apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra
Download as PPTX, PDF•0 likes•214 views
The document discusses the Open Policy Agent (OPA) and its role in cloud-native software authorization, highlighting its adoption across various platforms and use cases. It outlines the functionalities of OPA, particularly through Styra DAS, which offers management capabilities for enterprise policy enforcement and governance. The document also emphasizes the importance of flexible policies for Kubernetes and microservices, along with the benefits of integrating OPA as a declarative authorization service.
![Copyright ©2021 Styra, Inc. | All Rights Reserved
What does an OPA policy for Kubernetes look like?
package kubernetes.admission
deny[msg] {
input.request.kind.kind == "Pod"
some i
image := input.request.object.spec.containers[i].image
not startswith(image, "hooli.com/")
msg := sprintf("image comes from bad registry: %v", [image])
}
apiVersion: admission.k8s.io/v1beta1
kind: AdmissionReview
request:
kind:
group: ''
kind: Pod
version: v1
namespace: opa
object:
metadata:
labels:
app: nginx
name: nginx
namespace: opa
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
operation: CREATE
JSON/YAML from Kubernetes
OPA Policy: All images come from a trusted registry
OPA Playground](https://image.slidesharecdn.com/das-apidaysworkshop2021-210807010122/85/apidays-LIVE-New-York-2021-Simplify-Open-Policy-Agent-with-Styra-DAS-by-Tim-Hinrichs-Styra-23-320.jpg)
![Copyright ©2021 Styra, Inc. | All Rights Reserved
What does an OPA policy for Envoy look like?
package envoy.authz
# everyone can GET /
allow {
input.attributes.request.http.method == "GET"
input.parsed_path = ["/"]
}
# updates to /v1/admin/{id} dependent on source IP
allow {
input.attributes.request.http.method == "PUT"
input.parsed_path = ["v1", "admin", id]
user_is_admin
src := input.attributes.source.address.Address.SocketAddress.address
net.cidr_contains("172.28.0.0/16", src)
}
user_is_admin { ... }
parsed_path: [“api”, “v1”, “products”]
attributes:
source:
address:
Address:
SocketAddress:
address: "172.17.0.10"
PortSpecifier:
PortValue: 36472
destination:
address:
Address:
SocketAddress:
address: "172.17.0.17"
PortSpecifier:
PortValue: 9080
request:
http:
id: 13359530607844510314
method: GET
headers: ...
path: "/api/v1/products"
host: "192.168.99.100:31380"
protocol: "HTTP/1.1"
JSON/YAML from Envoy
OPA Policy: Allow all GET and some PUT
OPA Playground](https://image.slidesharecdn.com/das-apidaysworkshop2021-210807010122/85/apidays-LIVE-New-York-2021-Simplify-Open-Policy-Agent-with-Styra-DAS-by-Tim-Hinrichs-Styra-24-320.jpg)
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim Hinrichs, Styra
- 1. Copyright ©2021 Styra, Inc. | All Rights Reserved Creators of Open Policy Agent Simplify Open Policy Agent with Styra DAS Tim Hinrichs CTO, co-founder Styra co-creator OPA @tlhinrichs
- 2. Copyright ©2021 Styra, Inc. | All Rights Reserved Adoption of the Cloud-native Software Stack is Skyrocketing Linux Tekton Github Actions CICD Container Management Microservices / Apps Databases Public Cloud Servers Platform App CICD Pipeline 1 2 3 4 Gateway Frontend Backend DB App 2
- 3. Copyright ©2021 Styra, Inc. | All Rights Reserved Authorization Happens Everywhere in the Cloud-native Stack Linux Tekton Github Actions CICD Container Management Microservices / Apps Databases Public Cloud Servers Platform App CICD Pipeline 1 2 3 4 Gateway Frontend Backend DB App 3 Can user Alice withdraw money from account 123? Can service 456 request invoices from service 789 on behalf of alice? Can user Alice query the finance database? Which rows and fields can service 456 request on behalf of alice? Does this application configuration meet company standards? Can the payments service be deployed to this cluster? Can pods in namespace payments run as privileged? Can this cluster send outbound requests to IP 13.6.0.1? Are S3 buckets in account 1234 allowed to be public? Can EBS volumes for the payments app be unencrypted? Who can SSH to production servers?
