Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Troubleshooting Permissions in Cloud-Native Products With Komodor & Authorizon

Komodor
April 23, 2022
Programming
0
69

Troubleshooting Permissions in Cloud-Native Products With Komodor & Authorizon

Cloud-native applications are distributed, intricate, and constantly changing. And with multiple stakeholders involved, it’s just a matter of time until something goes south.

One way to mitigate this problem is with correctly built permissions that restrict access while ensuring smooth operations. But what happens when things inevitably break, and the ‘doomsday clock’ starts ticking back? How should you build authorization into your product to support fixing problems? What happens if they don’t have the right privileges? How can they quickly gain access without escalation, while ensuring that critical functions won’t break in the process?

Join Mickael Alliel of Komodor and Or Weis of Authorizon as they discuss:
> The critical role of authorization in modern cloud-native applications
> Ways in which troubleshooting insights inform authorization decisions
> Best practices for access control, with rapid troubleshooting in mind

Komodor

April 23, 2022
Tweet

More Decks by Komodor

See All by Komodor
Nemlig.com's Multi-Cluster DNS Setup
komodor
0
72
Making Kubernetes Dev-Friendly with Komodor & Okteto
komodor
0
110
Unlocking Developer's Efficiency with Komodor & Loft
komodor
0
68
May the Fork Be with You: Community Contributed Open Source Projects FTW!
komodor
0
75
Shine a Light on K8s Blindspots With Komodor and Anodot
komodor
0
57
ArgoCD for K8s Done Right
komodor
0
30
Hardcore K8s
komodor
0
41
Defying the Odds: Building Robust and Safe Workloads
komodor
0
33
How to Cope When Kubernetes Misbehaves
komodor
0
78

Other Decks in Programming

See All in Programming
Go製Webアプリケーションのエラーとの向き合い方大全、あるいはやっぱりスタックトレース欲しいやん / Kyoto.go #50
utgwkk
6
2k
戦略的DDDは重いのか? / Is strategic DDD heavy?
pictiny
3
2.1k
slow types ってなんだろう?
karad
0
210
Let's learn code review
riofujimon
2
640
Open AI APIを使う前に知っておきたいアカウントTier の話
akki_megane
0
130
Exploring the Implementation of “t.Run”, “t.Parallel”, and “t.Cleanup”
akarin
1
160
ペパボOpenTelemetry革命
pyama86
2
980
Productivity is Messing Around and Having Fun
hollycummins
1
180
Three ways to use AI on Android: The Good, the Bad and the Ugly
marxallski
0
120
TypeScriptから始める VR生活
tamagokakeg
2
110
Implementing Design Systems in Swift
seyfoyun
2
530
mb_trim関数を作りました
youkidearitai
PRO
1
200

Featured

See All Featured
A Philosophy of Restraint
colly
197
16k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Side Projects
sachag
451
41k
Building Effective Engineering Teams - LeadDev
addyosmani
33
1.9k
Building Applications with DynamoDB
mza
88
5.7k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Invisible Customer
myddelton
114
12k
Music & Morning Musume
bryan
41
5.6k
Optimising Largest Contentful Paint
csswizardry
13
2.4k
BBQ
matthewcrist
80
8.8k
The Mythical Team-Month
searls
217
42k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k

Transcript

  1. Komodor <> Epsagon | May 2021 Troubleshooting Permissions in Cloud-Native

    Products

  2. Komodor <> Epsagon | May 2021 Let’s start with the

    basics. Troubleshooting Permissions in Cloud-Native Products

  3. Epic | February 2021 Introduction The Inherent Issues with Cloud-Native

    Apps • Distributed • Many changes in many different places (infra, git, k8s, etc.) • Many different stakeholders (in most cases only one person has a full understanding of the system )

  4. Epic | February 2021 Introduction Identity Management Authentication JWT Authorization

    authorizon Your Product The IAM waterfall

  5. Epic | February 2021 Introduction The Different Stakeholders Internal ◦

    Devs ◦ Ops ◦ Sec ◦ Product ◦ Compliance ◦ Sales External ◦ Customers ◦ Tenants ◦ 3rd-Parties ◦ Partners ◦ Auditors

  6. Epic | February 2021 Introduction Building Authorization In the past:

    build on your own … 󰣻 Today: OPA, OPAL, Zanzibar, … 💪

  7. Komodor <> Epsagon | May 2021 Why is Cloud-native so

    Hard? Troubleshooting Permissions in Cloud-Native Products

  8. Epic | February 2021 Introduction Giving you more to worry

    about... • The inherent issues with cloud-native apps • Building, maintaining, and upgrading access control • Dev access is a Tightrope act - Too much / too little access for troubleshooting • Tracking - monitoring, logging, and audit-logs • Correct monitoring is data that works for you • Are we seeing it right? Impersonation

  9. Epic | February 2021 Introduction Building, maintaining, and upgrading access

    control Keeping track of all changes and understanding the relations between them and your services

  10. Epic | February 2021 Introduction Dev Access is a Tightrope

    Act • Not all relevant personnel have access to enough context and data to troubleshoot properly • Finding the right balance between having access to data and keeping it secure (or encapsulated?)

  11. Epic | February 2021 Introduction Data that Works For You

    • Setting up the right metadata (user data, what role or permission he had at this point in time, account type, location) • Creating proper monitors or dashboards to alert you only when critical - i.e. reducing noise

  12. Epic | February 2021 Introduction Tracking - monitoring, logging, and

    audit-logs Context is key - Who did what? When did it happen? How did it affect other components?

  13. Epic | February 2021 Introduction Are we seeing it right?

    Impersonation • Troubleshooting without being able to see the system from the users perspective hides bugs • It works on my machine -> it works for my user -> it works for my role

  14. Komodor <> Epsagon | May 2021 Best practices for access

    control, with rapid troubleshooting in mind Troubleshooting Permissions in Cloud-Native Products

  15. Epic | February 2021 Introduction Best Practices • Decouple policy

    and code • Realtime policy updates • Policy as Code / Gitops • Backoffice + interfaces • Build access with troubleshooting in mind • Tags and annotations

  16. Epic | February 2021 Introduction Authorization Tools & Open Source

    OPA - Open Policy Agent • Policy evaluation / enforcement engine • Decouple policy from code • Write policies in .rego files • Classic scenario - infrastructure authZ • