Cloud Compliance With Open Policy Agent

Transcript

1. Alex Krause [email protected] @alex0ptr Cloud Compliance with Open Policy Agent

2. The Problem @alex0ptr

3. Policy @alex0ptr “Users should only access data of their own

   teams/projects. ” // TODO Compliance “Security First. Least Privilege, where possible. ” Governance

4. @alex0ptr May this action be allowed? Who or what can

   perform a certain action? Are there violations?

5. Infrastructure Machines Network DNS RDBMS Storage Application Platform Container Orchestration

   Container Images CD- Pipeline Applications User Management Configuration HTTP APIs + UIs Code Continuous Integration Code Artifacts Version Control Logs Secret Store API Gateways Metrics Backups @alex0ptr Life of the YAML -Engineer

6. @alex0ptr @PreAuthorize("#username == authentication.principal.username") public String getMyRoles(String username) { //...

   }

7. (1) Many components, which (2) use different concepts, protocols, and

   configuration languages, with(3) strong coupling to the concrete implementation. The Problems ✔ @alex0ptr

8. Solution? @alex0ptr

9. @alex0ptr Open Policy Agent Engine + Language

10. @alex0ptr Open Policy Agent ‣ Policy Engine ‣ universal ‣

    lightweight ‣ de-coupled ‣ easy to integrate “Policy-based control for cloud native environments”

11. @alex0ptr OPA: Rego ‣ inheritance: datalog ‣ declarative, logic ‣

    made for Policies ‣ and structured data “Use Rego for defining policy that is easy to read and write.”

12. @alex0ptr

13. @alex0ptr

14. The Dream: ✨ Central Policy Repository ✨ @alex0ptr

15. The Present @alex0ptr

16. Demo The Basics @alex0ptr

17. @alex0ptr @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override

    protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest() .authenticated() .accessDecisionManager(accessDecisionManager()); } @Bean public AccessDecisionManager accessDecisionManager() { List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow")); return new UnanimousBased(decisionVoters); } }

18. @alex0ptr “Policy Controller for Kubernetes” ‣ K8s Admission Controller ‣

    CRDs for Policies ‣ Audit ‣ Policy Library Gatekeeper

19. Demo Gatekeeper @alex0ptr

20. @alex0ptr “Write tests against structured configuration data […]” ‣ CLI

    wrapper for OPA ‣ shift-left for Policies ‣ YAML/JSON, HCL(2), INI, TOML, Dockerfile ‣ go-getter support Conftest

21. Demo Conftest @alex0ptr

22. Conclusion @alex0ptr

23. @alex0ptr Gatekeeper Rego Conftest Tooling Integration Integrations Complexity

24. xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh Alex Krause [email protected] @alex0ptr

25. QAware 21.09.2018 25

26. QAware GmbH Mainz Rheinstraße 4 D 55116 Mainz Tel.: +49

    (0) 6131 215 69 – 0 Fax: +49 (0) 6131 215 69 – 68 xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh

27. QAware GmbH München Aschauer Straße 32 81549 München Tel.: +49

    (0) 89 23 23 15 – 0 Fax: +49 (0) 89 23 23 15 – 129 xing.com/companies/qawaregmbh linkedin.com/company/qaware-gmbh slideshare.net/qaware twitter.com/qaware github.com/qaware youtube.com/qawaregmbh