SlideShare a Scribd company logo

Dynamic Authorization & Policy Control for Docker Environments

T
Torin Sandall

How do you enable rapid deployment of innovative applications on top of Docker containers while still satisfying strict requirements from your InfoSec and compliance departments? The Open Policy Agent (OPA), an open-source tool, enables you to update and enforce policies without slowing down developers or modifying application code. In this talk, Justin Cormack (Security Engineer at Docker) and Torin Sandall (Co-founder of the OPA project) will show how you can leverage the integrations between Docker and OPA to enforce fine-grained policies in your organization's container platform while still allowing your developers to move quickly. This talk is targeted at engineers building and operating container platforms who are interested in security and policy enforcement. The audience can expect to take aware fresh ideas about how to enforce fine-grained security policies across their container platform.

Technology
1 of 40
Download to read offline
Dynamic Authorization and Policy Control for Docker Container Environments
TORIN SANDALL Engineer, Styra @sometorin JUSTIN CORMACK Engineer, Docker @justincormack
Why Policy?
● Heterogeneity: many languages, protocols, systems ● Dynamism: system changing, policies changing ● How do you enforce and audit policy? ● Correctness, performance, cost Challenges
Today we are going to talk about tools and approaches for solving this problem! Computers can help!
Real life example
Example Scenario: AcmeCorp ● Pet camera & home monitoring devices ● Watch your cute pets while you travel ● Always on, always connected
AcmeCorp's Architecture Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support)
AcmeCorp's Problem Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support)
"Tech support specialists accessing customer data must be assigned to an open ticket for the customer they are assisting." Example Policy
Example Implementation Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support) authzauthzauthzauthz authz authz
Example Implementation business logic authorization logic def get_user_account(req): if not authorized(req): raise status(403) return db.read_user_account(req.id) def authorized(req): if "support" in req.subject.groups: for ticket in get_open_tickets(req.id): if req.subject.user == ticket.assignee: return True return False # other authorization logic...
Obvious questions... def get_user_account(req): if not authorized(req): raise status(403) return db.read_user_account(req.id) def authorized(req): if "support" in req.subject.groups: for ticket in get_open_tickets(req.id): if req.subject.user == ticket.assignee: return True return False # other authorization logic... What happens when the policy changes... What if the policy requires additional context... What if the customer requires control of the policy... What if the policy was not implemented correctly... What if you have 100+ services written in N langs...
What is Open Policy Agent?
OPA: general-purpose policy engine Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Chef Medallia Cloudflare State Street Pinterest Intuit ...and many more. Today CNCF project (Sandbox) 36 contributors 1.5K stars 400 slack members 20+ integrations Open Policy Agent
OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request
OPA: general-purpose policy engine Accounts OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request GET /accounts/alice HTTP/1.1 Authorization: janet
OPA: general-purpose policy engine Accounts OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request GET /accounts/alice HTTP/1.1 Authorization: janet { "method": "GET", "path": ["accounts", "alice"], "user": "janet" } true or false
OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request Service refers to any one of: ● Custom service ● Kubernetes API server ● Message broker ● SSH daemon ● CI/CD pipeline script
OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request Service refers to any one of: ● Custom service ● Kubernetes API server ● Message broker ● SSH daemon ● CI/CD pipeline script Input can be any JSON value: "alice" ["v1", "users", "bob"] {"kind": "Pod", "spec": …} Output can be any JSON value: true "request rejected" {"servers": ["web1", "web2"]}
Getting hands on
"Tech support specialists accessing customer data must be assigned to an open ticket for the customer they are assisting." Example Policy
Conclusions
● write rules not code ● re-use same policy across all applications and languages ● support audit and testing A better way to build policy
OPA: Integrations Data Filtering Admission Control “Restrict ingress hostnames for payments team.” “Ensure container images come from corporate repo.” API Authorization “Deny test scripts access to production services.” “Allow analysts to access APIs serving anonymized data.” Data Protection Linux PAM SSH & sudo “Only allow on-call engineers to SSH into production servers.” "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA." "Users can access files for past 6 months related to the region they licensed."
● allow developers to see effect of policy earlier ● show effect of policy as soon as possible ● have ability to move point of enforcement around if it improves code ● test policy was enforced in production as well “Shift left”
● https://www.openpolicyagent.org/ ● https://slack.openpolicyagent.org/ ● https://github.com/open-policy-agent ● Examples from talk ○ https://github.com/tsandall/dockercon-eu-2018 Questions? I want more!
Blank slide
OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data
OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies
OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA
OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc.
Hands on example with OPA Accounts OPA Bundle Server Policy + Tickets GET /accounts/alice HTTP/1.1 Authorization: Bearer ... Input { method: GET path: [accounts, alice] subject: { user: janet groups: [support] } } Result true (allow) or false (deny) Data { tickets: { alice: [ {assignee: janet}, {assignee: bob} ], ken: [ {assignee: janet} ] } }
Hands on example with OPA Input { method: GET path: [accounts, alice] subject: { user: janet groups: [support] } } Data { tickets: { alice: [ {assignee: janet} ] } } package acmecorp.authz default allow = false allow = true { input.method = "GET" input.path = ["accounts", id] input.subject.groups[_] = "support" input.subject.user = data.tickets[id][_].assignee }
Example Policy++ "Tech support specialists should only perform device updates during core business hours (10AM to 3PM GMT)."
allow { input.action = "UpdateDevice" input.subject.groups[_] = "support" inside_business_hours } inside_business_hours { [hour, minute, second] = time.clock(time.now_ns()) time_of_day = (hour * seconds_per_hour) + (minute * seconds_per_minute) + second time_of_day >= 10 * seconds_per_hour time_of_day <= 15 * seconds_per_hour } seconds_per_hour = 60 * 60 seconds_per_minute = 60 Example Policy++
For example: ● valuable data on PVs must be retained 6 months after app is undeployed ● default reclaim policy is "delete" because clean-up is annoying ● admins want to grant exceptions for specific apps to use "retain" policy Beyond the app
Kubernetes Admission Policy package kubernetes.admission import data.kubernetes.storageclasses reclaim_exceptions = {"payments", "clickstream"} # Generate an admission control violation error if... deny["invalid reclaim policy requested by app"] { # Input object is a PVC and ... input.kind = "PersistentVolumeClaim" # StorageClass specifies the "Retain" reclaim policy and... name = input.spec.storageClassName storageclasses[name].reclaimPolicy = "Retain" # The app that owns the PVC is not whitelisted. not reclaim_exceptions[input.labels["app"]] }

