Docker Rosenheim Meetup: Policy & Governance for Kubernetes
0 likes104 views
The document covers the importance of cloud governance, specifically in the context of Kubernetes, highlighting the need to reduce risks and manage resources effectively. It discusses the Open Policy Agent (OPA) as a foundational policy engine for cloud-native environments and introduces OPA Gatekeeper as a Kubernetes implementation to enforce governance rules. The presentation aims to provide insights into policy-based control and demonstrate examples of governance in action.
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
- 1. Policy & Governance for Kubernetes Docker Rosenheim Meetup, June 2020
- 2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero, Docker Community Leader • loves Kubernetes, DevOps and Cloud © white duck GmbH 2020 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
- 3. Agenda • Cloud Governance? Why do we need it? • Governance for Kubernetes • Open Policy Agent – the foundation • OPA Gatekeeper – the Kubernetes implementation © white duck GmbH 2020
- 4. CLOUD GOVERNANCE Why do we need it? © white duck GmbH 2020
- 5. Cloud Governance … … is used to provide a set of rules that defines guidelines that can either be enforced or audited. © white duck GmbH 2020
- 6. Why do we need it? • decisions are made decentralized & taken at a rapid pace • therefore it is important to • reduce risk • control shadow IT • make it easier to manage cloud resources • reduce effort © white duck GmbH 2020
- 7. KUBERNETES GOVERNANCE Why do we need it? © white duck GmbH 2020
- 8. Governance for Kubernetes • Authorization with Role-based Access Control (RBAC) • is used to define who is allowed to do what • very granular • But: Kubernetes offers nothing to control/change the specification of resources • which is essential for successfully governing a cluster © white duck GmbH 2020
- 9. Some examples are • whitelist of trusted container registries, images or tags • required container security specifications • required labels to group resources • permit conflicting Ingress host resources • permit publicly exposed LoadBalancer services © white duck GmbH 2020
- 10. OPEN POLICY AGENT The foundation © white duck GmbH 2020
- 11. Open Policy Agent • “policy-based control for cloud native environments” • general-purpose policy engine • open-source project created by styra • CNCF project since 2018 • declarative policy language • decoupled • Golang library • REST API with sidecar or daemon © white duck GmbH 2020
- 12. © white duck GmbH 2020
- 13. Ecosystem • API and service authorization with Envoy, Kong or Traefik • Authorization policies for SQL, Kafka and others • Container Network authorization with Istio • Test policies for Terraform infrastructure changes • Polices for SSH and sudo • Policy and Governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem/ © white duck GmbH 2020
- 14. How OPA works © white duck GmbH 2020
- 15. How OPA works © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } { }
- 16. Rego • “ray-go” • inspired by Datalog with support for JSON • declarative Policy Language • ”is Nico allowed to POST a payload to /api” • Build-in functions • JWTs • date/time • Regex • … © white duck GmbH 2020 package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" }
- 17. Rego in action © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" } { }
- 18. OPA Tips • OPA binary • opa run, opa test, … • Rego Playground • https://play.openpolicyagent.org/ • VS Code plugin • management APIs • bundle API à send policies and data to OPA • status API à for observability/monitoring • log API à for receiving audit logs © white duck GmbH 2020
- 19. OPA GATEKEEPER OPA Kubernetes implementation © white duck GmbH 2020
- 20. OPA Gatekeeper • Kubernetes implementation of OPA • build by Google, Microsoft, Red Hat, and styra • based on • Open Policy Agent daemon • Kubernetes Admission Controller • Custom Resource Definitions (CRDs) • AuthZ Webhook • based on OPA Constraint Framework • can be installed with Helm or kubectl apply • https://github.com/open-policy-agent/gatekeeper © white duck GmbH 2020
- 21. How Gatekeeper works © white duck GmbH 2020 https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
- 22. How Gatekeeper works © white duck GmbH 2020
- 23. How Gatekeeper works © white duck GmbH 2020
- 24. Demos • OPA Gatekeeper in action • example rules • required label • trusted images • unique ingress hosts • auditing © white duck GmbH 2020
- 25. Questions? Slides: https://www.slideshare.net/nmeisenzahl Demos: https://gitlab.com/nico-meisenzahl/opa-gatekeeper-sample Nico Meisenzahl (Senior Cloud & DevOps Consultant) Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org © white duck GmbH 2020