- 4. Copyright ©2021 Styra, Inc. | All Rights Reserved Two Classes of Authorization: Application and Platform Linux Tekton Github Actions CICD Container Management Microservices / Apps Databases Public Cloud Servers Platform App CICD Pipeline 1 2 3 4 Gateway Frontend Backend DB App 4 Application Authorization Platform Authorization
- 5. Copyright ©2021 Styra, Inc. | All Rights Reserved Open Policy Agent: Unified Authorization, Proven in Production Linux Tekton Github Actions Platform App CICD Pipeline 1 2 3 4 Gateway Frontend Backend DB App OPA OPA OPA OPA OPA OPA 5
- 6. Copyright ©2021 Styra, Inc. | All Rights Reserved Styra DAS: Operationalize OPA for the Enterprise Linux Tekton Github Actions OPA OPA OPA OPA OPA OPA World’s first management plane for Open Policy Agent Vertically-integrated policy lifecycle management Enterprise-grade governance Declarative Authorization Service 6
- 7. Copyright ©2021 Styra, Inc. | All Rights Reserved Open Policy Agent Community Open Policy Agent (OPA) Cloud-native policy engine Contributors: 30+ companies, 150+ devs Founded by Styra (2016) / Sandbox (2018) / Incubating (2019) / Graduated (2021) GitHub Stars 5000 Downloads 80M Slack Users 4000 Sessions at KubeCon US 2019 ● Yelp - How Yelp moved security from the app to the mesh ● Google - Enforcing service mesh structure using OPA ● Goldman Sachs - K8s policy enforcement using OPA at Goldman Sachs ● Snyk - Applying policy throughout the app lifecycle with OPA ● Reddit - Kubernetes at Reddit: Tales from Production ● Adobe - What Makes A Good Multi Tenant Kubernetes Solution ● Giant Swarm - Using OPA for complex CRD Validation and Defaulting OPA Summit at KubeCon US 2019 ● Capital One - Open Policy Agent for Policy-enabled Kubernetes and CICD ● Chef - Open Policy Agent in Practice: From Angular to OPA in Chef Automate ● Pinterest - Open Policy Agent at Scale: How Pinterest Manages Policy Distribution ● Tripadvisor - Building a Testing Framework for Integrating Open Policy Agent into Kubernetes ● Atlassian - Deploying Open Policy Agent at Atlassian Sessions at Virtual KubeCon EU 2020 ● AquaSecurity: Handling Container Vulnerabilities with Open Policy Agent ● ABN AMRO: How ABN AMRO Switched Cloud Providers Without Anyone Noticing ● Medudoc: Securing Your Healthcare Data with OPA Other events or public confirmation of using OPA: Bank of New York Mellon, AWS, Synemedia, Pure Storage, VMware, Netflix, Daimler, T-Mobile, Salesforce Vendor-neutral open-source Growing Community Active End-users
- 8. Copyright ©2021 Styra, Inc. | All Rights Reserved OPA’s flexibility and DAS for Management Sidecar / Daemon Service OP A Server Library (Go or WASM) Service OP A Server Centralized Service CLI Server Service $ opa eval Service Server OP A OP A OP A Architectural Flexibility Team A’s policies Team B’s policies Common library Policy Composition Flexibility Management Flexibility Declarative Authorization Service
- 9. Copyright ©2021 Styra, Inc. | All Rights Reserved DAS: Policy Management for Individual Users and Teams 9 Enterprise governance Policy changes: roll out new policies slowly and help teams prepare Multi-team dependencies: policies are stored in each team’s home repo but are deployed as a unit Author Rego Schemas Modularize Test Assemble Test Impact Deploy Policy Data Dependency Monitor Health Decisions OPA Integrate Configure Harden Policy lifecycle management Policy overrides: enforce global policies but empower teams to add their own Visibility: let security, compliance, operations know which policies are enforced in which systems at a glance so they can review & troubleshoot Audit: Prove to auditors that the policies you have are making the decisions they should. Sustainability: Ensure your OPA deployment adapts to new teams & software and outlives its creators’ tenure CICD team K8s team LOB Team Cloud team Security Compliance Declarative Authorization Service