Recommended

OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
Torin Sandall
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
Torin Sandall
 

Recommended

OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
Torin Sandall
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
Torin Sandall
 
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
Ashutosh Narkar
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
Opa microservice authorization
Opa microservice authorizationOpa microservice authorization
Opa microservice authorization
Anders Eknert
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
CloudOps2005
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Open Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyOpen Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes Policy
Motonori Shindo
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Anders Eknert
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
Access Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked DataAccess Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked Data
Luca Costabello
 
Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)
DevDays
 
Analyse your SEO Data with R and Kibana
Analyse your SEO Data with R and KibanaAnalyse your SEO Data with R and Kibana
Analyse your SEO Data with R and Kibana
Vincent Terrasi
 
Use Cases for Elastic Search Percolator
Use Cases for Elastic Search PercolatorUse Cases for Elastic Search Percolator
Use Cases for Elastic Search Percolator
Maxim Shelest
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)
DevDays
 
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Michael Reinsch
 
ElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to AggregationsElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to Aggregations
enterprisesearchmeetup
 
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin BhuiyanContent Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Cefalo
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
Nate Barbettini
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
Knoldus Inc.
 
Elasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easyElasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easy
Itamar
 
Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
Ashutosh Narkar
 
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Amazon Web Services
 

More Related Content

What's hot

Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
Ashutosh Narkar
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
Opa microservice authorization
Opa microservice authorizationOpa microservice authorization
Opa microservice authorization
Anders Eknert
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
CloudOps2005
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Open Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyOpen Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes Policy
Motonori Shindo
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Anders Eknert
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
Access Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked DataAccess Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked Data
Luca Costabello
 
Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)
DevDays
 
Analyse your SEO Data with R and Kibana
Analyse your SEO Data with R and KibanaAnalyse your SEO Data with R and Kibana
Analyse your SEO Data with R and Kibana
Vincent Terrasi
 
Use Cases for Elastic Search Percolator
Use Cases for Elastic Search PercolatorUse Cases for Elastic Search Percolator
Use Cases for Elastic Search Percolator
Maxim Shelest
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)
DevDays
 
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Michael Reinsch
 
ElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to AggregationsElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to Aggregations
enterprisesearchmeetup
 
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin BhuiyanContent Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Cefalo
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
Nate Barbettini
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
Knoldus Inc.
 
Elasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easyElasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easy
Itamar
 

What's hot (20)

Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldFine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized World
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Opa microservice authorization
Opa microservice authorizationOpa microservice authorization
Opa microservice authorization
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Open Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyOpen Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes Policy
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
 
Access Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked DataAccess Control for HTTP Operations on Linked Data
Access Control for HTTP Operations on Linked Data
 
Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)
 
Analyse your SEO Data with R and Kibana
Analyse your SEO Data with R and KibanaAnalyse your SEO Data with R and Kibana
Analyse your SEO Data with R and Kibana
 
Use Cases for Elastic Search Percolator
Use Cases for Elastic Search PercolatorUse Cases for Elastic Search Percolator
Use Cases for Elastic Search Percolator
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)
 
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
 
ElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to AggregationsElasticSearch - Introduction to Aggregations
ElasticSearch - Introduction to Aggregations
 
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin BhuiyanContent Negotiation in HTTP - Ibnul Tahsin Bhuiyan
Content Negotiation in HTTP - Ibnul Tahsin Bhuiyan
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
 
Elasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easyElasticsearch Distributed search & analytics on BigData made easy
Elasticsearch Distributed search & analytics on BigData made easy
 

Similar to Dynamic Authorization & Policy Control for Docker Environments

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
Ashutosh Narkar
 
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Amazon Web Services
 
Comprehensive container based service monitoring with kubernetes and istio
Comprehensive container based service monitoring with kubernetes and istioComprehensive container based service monitoring with kubernetes and istio
Comprehensive container based service monitoring with kubernetes and istio
Fred Moyer
 
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
VMware Tanzu
 
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Vinícius Carvalho
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
 
Creating PostgreSQL-as-a-Service at Scale
Creating PostgreSQL-as-a-Service at ScaleCreating PostgreSQL-as-a-Service at Scale
Creating PostgreSQL-as-a-Service at Scale
Sean Chittenden
 
Real-time Analytics with Trino and Apache Pinot
Real-time Analytics with Trino and Apache PinotReal-time Analytics with Trino and Apache Pinot
Real-time Analytics with Trino and Apache Pinot
Xiang Fu
 
Using Event Streams in Serverless Applications
Using Event Streams in Serverless ApplicationsUsing Event Streams in Serverless Applications
Using Event Streams in Serverless Applications
Jonathan Dee
 
Sprint 49 review
Sprint 49 reviewSprint 49 review
Sprint 49 review
ManageIQ
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
Sitaraman Lakshminarayanan
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
Amazon Web Services
 
Measure() or die()
Measure() or die()Measure() or die()
Measure() or die()
Tamar Duvshani Hermel
 
Measure() or die()
Measure() or die() Measure() or die()
Measure() or die()
LivePerson
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
Ppl presentation 2010
Ppl presentation 2010Ppl presentation 2010
Ppl presentation 2010SlimTrabelsi
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
Uni w pachube 111108
Uni w pachube 111108Uni w pachube 111108
Uni w pachube 111108
Paul Tanner
 
Data Platform Architecture Principles and Evaluation Criteria
Data Platform Architecture Principles and Evaluation CriteriaData Platform Architecture Principles and Evaluation Criteria
Data Platform Architecture Principles and Evaluation Criteria
ScyllaDB
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom Domains
Atlassian
 

Similar to Dynamic Authorization & Policy Control for Docker Environments (20)

Protecting the Data Lake
Protecting the Data LakeProtecting the Data Lake
Protecting the Data Lake
 
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...
 
