Policy & Governance for Kubernetes
- 2. Nico Meisenzahl
• Senior Cloud & DevOps Consultant at white duck
• Microsoft MVP, GitLab Hero, Docker Community Leader
• loves Kubernetes, DevOps and Cloud
© white duck GmbH 2020
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org
- 3. Agenda
• Cloud Governance? Why do we need it?
• Governance for Kubernetes
• Open Policy Agent – the foundation
• OPA Gatekeeper – the Kubernetes implementation
- 5. Cloud Governance …
… is used to provide a set of rules that define guidelines which can either be enforced or audited.
- 6. Why do we need it?
• decisions are made in a decentralized way and at a rapid pace
• therefore it is important to
• reduce risk
• control shadow IT
• make it easier to manage cloud resources
• reduce effort
- 8. Governance for Kubernetes
• Authorization with Role-based Access Control (RBAC)
• is used to define who is allowed to do what
• very granular
• But: Kubernetes itself offers nothing to control or change the specification of resources
• which is essential for successfully governing a cluster
- 9. Some examples are
• whitelist of trusted container registries, images or tags
• required container security specifications
• required labels to group resources
• prevent conflicting Ingress host resources
• prevent publicly exposed LoadBalancer services
- 11. Open Policy Agent
• "policy-based control for cloud native environments"
• open-source project by Styra
• a unified toolset and framework
• declarative policy language
• decoupled
• Golang library
• REST API with sidecar or daemon
- 13. Ecosystem
• API and service authorization with Envoy, Kong or Traefik
• Authorization policies for SQL, Kafka and others
• Container Network authorization with Istio
• Test policies for Terraform infrastructure changes
• Policies for SSH and sudo
• Policy and Governance for Kubernetes
• and many more
• https://www.openpolicyagent.org/docs/latest/ecosystem/
- 15. How OPA works
Request received by the service, which asks OPA for a decision:
POST /api HTTP/1.1
Authorization: nico
Input document the service sends to OPA:
{
  "method": "POST",
  "path": "api",
  "user": "nico"
}
Decision OPA returns to the service:
{
  "allow": true
}
- 16. Rego
• "ray-go"
• inspired by Datalog with support for JSON
• declarative Policy Language
• "is Nico allowed to POST a payload to /api"
• Get started
• Rego Playground
• https://play.openpolicyagent.org/
• Rego deep dive
• https://www.slideshare.net/TorinSandall/rego-deep-dive
package app.abac

# deny unless a rule below proves otherwise
default allow = false

# both conditions must hold (logical AND)
allow {
  action_is_post
  user_is_owner
}

action_is_post {
  input.method == "POST"
}

user_is_owner {
  input.user == "nico"
}
- 17. Rego in action
Request received by the service:
POST /api HTTP/1.1
Authorization: nico
Input document sent to OPA:
{
  "method": "POST",
  "path": "api",
  "user": "nico"
}
Decision returned by OPA:
{
  "allow": true
}
Policy evaluated against the input:
package app.abac

default allow = false

allow {
  action_is_post
  user_is_owner
}

action_is_post {
  input.method == "POST"
}

user_is_owner {
  input.user == "nico"
}
- 18. OPA Tips
• OPA binary
• opa run, opa test, …
• VS Code plugin
• management APIs
• bundle API -> send policies and data to OPA
• status API -> for observability/monitoring
• log API -> for receiving audit logs
- 20. OPA Gatekeeper
• Kubernetes implementation of OPA
• built by Google, Microsoft, Red Hat, and Styra
• based on
• Open Policy Agent daemon
• Kubernetes Admission Controller
• Custom Resource Definitions (CRDs)
• AuthZ Webhook
• Can be installed with Helm or kubectl apply
• https://github.com/open-policy-agent/gatekeeper
- 21. How Gatekeeper works
https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
- 23. Demos
• OPA Gatekeeper in action
• example rules
• required label
• trusted images
• unique ingress hosts
• auditing