Fine-grained Authorization in a Containerized World

Fine-Grained Authorization in a Containerized World

A bit about Ash Narkar ! @ashtalk

• A Containerized World ! • Open Policy Agent ◦
Community ◦ Features ◦ Integrations ◦ Use Cases • Use case deep dive ◦ Kubernetes Admission Control Agenda

A Containerized World ! CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER
CONTAINER CONTAINER CONTAINER POD POD POD NODE

• Intent-based API ◦ Focus on WHAT and not HOW
• Define the desired state in YAML files ◦ kubectl apply Security Challenges # nginx-pod.yaml kind: Pod apiVersion: v1 metadata: name: nginx labels: app: nginx spec: containers: - image: nginx name: nginx

• All pods must only use images from trusted repos
• Ensure all containers specify CPU and memory requirements • Ensure containers don’t use “latest” tag • Prevent containers from running in privileged mode • Ensure no two ingresses are configured with the same hostname • Prevent workloads from running on master nodes Example Security Policies on Kubernetes Cluster

What Is OPA?

OPA: Community Inception Project started in 2016 at Styra. Goal
Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Chef Medallia Cloudflare State Street Pinterest Intuit Capital One ABN AMRO ...and many more. Today CNCF project (Incubating) 70+ contributors 1100+ slack members 2400+ stars 20+ integrations

Service OPA Policy (Rego) Data (JSON) Request Decision Query OPA:
General-purpose policy engine Input can be ANY JSON value Output can be ANY JSON value

• Declarative Policy Language (Rego) ◦ Can user X do
operation Y on resource Z? ◦ What invariants does workload W violate? ◦ Which records should bob be allowed to see? • Library, sidecar, host-level daemon ◦ Policy and data are kept in-memory ◦ Zero decision-time dependencies • Management APIs for control & observability ◦ Bundle service API for sending policy & data to OPA ◦ Status service API for receiving status from OPA ◦ Log service API for receiving audit log from OPA • Tooling to build, test, and debug policy ◦ opa run, opa test, opa fmt, opa deps, opa check, etc. ◦ VS Code plugin, Tracing, Profiling, etc. OPA: Features Service OPA Policy (Rego) Data (JSON) Request Decision Query

OPA: Integrations Data Filtering Admission Control “Restrict ingress hostnames for
payments team.” “Ensure container images come from corporate repo.” API Authorization “Deny test scripts access to production services.” “Allow analysts to access APIs serving anonymized data.” Data Protection Linux PAM SSH & Sudo “Only allow on-call engineers to SSH into production servers.” "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA." "Users can access files for past 6 months related to the region they licensed."

How does OPA work?

How does OPA work? Salary Service V1 OPA Policy (Rego)
Data (JSON) Request Decision Query Example policy "Employees can read their own salary and the salary of anyone they manage."

How does OPA work? Example policy Employees can read their
own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"

OPA: Playground Demo

OPA: Use Cases

Use Cases CLOUD Host DB Host sshd App Container HTTP
API Microservice APIs Orchestrator Admission Control Container Execution, SSH, sudo Linux Risk Management Data Protection and Data Filtering

OPA Use Case: Kubernetes Admission Control

Use Case: Kubernetes Admission Control apiserver admission controllers quota exec
webhook kubectl apply -f app.yaml OPA Example Policies • Images may only be pulled from internal registry • Only scanned images may be deployed in namespaces A, B, and C • QA team must sign-off on image before deployed to production • Stateful deployments must use ‘recreate’ update strategy • Developers must not modify selectors or labels referred to by selectors after creation • Containers must have CPU and memory resource requests and limits set • Containers cannot run with privileged security context • Services in namespace X should have AWS SSL annotation added

Use Case: Kubernetes Admission Control apiserver Policies (Rego) Data/Context (JSON)
webhook OPA kind: Pod metadata: labels: app: nginx name: nginx-1493591563-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true dnsPolicy: ClusterFirst nodeName: minikube restartPolicy: Always status: containerStatuses: - name: nginx ready: true hostIP: 192.168.99.100 status: allowed: false reason: "bad image registry" admission review admission response generated by the policy!

OPA: Demo

Use Case: Kubernetes Admission Control Example policy "Two ingresses in
different namespaces must not have the same hostname."

Deploy Demo App in Prod Namespace Ingress productpage Service Pod
App NAMESPACE = PROD hooli.com rules: - host: hooli.com http: paths: - path: / backend: serviceName: productpage servicePort: 80 Incoming Request

Deploy Alice’s Demo App in Dev Namespace Ingress Alice’s productpage
Service Pod App NAMESPACE = DEV rules: - host: * http: paths: - path: / backend: serviceName: productpage servicePort: 80

What Just Happened ?!?! productpage Service Pod App NAMESPACE =
PROD hooli.com Incoming Request Ingress Alice’s productpage Service NAMESPACE = DEV App Pod

Demo: Kubernetes Admission Control https://katacoda.com/styra

Thank You! github.com/open-policy-agent/opa openpolicyagent.org slack.openpolicyagent.org @ashtalk

Fine-grained Authorization in a Containerized World

Fine-grained Authorization in a Containerized World

Ash

More Decks by Ash

Other Decks in Technology

Featured

Transcript