Comprehensive container based service monitoring with kubernetes and istio
Comprehensive container based service monitoring with kubernetes and istioComprehensive container based service monitoring with kubernetes and istio
Comprehensive container based service monitoring with kubernetes and istio
 
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
 
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Creating PostgreSQL-as-a-Service at Scale
Creating PostgreSQL-as-a-Service at ScaleCreating PostgreSQL-as-a-Service at Scale
Creating PostgreSQL-as-a-Service at Scale
 
Real-time Analytics with Trino and Apache Pinot
Real-time Analytics with Trino and Apache PinotReal-time Analytics with Trino and Apache Pinot
Real-time Analytics with Trino and Apache Pinot
 
Using Event Streams in Serverless Applications
Using Event Streams in Serverless ApplicationsUsing Event Streams in Serverless Applications
Using Event Streams in Serverless Applications
 
Sprint 49 review
Sprint 49 reviewSprint 49 review
Sprint 49 review
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
 
Measure() or die()
Measure() or die()Measure() or die()
Measure() or die()
 
Measure() or die()
Measure() or die() Measure() or die()
Measure() or die()
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010
 
Ppl presentation 2010
Ppl presentation 2010Ppl presentation 2010
Ppl presentation 2010
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010
 
Uni w pachube 111108
Uni w pachube 111108Uni w pachube 111108
Uni w pachube 111108
 
Data Platform Architecture Principles and Evaluation Criteria
Data Platform Architecture Principles and Evaluation CriteriaData Platform Architecture Principles and Evaluation Criteria
Data Platform Architecture Principles and Evaluation Criteria
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom Domains
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 

Dynamic Authorization & Policy Control for Docker Environments

  • 1. Dynamic Authorization and Policy Control for Docker Container Environments
  • 2. TORIN SANDALL Engineer, Styra @sometorin JUSTIN CORMACK Engineer, Docker @justincormack
  • 4.
  • 5.
  • 6. ● Heterogeneity: many languages, protocols, systems ● Dynamism: system changing, policies changing ● How do you enforce and audit policy? ● Correctness, performance, cost Challenges
  • 7. Today we are going to talk about tools and approaches for solving this problem! Computers can help!
  • 9. Example Scenario: AcmeCorp ● Pet camera & home monitoring devices ● Watch your cute pets while you travel ● Always on, always connected
  • 10. AcmeCorp's Architecture Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support)
  • 11. AcmeCorp's Problem Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support)
  • 12. "Tech support specialists accessing customer data must be assigned to an open ticket for the customer they are assisting." Example Policy
  • 13. Example Implementation Portal PaymentsAccounts Device UpdatesDevice Streams Stream Archiving HTTP HTTP gRPCHLS S3 MySQL Alice (Customer) AcmeCorp VPC Janet (Tech support) authzauthzauthzauthz authz authz
  • 14. Example Implementation business logic authorization logic def get_user_account(req): if not authorized(req): raise status(403) return db.read_user_account(req.id) def authorized(req): if "support" in req.subject.groups: for ticket in get_open_tickets(req.id): if req.subject.user == ticket.assignee: return True return False # other authorization logic...
  • 15. Obvious questions... def get_user_account(req): if not authorized(req): raise status(403) return db.read_user_account(req.id) def authorized(req): if "support" in req.subject.groups: for ticket in get_open_tickets(req.id): if req.subject.user == ticket.assignee: return True return False # other authorization logic... What happens when the policy changes... What if the policy requires additional context... What if the customer requires control of the policy... What if the policy was not implemented correctly... What if you have 100+ services written in N langs...
  • 16. What is Open Policy Agent?
  • 17. OPA: general-purpose policy engine Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Chef Medallia Cloudflare State Street Pinterest Intuit ...and many more. Today CNCF project (Sandbox) 36 contributors 1.5K stars 400 slack members 20+ integrations Open Policy Agent
  • 18. OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request
  • 19. OPA: general-purpose policy engine Accounts OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request GET /accounts/alice HTTP/1.1 Authorization: janet
  • 20. OPA: general-purpose policy engine Accounts OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request GET /accounts/alice HTTP/1.1 Authorization: janet { "method": "GET", "path": ["accounts", "alice"], "user": "janet" } true or false
  • 21. OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request Service refers to any one of: ● Custom service ● Kubernetes API server ● Message broker ● SSH daemon ● CI/CD pipeline script
  • 22. OPA: general-purpose policy engine Service OPA Policy (Rego) Data (JSON) Policy Query Policy Decision Enforcement Request Service refers to any one of: ● Custom service ● Kubernetes API server ● Message broker ● SSH daemon ● CI/CD pipeline script Input can be any JSON value: "alice" ["v1", "users", "bob"] {"kind": "Pod", "spec": …} Output can be any JSON value: true "request rejected" {"servers": ["web1", "web2"]}
  • 24. "Tech support specialists accessing customer data must be assigned to an open ticket for the customer they are assisting." Example Policy
  • 26. ● write rules not code ● re-use same policy across all applications and languages ● support audit and testing A better way to build policy
  • 27. OPA: Integrations Data Filtering Admission Control “Restrict ingress hostnames for payments team.” “Ensure container images come from corporate repo.” API Authorization “Deny test scripts access to production services.” “Allow analysts to access APIs serving anonymized data.” Data Protection Linux PAM SSH & sudo “Only allow on-call engineers to SSH into production servers.” "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA." "Users can access files for past 6 months related to the region they licensed."
  • 28. ● allow developers to see effect of policy earlier ● show effect of policy as soon as possible ● have ability to move point of enforcement around if it improves code ● test policy was enforced in production as well “Shift left”
  • 29. ● https://www.openpolicyagent.org/ ● https://slack.openpolicyagent.org/ ● https://github.com/open-policy-agent ● Examples from talk ○ https://github.com/tsandall/dockercon-eu-2018 Questions? I want more!
  • 31. OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data
  • 32. OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies
  • 33. OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA
  • 34. OPA: general-purpose policy engine Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement ● Declarative Policy Language (Rego) ○ Can identity I do operation O on resource R? ■ ACLs, RBAC, IAM, ABAC ○ What invariants does workload W violate? ■ Enforce, audit, dry-run ○ Which records should bob be allowed to see? ■ Constraints on data ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc.
  • 35. Hands on example with OPA Accounts OPA Bundle Server Policy + Tickets GET /accounts/alice HTTP/1.1 Authorization: Bearer ... Input { method: GET path: [accounts, alice] subject: { user: janet groups: [support] } } Result true (allow) or false (deny) Data { tickets: { alice: [ {assignee: janet}, {assignee: bob} ], ken: [ {assignee: janet} ] } }
  • 36. Hands on example with OPA Input { method: GET path: [accounts, alice] subject: { user: janet groups: [support] } } Data { tickets: { alice: [ {assignee: janet} ] } } package acmecorp.authz default allow = false allow = true { input.method = "GET" input.path = ["accounts", id] input.subject.groups[_] = "support" input.subject.user = data.tickets[id][_].assignee }
  • 37. Example Policy++ "Tech support specialists should only perform device updates during core business hours (10AM to 3PM GMT)."
  • 38. allow { input.action = "UpdateDevice" input.subject.groups[_] = "support" inside_business_hours } inside_business_hours { [hour, minute, second] = time.clock(time.now_ns()) time_of_day = (hour * seconds_per_hour) + (minute * seconds_per_minute) + second time_of_day >= 10 * seconds_per_hour time_of_day <= 15 * seconds_per_hour } seconds_per_hour = 60 * 60 seconds_per_minute = 60 Example Policy++
  • 39. For example: ● valuable data on PVs must be retained 6 months after app is undeployed ● default reclaim policy is "delete" because clean-up is annoying ● admins want to grant exceptions for specific apps to use "retain" policy Beyond the app
  • 40. Kubernetes Admission Policy package kubernetes.admission import data.kubernetes.storageclasses reclaim_exceptions = {"payments", "clickstream"} # Generate an admission control violation error if... deny["invalid reclaim policy requested by app"] { # Input object is a PVC and ... input.kind = "PersistentVolumeClaim" # StorageClass specifies the "Retain" reclaim policy and... name = input.spec.storageClassName storageclasses[name].reclaimPolicy = "Retain" # The app that owns the PVC is not whitelisted. not reclaim_exceptions[input.labels["app"]] }