- 10. Copyright ©2021 Styra, Inc. | All Rights Reserved Native DAS Support for Leading OPA Use Cases DESIRED STATE k8s API Server Pod Network Policy Volumes OPA Protect k8s compute, network, storage, app configuration OPA Protect public cloud configuration Service A Service B OPA OPA Protect inbound and outbound microservice APIs Custom Service OPA Protect your custom resources and API calls
- 11. Copyright ©2021 Styra, Inc. | All Rights Reserved Creators of Open Policy Agent Open Policy Agent openpolicyagent.org @openpolicyagent Styra styra.com @styrainc Tim Hinrichs CTO, co-founder Styra co-creator OPA @tlhinrichs
- 12. Copyright ©2021 Styra, Inc. | All Rights Reserved Creators of Open Policy Agent Popular OPA/DAS Use Cases
- 13. Copyright ©2021 Styra, Inc. | All Rights Reserved Native DAS Support for Leading OPA Use Cases DESIRED STATE k8s API Server Pod Network Policy Volumes OPA Protect k8s compute, network, storage, app configuration OPA Protect public cloud configuration Service A Service B OPA OPA Protect inbound and outbound microservice APIs Custom Service OPA Protect your custom resources and API calls
- 14. Copyright ©2021 Styra, Inc. | All Rights Reserved Kubernetes Challenges OPERATIONS SECURITY COMPLIANCE CICD well implemented, policy defined, protected against mistakes Prove what has been blocked/allowed over time. Easy reporting, extremely detailed historical checks Wrong app accepting web traffic, improper egress, improper permissions…. Not including liveness probes on pods Failing to specify encrypted storage Duplicating paths/names so traffic goes to the wrong service Running containers as privileged Setting up network connections to non-approved IPs / Internet Runaway resource usage because no limits were specified Failing to include proper labels required for traffic control Running Images from Unauthorized Registries
- 15. Copyright ©2021 Styra, Inc. | All Rights Reserved Styra DAS: Push-button Authorization Controls for K8s 15 DESIRED STATE API Server RUNTIME STATE DESIRED STATE API Server RUNTIME STATE ... Open Policy Agent ● makes decisions locally and logs centrally ● flexible policy language ● vendor-neutral open-source (CNCF) Declarative Authorization Service OPA OPA Styra DAS ● OPA control plane ● 100+ Pre-built policies ● PCI, MITRE, PSP, CIS packs ● install in under 5 minutes ● multi-cluster policy authoring ● impact analysis Support all k8s flavors
- 16. Copyright ©2021 Styra, Inc. | All Rights Reserved Terraform Challenges OPERATIONS SECURITY COMPLIANCE CICD well implemented, policy defined, protected against mistakes Prove what has been blocked/allowed over time. Easy reporting, extremely detailed historical checks Wrong app accepting web traffic, improper egress, improper permissions…. Failing to specify encrypted storage Duplicating paths/names so traffic goes to the wrong service Setting up network connections to non-approved IPs / Internet Runaway resource usage because no limits were specified Failing to include proper labels for chargeback Running unauthorized VM images
- 17. Copyright ©2021 Styra, Inc. | All Rights Reserved Styra DAS: Authorization Controls for Terraform 17 Open Policy Agent ● makes decisions locally and logs centrally ● provides flexible policy language ● vendor-neutral open-source (CNCF) Declarative Authorization Service OPA Styra DAS ● policy assembly from multiple sources of truth ● distribution of policy to OPA ● audit log of decisions ● dry-runs policy changes Desired State Planned Changes terraform plan terraform apply
