Fine-grained Authorization in a Containerized World

Ash
August 22, 2019

Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.

Transcript

  1. Fine-Grained Authorization in a Containerized World

  2. A bit about Ash Narkar (@ashtalk)

  3. Agenda
    • A Containerized World
    • Open Policy Agent
      ◦ Community
      ◦ Features
      ◦ Integrations
      ◦ Use Cases
    • Use case deep dive
      ◦ Kubernetes Admission Control
  4. A Containerized World
    [Diagram labels: CONTAINER (x9), POD (x3), NODE]
  5. Security Challenges
    • Intent-based API
      ◦ Focus on WHAT and not HOW
    • Define the desired state in YAML files
      ◦ kubectl apply

        # nginx-pod.yaml
        kind: Pod
        apiVersion: v1
        metadata:
          name: nginx
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx
            name: nginx

  6. Example Security Policies on Kubernetes Cluster
    • All pods must only use images from trusted repos
    • Ensure all containers specify CPU and memory requirements
    • Ensure containers don’t use “latest” tag
    • Prevent containers from running in privileged mode
    • Ensure no two ingresses are configured with the same hostname
    • Prevent workloads from running on master nodes
  10. What Is OPA?

  11. OPA: Community
    • Inception: Project started in 2016 at Styra.
    • Goal: Unify policy enforcement across the stack.
    • Use Cases: Admission control, Authorization, ACLs, RBAC, IAM, ABAC, Risk management, Data Protection, Data Filtering
    • Users: Netflix, Chef, Medallia, Cloudflare, State Street, Pinterest, Intuit, Capital One, ABN AMRO ...and many more.
    • Today: CNCF project (Incubating), 70+ contributors, 1100+ slack members, 2400+ stars, 20+ integrations
  12. OPA: General-purpose policy engine
    [Diagram labels: Service, OPA, Policy (Rego), Data (JSON), Request, Decision, Query]
    • Input can be ANY JSON value
    • Output can be ANY JSON value
  13. OPA: Features
    • Declarative Policy Language (Rego)
      ◦ Can user X do operation Y on resource Z?
      ◦ What invariants does workload W violate?
      ◦ Which records should bob be allowed to see?
    • Library, sidecar, host-level daemon
      ◦ Policy and data are kept in-memory
      ◦ Zero decision-time dependencies
    • Management APIs for control & observability
      ◦ Bundle service API for sending policy & data to OPA
      ◦ Status service API for receiving status from OPA
      ◦ Log service API for receiving audit log from OPA
    • Tooling to build, test, and debug policy
      ◦ opa run, opa test, opa fmt, opa deps, opa check, etc.
      ◦ VS Code plugin, Tracing, Profiling, etc.
    [Diagram labels: Service, OPA, Policy (Rego), Data (JSON), Request, Decision, Query]
  14. OPA: Integrations
    • Admission Control
      ◦ “Restrict ingress hostnames for payments team.”
      ◦ “Ensure container images come from corporate repo.”
    • API Authorization
      ◦ “Deny test scripts access to production services.”
      ◦ “Allow analysts to access APIs serving anonymized data.”
    • Linux PAM, SSH & Sudo
      ◦ “Only allow on-call engineers to SSH into production servers.”
    • Data Protection, Data Filtering
      ◦ "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA."
      ◦ "Users can access files for past 6 months related to the region they licensed."
  15. How does OPA work?

  16. How does OPA work?
    [Diagram labels: Salary Service V1, OPA, Policy (Rego), Data (JSON), Request, Decision, Query]
    Example policy: "Employees can read their own salary and the salary of anyone they manage."
  17. How does OPA work?
    Example policy: Employees can read their own salary and the salary of anyone they manage.
    Input Data

        method: "GET"
        path: ["salary", "bob"]
        user: "bob"

  18. OPA: Playground Demo

  19. OPA: Use Cases

  20. Use Cases
    [Diagram labels: CLOUD; Host; DB; Host; sshd; App; Container; HTTP API]
    [Use cases shown: Microservice APIs; Orchestrator; Admission Control; Container Execution, SSH, sudo; Linux; Risk Management; Data Protection and Data Filtering]
  21. OPA Use Case: Kubernetes Admission Control

  22. Use Case: Kubernetes Admission Control
    [Diagram labels: kubectl apply -f app.yaml; apiserver; admission controllers (quota, exec, webhook); OPA]
    Example Policies
    • Images may only be pulled from internal registry
    • Only scanned images may be deployed in namespaces A, B, and C
    • QA team must sign-off on image before deployed to production
    • Stateful deployments must use ‘recreate’ update strategy
    • Developers must not modify selectors or labels referred to by selectors after creation
    • Containers must have CPU and memory resource requests and limits set
    • Containers cannot run with privileged security context
    • Services in namespace X should have AWS SSL annotation added
  23. Use Case: Kubernetes Admission Control
    [Diagram labels: apiserver, webhook, OPA, Policies (Rego), Data/Context (JSON)]
    Admission review:

        kind: Pod
        metadata:
          labels:
            app: nginx
          name: nginx-1493591563-bvl8q
          namespace: production
        spec:
          containers:
          - image: nginx
            name: nginx
            securityContext:
              privileged: true
          dnsPolicy: ClusterFirst
          nodeName: minikube
          restartPolicy: Always
        status:
          containerStatuses:
          - name: nginx
            ready: true
          hostIP: 192.168.99.100

    Admission response (generated by the policy!):

        status:
          allowed: false
          reason: "bad image registry"

  24. OPA: Demo

  25. Use Case: Kubernetes Admission Control
    Example policy: "Two ingresses in different namespaces must not have the same hostname."
  26. Deploy Demo App in Prod Namespace
    [Diagram labels: Incoming Request; hooli.com; Ingress; productpage Service; Pod; App; NAMESPACE = PROD]

        rules:
        - host: hooli.com
          http:
            paths:
            - path: /
              backend:
                serviceName: productpage
                servicePort: 80

  27. Deploy Alice’s Demo App in Dev Namespace
    [Diagram labels: Ingress; Alice’s productpage Service; Pod; App; NAMESPACE = DEV]

        rules:
        - host: *
          http:
            paths:
            - path: /
              backend:
                serviceName: productpage
                servicePort: 80

  28. What Just Happened ?!?!
    [Diagram labels: Incoming Request; hooli.com; productpage Service, Pod, App in NAMESPACE = PROD; Ingress; Alice’s productpage Service, App, Pod in NAMESPACE = DEV]
  29. Demo: Kubernetes Admission Control https://katacoda.com/styra

  30. Thank You! github.com/open-policy-agent/opa openpolicyagent.org slack.openpolicyagent.org @ashtalk
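
The salary policy from slides 16 and 17, written out in Rego as an added example (not code from the talk). The package name and the `manages` data are assumptions; the first test uses the input shown on slide 17.

```rego
package httpapi.authz

import rego.v1

# Run the embedded tests with: opa test <this file>

# Constructed org data (hypothetical name): manager -> direct reports.
# This plays the role of the "Data (JSON)" box on the slides.
manages := {"alice": ["bob", "charlie"]}

# Deny unless one of the allow rules below matches.
default allow := false

# Employees can read their own salary.
allow if {
	input.method == "GET"
	input.path == ["salary", input.user]
}

# Managers can read the salary of anyone they manage.
allow if {
	input.method == "GET"
	some employee in manages[input.user]
	input.path == ["salary", employee]
}

# Input from slide 17: bob reads his own salary.
test_bob_reads_own_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "bob"}
}

test_manager_reads_report_salary if {
	allow with input as {"method": "GET", "path": ["salary", "bob"], "user": "alice"}
}

test_report_cannot_read_manager_salary if {
	not allow with input as {"method": "GET", "path": ["salary", "alice"], "user": "bob"}
}

test_write_is_denied if {
	not allow with input as {"method": "POST", "path": ["salary", "bob"], "user": "bob"}
}
```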
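
An added Rego example (not the policy from the talk's demo) for the ingress conflict on slides 25 to 28. It goes beyond the stated rule by treating a missing host or `*` as overlapping every hostname, which is the case slide 27 shows; `existing_ingresses` is a constructed stand-in for cluster state loaded into OPA as data, and the helper names are assumptions.

```rego
package kubernetes.admission

import rego.v1

# Run the embedded tests with: opa test <this file>

# Constructed stand-in for cluster state loaded into OPA as data:
# namespace -> ingress name -> Ingress object (only the fields used here).
existing_ingresses := {"prod": {"productpage": {"spec": {"rules": [{"host": "hooli.com"}]}}}}

# A rule without a host is a catch-all, the same as "*".
# Prefix wildcards such as *.example.com are not handled here.
host_of(rule) := object.get(rule, "host", "*")

overlaps(a, b) if a == b
overlaps(a, _) if a == "*"
overlaps(_, b) if b == "*"

# One message per conflict with an ingress in a different namespace.
deny contains msg if {
	input.request.kind.kind == "Ingress"
	some new_rule in input.request.object.spec.rules
	some ns, name
	some old_rule in existing_ingresses[ns][name].spec.rules
	ns != input.request.namespace
	overlaps(host_of(new_rule), host_of(old_rule))
	msg := sprintf("ingress host %q conflicts with %v/%v", [host_of(new_rule), ns, name])
}

# Constructed AdmissionReview for an ingress created in the dev namespace.
review(rules) := {"request": {
	"kind": {"kind": "Ingress"},
	"namespace": "dev",
	"object": {"spec": {"rules": rules}},
}}

test_same_host_denied if {
	count(deny) == 1 with input as review([{"host": "hooli.com"}])
}

test_wildcard_host_denied if {
	count(deny) == 1 with input as review([{"host": "*"}])
}

test_missing_host_denied if {
	count(deny) == 1 with input as review([{"http": {}}])
}

test_unrelated_host_allowed if {
	count(deny) == 0 with input as review([{"host": "dev.hooli.com"}])
}
```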