Using source code management patterns to configure and secure your Kubernetes clusters
0 likes114 views
The document discusses the configuration and security of Kubernetes clusters using source code management patterns, presenting tools such as Anthos Config Management (ACM) and components like the config sync policy controller and policy controller based on Open Policy Agent. It emphasizes the integration of these tools for managing resources and enforcing policies within multi-platform environments, including Google Cloud and other public clouds. Key features include the registration of KCC resources and enforcement of security policies through custom Kubernetes objects.
Using source code management patterns to configure and secure your Kubernetes clusters
- 1. Using source code management patterns to configure and secure your Kubernetes clusters Giovanni Galloro - Customer Engineer, Google Cloud 23-24-25 Marzo, 2021
- 2. Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Operator team Imperative ops Multi-Platform environment kubectl
- 3. Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Operator team Config repo Multi-Platform environment
- 4. Anthos Config Management (ACM) Components Config Sync Policy Controller Config Connector Hosted ACM UI and API ACM Operator
- 5. GKE Anthos Service Mesh Cloud Code Cloud Run Anthos Con g Management Cloud Logging, Cloud Monitoring Google Cloud Baremetal Other public clouds: AWS EC2, Azure VMs Attached clusters: EKS, AKS On-prem hypervisor
- 6. GKE Anthos Service Mesh Cloud Code Cloud Run Anthos Con g Management Cloud Logging, Cloud Monitoring Google Cloud Baremetal Other public clouds: AWS EC2, Azure VMs Attached clusters: EKS, AKS On-prem hypervisor
- 7. Config Sync Policy Controller Config Connector Hosted ACM UI and API ACM Operator Anthos Config Management (ACM) Components
- 8. Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Pods Pods ns:app1 ns:app2 Operator team Config repo Multi-Platform environment
- 9. Branch Validate Review Merge Deploy Source Code Management approach to Config Management
- 10. Config Sync Policy Controller Config Connector Hosted ACM UI and API ACM Operator Anthos Config Management (ACM) Components
- 11. Policy controller Based on Open Policy Agent’s Gatekeeper, ACM Policy Controller provides first-class integration between OPA and Kubernetes via a custom controller. It turns Rego policies into Kubernetes objects, allowing them to be customized and deployed using standard workflows. GKE Policy Controller AdmissionReview (request) AdmissionReview (response) kubectl Config Mgmt API Clients Policy Rule Definition Enforcement
- 13. Pod Security Policies → Gatekeeper Constraints PSP Field Name OPA GK Constraint Template privileged privileged-containers hostPID, hostIPC host-namespaces hostNetwork, hostPorts host-network-ports volumes volumes allowedHostPaths host-filesystem allowedFlexVolumes flexvolume-drivers runAsUser, runAsGroup, supplementalGroups users* fsGroup users* readOnlyRootFilesystem read-only-root-filesystem allowPrivilegeEscalation allow-privilege-escalation defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities capabilities seLinux seLinux allowedProcMountTypes proc-mount Annotations for AppArmor profile apparmor Annotations for seccomp profile seccomp forbiddenSysctls,allowedUnsafeSysctls forbidden-sysctls
- 14. Config Sync Policy Controller Config Connector Hosted ACM UI and API ACM Operator Anthos Config Management (ACM) Components
- 15. How does KCC work? KCC resources are registered via Custom Resource Definitions watched by the KCC controller Spanner Cloud SQL Pub/Sub Storage Redis IAM Kubernetes cluster KCC controller manager CRD etcd CRUD APIs API server
- 16. Q & A