Fine-grained Authorization in a Containerized World
Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.
Example Security Policies on Kubernetes Cluster
• Ensure all containers specify CPU and memory requirements
• Ensure containers don’t use “latest” tag
• Prevent containers from running in privileged mode
• Ensure no two ingresses are configured with the same hostname
• Prevent workloads from running on master nodes
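The first three invariants in the list above, written as a Rego admission policy. This is an added example and not a slide from the talk: it assumes OPA is registered as a Kubernetes validating admission webhook and receives AdmissionReview objects as `input`; the package name `kubernetes.admission` and the `deny` rule name follow the OPA Kubernetes tutorials rather than anything Kubernetes itself requires, and the code uses the `rego.v1` syntax (OPA 0.59 and later), which postdates the 2019 talk.

```rego
# Added example: validating admission policy for Pods.
# Assumes `input` is a Kubernetes AdmissionReview (input.request.object is the Pod).
package kubernetes.admission

import rego.v1

# Only inspect Pod objects that are being created or updated.
is_pod if {
    input.request.kind.kind == "Pod"
    input.request.operation in {"CREATE", "UPDATE"}
}

# Every container of the admitted Pod, init containers included.
containers contains c if {
    is_pod
    some c in input.request.object.spec.containers
}

containers contains c if {
    is_pod
    some c in input.request.object.spec.initContainers
}

# Invariant 1: all containers specify CPU and memory requests and limits.
# A missing `resources` block, section, or resource name leaves the reference
# undefined, so `not` succeeds and a violation is reported.
deny contains msg if {
    some c in containers
    some section in {"requests", "limits"}
    some res in {"cpu", "memory"}
    not c.resources[section][res]
    msg := sprintf("container %q must set resources.%s.%s", [c.name, section, res])
}

# Invariant 2: containers do not use the mutable "latest" tag. An image with
# no tag at all is rejected too, because the runtime resolves it to :latest.
deny contains msg if {
    some c in containers
    uses_latest_tag(c.image)
    msg := sprintf("container %q uses image %q, which resolves to the latest tag", [c.name, c.image])
}

uses_latest_tag(image) if endswith(image, ":latest")

uses_latest_tag(image) if {
    # Look only at the last path component so a registry port such as
    # "registry.local:5000/app" is not mistaken for a tag.
    parts := split(image, "/")
    i := count(parts) - 1
    not contains(parts[i], ":")
}

# Invariant 3: containers cannot run in privileged mode.
deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run in privileged mode", [c.name])
}
```

The webhook integration turns a non-empty `deny` set into a rejected API request and returns the messages to the caller of `kubectl apply`; because every check is a separate rule that contributes to the same set, a Pod that breaks several invariants is reported for all of them in one round trip.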
Unify policy enforcement across the stack.
Use Cases
• Admission control
• Authorization
• ACLs
• RBAC
• IAM
• ABAC
• Risk management
• Data Protection
• Data Filtering
Users
Netflix, Chef, Medallia, Cloudflare, State Street, Pinterest, Intuit, Capital One, ABN AMRO ...and many more.
Today
• CNCF project (Incubating)
• 70+ contributors
• 1100+ slack members
• 2400+ stars
• 20+ integrations
OPA: Features
◦ … operation Y on resource Z?
◦ What invariants does workload W violate?
◦ Which records should bob be allowed to see?
• Library, sidecar, host-level daemon
◦ Policy and data are kept in-memory
◦ Zero decision-time dependencies
• Management APIs for control & observability
◦ Bundle service API for sending policy & data to OPA
◦ Status service API for receiving status from OPA
◦ Log service API for receiving audit log from OPA
• Tooling to build, test, and debug policy
◦ opa run, opa test, opa fmt, opa deps, opa check, etc.
◦ VS Code plugin, Tracing, Profiling, etc.
[Diagram: a Service sends a Request/Query to OPA; OPA evaluates Policy (Rego) against Data (JSON) and returns a Decision]
… payments team.” “Ensure container images come from corporate repo.”
API Authorization: “Deny test scripts access to production services.” “Allow analysts to access APIs serving anonymized data.”
Data Protection: "Trades exceeding $10M must be executed between 9AM and 5PM and require MFA." "Users can access files for past 6 months related to the region they licensed."
Linux PAM (SSH & Sudo): “Only allow on-call engineers to SSH into production servers.”
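The two API authorization statements above as a default-deny Rego policy for an HTTP API. This is an added example, not material from the talk: the `input` shape (`method`, `path`, `caller`, `target`) and the `service_owners` table are constructed for the example; in a real deployment the caller attributes would come from the authenticating proxy or API gateway that queries OPA, and the ownership data would be shipped to OPA through the bundle API and live under `data`. Syntax is `rego.v1` (OPA 0.59 and later).

```rego
# Added example: HTTP API authorization with OPA.
# Constructed input shape (not an OPA standard):
#   {"method": "GET",
#    "path": ["reports", "anonymized", "2019"],
#    "caller": {"name": "ci-smoke-test", "kind": "test-script",
#               "roles": ["analyst"], "team": "qa"},
#    "target": {"service": "payments-api", "environment": "production"}}
package httpapi.authz

import rego.v1

# Default deny: a request is permitted only if an allow rule matches and
# nothing has produced a deny reason.
default allow := false

# "Deny test scripts access to production services."
deny_reason contains "test scripts may not call production services" if {
    input.caller.kind == "test-script"
    input.target.environment == "production"
}

# "Allow analysts to access APIs serving anonymized data."
# Anonymized endpoints are identified by their second path segment in this example.
allow if {
    count(deny_reason) == 0
    "analyst" in input.caller.roles
    input.method == "GET"
    input.path[1] == "anonymized"
}

# Constructed ownership table: which team owns each service.
service_owners := {"payments-api": "payments"}

# Members of the owning team may call their own service.
allow if {
    count(deny_reason) == 0
    service_owners[input.target.service] == input.caller.team
}
```

With the constructed input above the request is denied even though the caller holds the analyst role, because the deny reason from the test-script rule is checked before any allow rule can fire; the enforcing service queries `data.httpapi.authz.allow` and can surface `deny_reason` in its audit log.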
[Diagram: kubectl apply -f app.yaml → admission webhook → OPA]
OPA Example Policies
• Images may only be pulled from internal registry
• Only scanned images may be deployed in namespaces A, B, and C
• QA team must sign-off on image before deployed to production
• Stateful deployments must use ‘recreate’ update strategy
• Developers must not modify selectors or labels referred to by selectors after creation
• Containers must have CPU and memory resource requests and limits set
• Containers cannot run with privileged security context
• Services in namespace X should have AWS SSL annotation added
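Two of the policies above need more than the object being admitted: the registry rule needs a configured allow-list, and the duplicate-hostname rule from the earlier slide needs the Ingresses that already exist in the cluster. The policy below is an added example (not from the talk) showing both. It assumes existing Ingress objects are replicated into OPA's in-memory store as `data.kubernetes.ingresses[namespace][name]`, which is the layout produced by the kube-mgmt sidecar; the registry hostname is a constructed placeholder. Syntax is `rego.v1` (OPA 0.59 and later).

```rego
# Added example: admission rules that depend on configuration and replicated
# cluster state. Assumes `input` is a Kubernetes AdmissionReview.
package kubernetes.admission

import rego.v1

# Constructed placeholder for the corporate registry prefix.
internal_registry := "registry.internal.example.com/"

# "Images may only be pulled from internal registry."
deny contains msg if {
    input.request.kind.kind == "Pod"
    some c in input.request.object.spec.containers
    not startswith(c.image, internal_registry)
    msg := sprintf("container %q pulls %q, which is not from %s", [c.name, c.image, internal_registry])
}

# "Ensure no two ingresses are configured with the same hostname."
# Existing Ingresses are read from data.kubernetes.ingresses[ns][name], a copy
# kept in OPA's memory (assumption: populated by kube-mgmt), so the decision has
# no dependency on the API server at evaluation time.
deny contains msg if {
    input.request.kind.kind == "Ingress"
    new := input.request.object
    some rule in new.spec.rules
    some ns, name
    other := data.kubernetes.ingresses[ns][name]
    not same_object(new, ns, name)
    some other_rule in other.spec.rules
    other_rule.host == rule.host
    msg := sprintf("host %q is already used by ingress %s/%s", [rule.host, ns, name])
}

# An UPDATE must not be reported as conflicting with its own stored copy.
same_object(obj, ns, name) if {
    obj.metadata.namespace == ns
    obj.metadata.name == name
}
```

Because the replicated data is only as fresh as the sidecar's last sync, two Ingresses created in the same instant can both pass; the rule closes the common case, and a periodic audit of `data.kubernetes.ingresses` against the same policy catches anything that slipped through.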