perform a certain action? Are there violations?
  5. Infrastructure: Machines, Network, DNS, RDBMS, Storage.
     Application Platform: Container Orchestration, Container Images, CD-Pipeline.
     Applications: User Management, Configuration, HTTP APIs + UIs.
     Code: Continuous Integration, Code Artifacts, Version Control.
     Logs, Secret Store, API Gateways, Metrics, Backups.
     💫 Life of the YAML-Engineer
  6. Authorization check written directly into the application code (Spring Security):
         @PreAuthorize("#username == authentication.principal.username")
         public String getMyRoles(String username) {
             // ...
         }
     👻
  7. The Problems ✔: (1) many components, which (2) use different concepts, protocols, and configuration languages, with (3) strong coupling to the concrete implementation.
  8. Solution? 🔨
  9. Open Policy Agent: Engine + Language
  10. Open Policy Agent
      ‣ Policy Engine
      ‣ universal
      ‣ lightweight
      ‣ de-coupled
      ‣ easy to integrate
      “Policy-based control for cloud native environments”
  11. OPA: Rego
      ‣ inheritance: datalog
      ‣ declarative, logic
      ‣ made for Policies
      ‣ and structured data
      “Use Rego for defining policy that is easy to read and write.”
  12. (no text on this slide)
  13. (no text on this slide)
  14. The Dream: ✨ Central Policy Repository ✨
  15. The Present
  16. 🎊 Demo 🎉 The Basics
  17. Spring Security configuration that delegates the access decision to OPA (imports added for completeness; `OPAVoter` comes from the OPA Spring Security contrib integration, not from Spring itself):
          import java.util.Arrays;
          import java.util.List;
          import org.springframework.context.annotation.Bean;
          import org.springframework.context.annotation.Configuration;
          import org.springframework.security.access.AccessDecisionManager;
          import org.springframework.security.access.AccessDecisionVoter;
          import org.springframework.security.access.vote.UnanimousBased;
          import org.springframework.security.config.annotation.web.builders.HttpSecurity;
          import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
          import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

          @Configuration
          @EnableWebSecurity
          public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
              @Override
              protected void configure(HttpSecurity http) throws Exception {
                  // every request must be authenticated; the access decision itself is made by the voters below
                  http.authorizeRequests()
                      .anyRequest()
                      .authenticated()
                      .accessDecisionManager(accessDecisionManager());
              }

              @Bean
              public AccessDecisionManager accessDecisionManager() {
                  // one voter that queries OPA's Data API; UnanimousBased denies as soon as any voter denies
                  List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays
                      .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow"));
                  return new UnanimousBased(decisionVoters);
              }
          }
  18. Gatekeeper 🎉: “Policy Controller for Kubernetes”
      ‣ K8s Admission Controller
      ‣ CRDs for Policies
      ‣ Audit
      ‣ Policy Library
  19. 🎊 Demo 🎉 Gatekeeper
  20. Conftest 🎉: “Write tests against structured configuration data […]”
      ‣ CLI wrapper for OPA
      ‣ shift-left for Policies
      ‣ YAML/JSON, HCL(2), INI, TOML, Dockerfile
      ‣ go-getter support
  21. 🎊 Demo 🎉 Conftest
  22. Conclusion
  23. 😄: Gatekeeper, Conftest, Integration
      😕: Rego, Tooling, Integrations, Complexity
  24. xing.com/companies/qawaregmbh, linkedin.com/company/qaware-gmbh, slideshare.net/qaware, twitter.com/qaware, github.com/qaware, youtube.com/qawaregmbh. Alex Krause, alex.krause@qaware.de, @alex0ptr
  25. QAware, 21.09.2018
  26. QAware GmbH Mainz, Rheinstraße 4 D, 55116 Mainz. Tel.: +49 (0) 6131 215 69 – 0, Fax: +49 (0) 6131 215 69 – 68. xing.com/companies/qawaregmbh, linkedin.com/company/qaware-gmbh, slideshare.net/qaware, twitter.com/qaware, github.com/qaware, youtube.com/qawaregmbh
  27. QAware GmbH München, Aschauer Straße 32, 81549 München. Tel.: +49 (0) 89 23 23 15 – 0, Fax: +49 (0) 89 23 23 15 – 129. xing.com/companies/qawaregmbh, linkedin.com/company/qaware-gmbh, slideshare.net/qaware, twitter.com/qaware, github.com/qaware, youtube.com/qawaregmbh
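The `OPAVoter` on slide 17 asks OPA for the document `http/authz/allow`, so somewhere a Rego package `http.authz` has to define `allow`. The policy below is an added example; it is not part of the talk and not the OPA project's own code. It assumes the voter posts an input document with a `method`, a `path` array and a `principal` object carrying `name` and `teams` (the real field names depend on the Spring integration in use), and it moves slide 3's policy and slide 6's `@PreAuthorize` check out of the application code into Rego. The tests live in the same file and the fixtures are constructed; `import rego.v1` needs OPA 0.59 or later.

```rego
# Added example policy for the query GET /v1/data/http/authz/allow (slide 17).
# Assumed input shape (constructed, depends on the Spring integration):
#   {"method": "GET",
#    "path": ["users", "alice", "roles"],
#    "principal": {"name": "alice", "teams": ["payments"]}}
package http.authz

import rego.v1

# Deny by default: the voter only lets a request through when allow is true.
default allow := false

# A user may read their own roles: the rule from slide 6's
# @PreAuthorize("#username == authentication.principal.username"), expressed outside the code.
allow if {
	input.method == "GET"
	input.path == ["users", input.principal.name, "roles"]
}

# A user may read data of a team they belong to (slide 3's policy).
allow if {
	input.method == "GET"
	count(input.path) == 3
	input.path[0] == "teams"
	input.path[2] == "data"
	input.path[1] in input.principal.teams
}

# --- tests, run with: opa test -v policy.rego ---

# Constructed principal used by all tests.
alice := {"name": "alice", "teams": ["payments"]}

test_own_roles_allowed if {
	allow with input as {"method": "GET", "path": ["users", "alice", "roles"], "principal": alice}
}

test_other_users_roles_denied if {
	not allow with input as {"method": "GET", "path": ["users", "bob", "roles"], "principal": alice}
}

test_own_team_data_allowed if {
	allow with input as {"method": "GET", "path": ["teams", "payments", "data"], "principal": alice}
}

test_foreign_team_data_denied if {
	not allow with input as {"method": "GET", "path": ["teams", "billing", "data"], "principal": alice}
}

test_write_denied_by_default if {
	not allow with input as {"method": "POST", "path": ["teams", "payments", "data"], "principal": alice}
}
```

Serve it with `opa run --server policy.rego`; the voter's request then becomes `POST http://localhost:8181/v1/data/http/authz/allow` with the input document in the `input` field of the JSON body, and OPA answers `{"result": true}` or `{"result": false}`. Because of `default allow := false`, a request whose input does not match any rule (a different method, an unknown path, a principal without `teams`) is denied rather than left undefined.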
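Conftest (slide 20) evaluates `deny` rules from the Rego package `main` against every parsed YAML document and fails the run when any rule produces a message, which is the "shift-left" the slide refers to. The policy below is an added example, not part of the talk and not the Conftest project's own code: it checks a Kubernetes Deployment for a non-root security context, a pinned image and the cost-center label the abstract mentions. The two Deployment fixtures are constructed for the tests, and `import rego.v1` assumes a Conftest build on OPA 0.59 or later.

```rego
# Added example Conftest policy (slide 20); run with:
#   conftest test deployment.yaml      -> evaluates deny rules against the manifest
#   conftest verify                    -> runs the test_ rules below
package main

import rego.v1

# Containers of a Deployment; any other kind yields an empty set and passes untouched.
containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

# A tag is mutable when it is :latest or missing; a digest (@sha256:...) counts as pinned.
# Simplification: a registry with a port but no tag (host:5000/img) would be treated as tagged.
mutable_tag(image) if endswith(image, ":latest")

mutable_tag(image) if not contains(image, ":")

deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
	some c in containers
	mutable_tag(c.image)
	msg := sprintf("container %q must pin its image tag (got %q)", [c.name, c.image])
}

deny contains msg if {
	input.kind == "Deployment"
	not input.metadata.labels["cost-center"]
	msg := sprintf("deployment %q has no cost-center label", [input.metadata.name])
}

# --- constructed fixtures and tests ---

bad_deployment := {
	"kind": "Deployment",
	"metadata": {"name": "web", "labels": {"app": "web"}},
	"spec": {"template": {"spec": {"containers": [
		{"name": "web", "image": "nginx:latest"}
	]}}}
}

good_deployment := {
	"kind": "Deployment",
	"metadata": {"name": "web", "labels": {"app": "web", "cost-center": "CC-1234"}},
	"spec": {"template": {"spec": {"containers": [
		{"name": "web", "image": "nginx:1.25.3", "securityContext": {"runAsNonRoot": true}}
	]}}}
}

# Root container, :latest tag and missing label: three separate messages.
test_bad_deployment_denied if {
	msgs := deny with input as bad_deployment
	count(msgs) == 3
}

test_good_deployment_passes if {
	count(deny) == 0 with input as good_deployment
}

test_other_kinds_ignored if {
	count(deny) == 0 with input as {"kind": "Service", "metadata": {"name": "web"}}
}
```

Each `deny` rule reports one concrete message instead of a bare failure, so the pipeline output names the container and the setting to fix. The same rules could be wrapped into a Gatekeeper ConstraintTemplate (slide 18) to enforce them at admission time, which is why keeping the Rego free of tool-specific input handling pays off.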
