Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.
3. ● A Containerized World !
● Open Policy Agent
○ Community
○ Features
○ Integrations
○ Use Cases
● Use case deep dive
○ Kubernetes Admission Control
Agenda
4. A Containerized World !
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
POD POD POD
NODE
5. ● Intent-based API
○ Focus on WHAT and not HOW
● Define the desired state in YAML files
○ kubectl apply
Security Challenges
# nginx-pod.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
6. ● All pods must only use images from trusted repos
● Ensure all containers specify CPU and memory requirements
● Ensure containers don’t use “latest” tag
● Prevent containers from running in privileged mode
● Ensure no two ingresses are configured with the same hostname
● Prevent workloads from running on master nodes
Example Security Policies on Kubernetes Cluster
7. ● All pods must only use images from trusted repos
● Ensure all containers specify CPU and memory requirements
● Ensure containers don’t use “latest” tag
● Prevent containers from running in privileged mode
● Ensure no two ingresses are configured with the same hostname
● Prevent workloads from running on master nodes
Example Security Policies on Kubernetes Cluster
8. ● All pods must only use images from trusted repos
● Ensure all containers specify CPU and memory requirements
● Ensure containers don’t use “latest” tag
● Prevent containers from running in privileged mode
● Ensure no two ingresses are configured with the same hostname
● Prevent workloads from running on master nodes
Example Security Policies on Kubernetes Cluster
9. ● All pods must only use images from trusted repos
● Ensure all containers specify CPU and memory requirements
● Ensure containers don’t use “latest” tag
● Prevent containers from running in privileged mode
● Ensure no two ingresses are configured with the same hostname
● Prevent workloads from running on master nodes
Example Security Policies on Kubernetes Cluster
11. OPA: Community
Inception
Project started in 2016
at Styra.
Goal
Unify policy
enforcement across the
stack.
Use Cases
Admission control
Authorization
ACLs
RBAC
IAM
ABAC
Risk management
Data Protection
Data Filtering
Users
Netflix
Chef
Medallia
Cloudflare
State Street
Pinterest
Intuit
Capital One
ABN AMRO
...and many more.
Today
CNCF project (Incubating)
70+ contributors
1100+ slack members
2400+ stars
20+ integrations
13. ● Declarative Policy Language (Rego)
○ Can user X do operation Y on resource Z?
○ What invariants does workload W violate?
○ Which records should bob be allowed to see?
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
OPA: Features
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
14. OPA: Integrations
Data Filtering
Admission Control “Restrict ingress hostnames for payments team.”
“Ensure container images come from corporate repo.”
API Authorization
“Deny test scripts access to production services.”
“Allow analysts to access APIs serving anonymized data.”
Data Protection
Linux PAM SSH & Sudo “Only allow on-call engineers to SSH into production
servers.”
"Trades exceeding $10M must be executed between
9AM and 5PM and require MFA."
"Users can access files for past 6 months related to the
region they licensed."
16. How does OPA work?
Salary Service V1
OPA
Policy
(Rego)
Data
(JSON)
Request
DecisionQuery
Example policy
"Employees can read their own salary
and the salary of anyone they
manage."
17. How does OPA work?
Example policy
Employees can read their own salary and the salary of
anyone they manage.
Input Data
method: "GET"
path: ["salary", "bob"]
user: "bob"
22. Use Case: Kubernetes Admission Control
apiserver
admission controllers
quota execwebhook
kubectl apply -f app.yaml
OPA
Example Policies
● Images may only be pulled from internal
registry
● Only scanned images may be deployed in
namespaces A, B, and C
● QA team must sign-off on image before
deployed to production
● Stateful deployments must use ‘recreate’
update strategy
● Developers must not modify selectors or
labels referred to by selectors after
creation
● Containers must have CPU and memory
resource requests and limits set
● Containers cannot run with privileged
security context
● Services in namespace X should have
AWS SSL annotation added
27. Deploy Alice’s Demo App in Dev Namespace
Ingress
Alice’s
productpage
Service
Pod
App
NAMESPACE = DEVrules:
- host: *
http:
paths:
- path: /
backend:
serviceName: productpage
servicePort: 80
28. What Just Happened ?!?!
productpage
Service
Pod
App
NAMESPACE = PROD
hooli.com Incoming
Request
Ingress
Alice’s
productpage
Service
NAMESPACE = DEV
App
Pod