Docker Rosenheim Meetup: Policy & Governance for Kubernetes

In this meetup we want to give you an overview of policy and governance for Kubernetes. We look at the open source project Open Policy Agent Gatekeeper and show you how you could use it.


Docker Rosenheim Meetup: Policy & Governance for Kubernetes

  1. Policy & Governance for Kubernetes, Docker Rosenheim Meetup, June 2020
  2. Nico Meisenzahl
     • Senior Cloud & DevOps Consultant at white duck
     • Microsoft MVP, GitLab Hero, Docker Community Leader
     • loves Kubernetes, DevOps and Cloud
     © white duck GmbH 2020
     Phone: +49 8031 230159 0, Email: nico.meisenzahl@whiteduck.de, Twitter: @nmeisenzahl, LinkedIn: https://www.linkedin.com/in/nicomeisenzahl, Blog: https://meisenzahl.org
  3. Agenda
     • Cloud Governance? Why do we need it?
     • Governance for Kubernetes
     • Open Policy Agent – the foundation
     • OPA Gatekeeper – the Kubernetes implementation
  4. CLOUD GOVERNANCE – Why do we need it?
  5. Cloud Governance is used to provide a set of rules that define guidelines which can either be enforced or audited.
  6. Why do we need it?
     • decisions are made in a decentralized way and at a rapid pace
     • therefore it is important to
       • reduce risk
       • control shadow IT
       • make it easier to manage cloud resources
       • reduce effort
  7. KUBERNETES GOVERNANCE – Why do we need it?
  8. Governance for Kubernetes
     • Authorization with Role-based Access Control (RBAC)
       • is used to define who is allowed to do what
       • very granular
     • But: Kubernetes offers nothing to control/change the specification of resources
       • which is essential for successfully governing a cluster
  9. Some examples are
     • whitelist of trusted container registries, images or tags
     • required container security specifications
     • required labels to group resources
     • permit conflicting Ingress host resources
     • permit publicly exposed LoadBalancer services
  10. OPEN POLICY AGENT – The foundation
  11. Open Policy Agent
     • "policy-based control for cloud native environments"
     • general-purpose policy engine
     • open-source project created by Styra
     • CNCF project since 2018
     • declarative policy language
     • decoupled
       • Golang library
       • REST API with sidecar or daemon
  12. (diagram)
  13. Ecosystem
     • API and service authorization with Envoy, Kong or Traefik
     • Authorization policies for SQL, Kafka and others
     • Container network authorization with Istio
     • Test policies for Terraform infrastructure changes
     • Policies for SSH and sudo
     • Policy and Governance for Kubernetes
     • and many more: https://www.openpolicyagent.org/docs/latest/ecosystem/
  14. How OPA works (diagram)
  15. How OPA works: the service hands the request context to OPA as a JSON input document and gets the decision back as JSON

     ```http
     POST /api HTTP/1.1
     Authorization: nico
     ```

     Input sent to OPA:

     ```json
     { "method": "POST", "path": "api", "user": "nico" }
     ```

     Decision returned by OPA:

     ```json
     { "allow": true }
     ```
  16. Rego
     • pronounced "ray-go"
     • inspired by Datalog, with support for JSON
     • declarative policy language: "is Nico allowed to POST a payload to /api?"
     • built-in functions: JWTs, date/time, regex, …

     ```rego
     package app.abac

     # deny unless some allow rule body holds
     default allow = false

     allow {
         action_is_post
         user_is_owner
     }

     action_is_post {
         input.method == "POST"
     }

     user_is_owner {
         input.user == "nico"
     }
     ```
  17. Rego in action: the request, input and policy from slides 15 and 16 put together; with input.method "POST" and input.user "nico" both rule bodies hold, so allow is true and OPA returns `{ "allow": true }`
  18. OPA Tips
     • OPA binary: opa run, opa test, …
     • Rego Playground: https://play.openpolicyagent.org/
     • VS Code plugin
     • management APIs
       • bundle API → send policies and data to OPA
       • status API → for observability/monitoring
       • log API → for receiving audit logs
  19. OPA GATEKEEPER – OPA Kubernetes implementation
  20. OPA Gatekeeper
     • Kubernetes implementation of OPA
     • built by Google, Microsoft, Red Hat, and Styra
     • based on
       • Open Policy Agent daemon
       • Kubernetes Admission Controller
       • Custom Resource Definitions (CRDs)
       • AuthZ Webhook
     • based on the OPA Constraint Framework
     • can be installed with Helm or kubectl apply
     • https://github.com/open-policy-agent/gatekeeper
  21. How Gatekeeper works (diagram from https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/)
  22. How Gatekeeper works (diagram)
  23. How Gatekeeper works (diagram)
  24. Demos: OPA Gatekeeper in action
     • example rules
       • required label
       • trusted images
       • unique ingress hosts
     • auditing
  25. Questions?
     Slides: https://www.slideshare.net/nmeisenzahl
     Demos: https://gitlab.com/nico-meisenzahl/opa-gatekeeper-sample
     Nico Meisenzahl (Senior Cloud & DevOps Consultant), Phone: +49 8031 230159 0, Email: nico.meisenzahl@whiteduck.de, Twitter: @nmeisenzahl, LinkedIn: https://www.linkedin.com/in/nicomeisenzahl, Blog: https://meisenzahl.org
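As an added example (not code from the meetup's demo repository), this is what the "trusted images" rule from the demo list on slide 24 could look like as the Rego body of a Gatekeeper ConstraintTemplate, with unit tests that run locally via `opa test` as mentioned on slide 18. Assumptions: the package name `k8strustedregistries` and the constraint parameter `registries` (a list of allowed image prefixes) are hypothetical, and the Pod specs in the tests are constructed.

```rego
# Rego for the spec.targets[].rego field of a Gatekeeper ConstraintTemplate
# (added example, not the demo repo's code). Gatekeeper supplies the
# admission request as input.review and the constraint's spec.parameters
# as input.parameters; the assumed parameter is a list of registry prefixes.
package k8strustedregistries

# every container of the reviewed Pod, init containers included
containers[c] {
  c := input.review.object.spec.containers[_]
}

containers[c] {
  c := input.review.object.spec.initContainers[_]
}

# one violation per container whose image matches no trusted prefix;
# Gatekeeper denies the request (or records an audit finding) when the
# violation set is non-empty
violation[{"msg": msg}] {
  c := containers[_]
  not trusted(c.image)
  msg := sprintf("container <%v> uses image <%v> from an untrusted registry", [c.name, c.image])
}

# caveat: "busybox:1.32" carries no registry host (it implies docker.io),
# so a prefix such as "docker.io/" deliberately does not match it
trusted(image) {
  startswith(image, input.parameters.registries[_])
}

# unit tests, run with `opa test .`; the Pod specs below are constructed
test_trusted_image_allowed {
  count(violation) == 0 with input as {
    "parameters": {"registries": ["registry.example.com/"]},
    "review": {"object": {"spec": {"containers": [
      {"name": "app", "image": "registry.example.com/team/app:1.0"}
    ]}}}
  }
}

test_untrusted_init_container_denied {
  count(violation) == 1 with input as {
    "parameters": {"registries": ["registry.example.com/"]},
    "review": {"object": {"spec": {
      "containers": [{"name": "app", "image": "registry.example.com/team/app:1.0"}],
      "initContainers": [{"name": "init", "image": "busybox:1.32"}]
    }}}
  }
}
```

Setting `enforcementAction: dryrun` on the constraint that references this template lets the audit feature report violations without blocking admission, which is the safer first step on an existing cluster.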