- 18. Copyright ©2021 Styra, Inc. | All Rights Reserved Microservice Authorization Challenges Can Alice see the list of outgoing payments? 18 Service A Service B Service C Can service A ask for Alice’s profile on behalf of Alice? Can service A ask for Hooli’s outgoing payments on behalf of Alice? On every API call, every microservice makes an authorization decision Authz Implementation Challenges ● Different languages across services. ● Centralized service is too slow for microservices ● New services/teams should snap into framework ● Security/compliance should be able to audit policies ● Journey from coarse-grained permissions to fine-grained and from gateway enforcement to microservice enforcement
- 19. Copyright ©2021 Styra, Inc. | All Rights Reserved Styra DAS: Authorization Sidecar Plus Control Plane 19 Service A Service B Service C Open Policy Agent ● makes decisions locally and logs centrally ● flexible policy language ● vendor-neutral open-source (CNCF) Declarative Authorization Service OPA OPA OPA Styra DAS ● OPA control plane ● distributes policies ● monitors OPAs ● team-based policy authoring ● impact analysis
- 20. Copyright ©2021 Styra, Inc. | All Rights Reserved Creators of Open Policy Agent FAQ
- 21. Copyright ©2021 Styra, Inc. | All Rights Reserved What does Policy-as-code mean and what does OPA provide? 21 Communicate Policies written in file format that people AND a policy engine understand. ● Precise ● Dry-runnable ● Portable Enforce Policy engine integrated into software and uses policies to make authorization decisions ● Fast ● Comprehensive ● Correct Audit Policy engine records all decisions and can be analyzed like any data ● Always-on ● Comprehensive ● Deep Govern Policy files have a lifecycle (approval, test, build, deploy) for governance. ● Manual & Automated ● Granular Policy-as-Code Approach to Authorization 21 OPA Provides .rego Policy file + Policy engine OPA Policy tools +
- 22. Copyright ©2021 Styra, Inc. | All Rights Reserved How does OPA work? Service OP A Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value OPA makes decisions. Service enforces decisions. Linux 22
- 23. Copyright ©2021 Styra, Inc. | All Rights Reserved What does an OPA policy for Kubernetes look like? package kubernetes.admission deny[msg] { input.request.kind.kind == "Pod" some i image := input.request.object.spec.containers[i].image not startswith(image, "hooli.com/") msg := sprintf("image comes from bad registry: %v", [image]) } apiVersion: admission.k8s.io/v1beta1 kind: AdmissionReview request: kind: group: '' kind: Pod version: v1 namespace: opa object: metadata: labels: app: nginx name: nginx namespace: opa spec: containers: - image: nginx imagePullPolicy: Always name: nginx operation: CREATE JSON/YAML from Kubernetes OPA Policy: All images come from a trusted registry OPA Playground
- 24. Copyright ©2021 Styra, Inc. | All Rights Reserved What does an OPA policy for Envoy look like? package envoy.authz # everyone can GET / allow { input.attributes.request.http.method == "GET" input.parsed_path = ["/"] } # updates to /v1/admin/{id} dependent on source IP allow { input.attributes.request.http.method == "PUT" input.parsed_path = ["v1", "admin", id] user_is_admin src := input.attributes.source.address.Address.SocketAddress.address net.cidr_contains("172.28.0.0/16", src) } user_is_admin { ... } parsed_path: [“api”, “v1”, “products”] attributes: source: address: Address: SocketAddress: address: "172.17.0.10" PortSpecifier: PortValue: 36472 destination: address: Address: SocketAddress: address: "172.17.0.17" PortSpecifier: PortValue: 9080 request: http: id: 13359530607844510314 method: GET headers: ... path: "/api/v1/products" host: "192.168.99.100:31380" protocol: "HTTP/1.1" JSON/YAML from Envoy OPA Policy: Allow all GET and some PUT OPA Playground
- 25. Copyright ©2021 Styra, Inc. | All Rights Reserved Creators of Open Policy Agent Thanks!
Editor's Notes
- #18: What each of OPA/DAS does to implement authorization.