DCSF19 Kubernetes Security with OPA
Download as PDF, PPTX3 likes838 views
The document discusses using Open Policy Agent (OPA) to enforce guardrails and security policies in Kubernetes clusters. It provides examples of sample policies for OPA that restrict which image registries pods can use and prevent conflicting ingress hosts. It also summarizes key features of OPA such as its declarative policy language, sidecar deployment model, and community support from many major companies using it for admission control, authorization, risk management and other use cases.
![@tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org
Sample Policies
package kubernetes.admission
deny[msg] {
input.request.kind.kind == "Pod"
image := input.request.object.spec.containers[_].image
not startswith(image, "hooli.com")
msg := sprintf("image fails to come from trusted registry: %v", [image])
}
deny[msg] {
input.request.kind.kind == "Ingress"
newhost := input.request.object.spec.rules[_].host
oldhost := data.kubernetes.ingresses[namespace][name].spec.rules[_].host
newhost == oldhost
msg := sprintf("ingress host conflicts with ingress %v/%v", [namespace, name])
}](https://image.slidesharecdn.com/kubernetessecuritywithopadockercon19-190506172733/85/DCSF19-Kubernetes-Security-with-OPA-11-320.jpg)
More Related Content
![Zero-downtime deployment with Kubernetes [Meetup #21 - 01]](https://cdn.slidesharecdn.com/ss_thumbnails/phamquangminhzerodowntimek8s-191010012000-thumbnail.jpg?width=560&fit=bounds)
Similar to DCSF19 Kubernetes Security with OPA (20)
![Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]](https://cdn.slidesharecdn.com/ss_thumbnails/session-2-250902135931-4c97717a-thumbnail.jpg?width=560&fit=bounds)
DCSF19 Kubernetes Security with OPA
- 1. @tlhinrichs openpolicyagent.org Tim Hinrichs CTO, Co-Founder of Styra Co-Founder of OPA Kubernetes Security with Open Policy Agent Desired State ^
- 2. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org kubectl create -f nginx.yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 nginx.yaml Desired State Runtime State Server Node Server Node
- 3. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Compute ● Run arbitrary binaries from the internet ● Deploy code with known vulnerabilities Networking ● App A can steal traffic from App B (unintentionally or otherwise) ● Open egress traffic to 0.0.0.0 Storage ● Mission-critical data can be automatically deleted when workloads move to new nodes Security ● 3rdparty software runs with root privileges ● Data at-rest and in-transit not encrypted Dangers Desired State kubectl create -f nginx.yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 nginx.yaml
- 4. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Compute ● Images may only be pulled from internal registry ● Only scanned images may be deployed in namespaces A, B, and C ● QA team must sign-off on image before deployed to production Networking ● Ingresses across namespaces should not conflict ● Developers must not modify selectors or labels referred to by selectors after creation Storage ● Stateful deployments must use ‘RollingUpdate’ update strategy Security ● Containers cannot run with privileged security context ● Services in namespace X should have AWS SSL annotation added Guardrails Desired State Open Policy Agent kubectl create -f nginx.yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 nginx.yaml
- 5. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Desired State Runtime State Server Node Server Node Kubernetes implements Kubernetes API Server Validating Webhook Open Policy Agent kubectl create -f nginx.yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 nginx.yaml
- 6. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Open Policy Agent: How it works K8s API Server OPA Policy (Rego) Data (JSON) Request DecisionQuery kubectl create -f nginx.yaml
- 7. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Open Policy Agent: How it works K8s API Server OPA Policy (Rego) Data (JSON) Request DecisionQuery kind: kind: Deployment request: object: metadata: name: nginx-deployment spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 allow: false reason: | no costcenter label kubectl create -f nginx.yaml
- 8. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org What kind of guardrails do YOU need? ● Image repository safety ● Prevent conflicting ingresses ●
- 10. @tlhinrichs openpolicyagent.org openpolicyagent.org kubernetes.io Tim Hinrichs @tlhinrichs styra.com
- 11. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Sample Policies package kubernetes.admission deny[msg] { input.request.kind.kind == "Pod" image := input.request.object.spec.containers[_].image not startswith(image, "hooli.com") msg := sprintf("image fails to come from trusted registry: %v", [image]) } deny[msg] { input.request.kind.kind == "Ingress" newhost := input.request.object.spec.rules[_].host oldhost := data.kubernetes.ingresses[namespace][name].spec.rules[_].host newhost == oldhost msg := sprintf("ingress host conflicts with ingress %v/%v", [namespace, name]) }
- 12. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Open Policy Agent: Features ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc. Open Policy Agent
- 13. @tlhinrichs openpolicyagent.org@tlhinrichs openpolicyagent.org Open Policy Agent: Community Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Chef Medallia Cloudflare State Street Pinterest Intuit Capital One ...and many more. Today CNCF project (Incubation) 36 contributors 700 slack members 1.7K stars 20+ integrations