Policy & Governance for Kubernetes

Policy & Governance for Kubernetes using Open Policy Agent Gatekeeper

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Policy & Governance für Kubernetes

  1. Policy & Governance for Kubernetes, June 2020
  2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero, Docker Community Leader • loves Kubernetes, DevOps and Cloud • Phone: +49 8031 230159 0 • Email: nico.meisenzahl@whiteduck.de • Twitter: @nmeisenzahl • LinkedIn: https://www.linkedin.com/in/nicomeisenzahl • Blog: https://meisenzahl.org © white duck GmbH 2020
  3. Agenda • Cloud governance: why do we need it? • Governance for Kubernetes • Open Policy Agent: the foundation • OPA Gatekeeper: the Kubernetes implementation
  4. CLOUD GOVERNANCE: Why do we need it?
  5. Cloud governance provides a set of rules that define guidelines, each of which can either be enforced (non-compliant changes are rejected) or audited (non-compliant resources are reported).
  6. Why do we need it? • decisions are made in a decentralized way and at a rapid pace • therefore it is important to • reduce risk • control shadow IT • make cloud resources easier to manage • reduce effort
  7. KUBERNETES GOVERNANCE: Why do we need it?
  8. Governance for Kubernetes • Authorization with Role-Based Access Control (RBAC) • defines who is allowed to do what (verbs on resources) • very granular • But: RBAC says nothing about the content of a request; out of the box Kubernetes has no general-purpose mechanism to validate or change the specification of resources • which is essential for successfully governing a cluster
  9. Some examples • an allowlist of trusted container registries, images or tags • required container security settings • required labels to group resources • prevent conflicting Ingress host rules • prevent publicly exposed LoadBalancer services
  10. OPEN POLICY AGENT: The foundation
  11. Open Policy Agent • "policy-based control for cloud native environments" • open-source project started by Styra, now hosted by the CNCF • a unified toolset and framework • declarative policy language (Rego) • decoupled: policy decisions are made outside the service that enforces them • Go library • REST API, run as a sidecar or daemon
  13. Ecosystem • API and service authorization with Envoy, Kong or Traefik • authorization policies for SQL, Kafka and others • container network authorization with Istio • test policies for Terraform infrastructure changes • policies for SSH and sudo • policy and governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem/
  14. How OPA works (diagram)
  15. How OPA works: the service receives the request `POST /api HTTP/1.1` with `Authorization: nico`, turns it into the query input {"method": "POST", "path": "api", "user": "nico"}, asks OPA for a decision, and gets {"allow": true} back. The trailing { } on the slide is OPA's data document, which is empty in this example.
  16. Rego • pronounced "ray-go" • inspired by Datalog, with support for JSON • declarative policy language • answers questions like "is Nico allowed to POST a payload to /api?" • Get started: Rego Playground, https://play.openpolicyagent.org/ • Rego deep dive: https://www.slideshare.net/TorinSandall/rego-deep-dive

      package app.abac

      default allow = false

      allow {
          action_is_post
          user_is_owner
      }

      action_is_post {
          input.method == "POST"
      }

      user_is_owner {
          input.user == "nico"
      }
  17. Rego in action: evaluating the app.abac policy from slide 16 against the input {"method": "POST", "path": "api", "user": "nico"} built from `POST /api HTTP/1.1` / `Authorization: nico` yields {"allow": true}, because both action_is_post and user_is_owner are satisfied; any other method or user falls through to `default allow = false`.
  18. OPA tips • OPA binary: opa run, opa test, … • VS Code plugin • management APIs • bundle API → send policies and data to OPA • status API → observability/monitoring • decision log API → receive audit logs of every decision
  19. OPA GATEKEEPER: The Kubernetes implementation of OPA
  20. OPA Gatekeeper • Kubernetes implementation of OPA • built by Google, Microsoft, Red Hat and Styra • based on • the Open Policy Agent engine • a Kubernetes admission controller (validating admission webhook) • Custom Resource Definitions (CRDs) for constraint templates and constraints • can be installed with Helm or kubectl apply • https://github.com/open-policy-agent/gatekeeper
  21. How Gatekeeper works (diagrams): https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
  23. Demos • OPA Gatekeeper in action • example rules • required label • trusted images • unique Ingress hosts • auditing
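The following is an added example, not code from the talk or from its demo repository: a Gatekeeper v3 ConstraintTemplate implementing the "trusted images" rule from the examples and demo slides, followed by a Constraint that applies it to Pods. The template's Rego is the same pattern as the K8sAllowedRepos template in the upstream Gatekeeper policy library; the kind name K8sTrustedRegistries, the parameter name `registries`, the namespaces and the registry prefixes are assumptions chosen for illustration.

```yaml
# Added example (not from the talk or its demo repo): a Gatekeeper v3
# ConstraintTemplate for the "trusted images" rule plus a Constraint.
# Kind name, parameter name, namespaces and registry prefixes are assumptions.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8strustedregistries
spec:
  crd:
    spec:
      names:
        kind: K8sTrustedRegistries
      validation:
        # Schema for the constraint's spec.parameters
        openAPIV3Schema:
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8strustedregistries

        # Gatekeeper evaluates the `violation` rule; every result denies the
        # admission request (or is recorded on the constraint status in
        # audit / dryrun mode).
        violation[{"msg": msg}] {
          container := input_containers[_]
          not from_trusted_registry(container.image)
          msg := sprintf("container <%v> uses image <%v>, which is not in the allowed registries %v",
                         [container.name, container.image, input.parameters.registries])
        }

        # Check regular and init containers: a policy that only looks at
        # spec.containers can be bypassed by running the untrusted image
        # as an initContainer.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # True when the image reference starts with one of the allowed prefixes.
        from_trusted_registry(image) {
          registry := input.parameters.registries[_]
          startswith(image, registry)
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedRegistries
metadata:
  name: pods-must-use-trusted-registries
spec:
  # Start in dryrun: violations show up in the constraint's status from the
  # audit loop without blocking anything; switch to deny once the cluster is
  # clean.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    registries:
      # The trailing slash matters: "registry.example.com/" does not match
      # "registry.example.com.evil.net/app" or "registry.example.comx/app".
      - "registry.example.com/"
      - "docker.io/library/"
```

Two things to check before switching `enforcementAction` to `deny`. First, the match is a plain prefix comparison on the string in the manifest, so the shorthand `nginx:1.19` is rejected even though it resolves to `docker.io/library/nginx:1.19`; either require fully qualified references or add the shorthand forms you accept to the list. Second, matching on Pods means a Deployment or Job is admitted fine while the Pods its controller creates are rejected; the failure is only visible in the ReplicaSet's events or in the constraint's `status.violations`, so watch those during the dryrun phase.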
  24. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demos: https://gitlab.com/nico-meisenzahl/opa-gatekeeper-sample • Nico Meisenzahl (Senior Cloud & DevOps Consultant, white duck)
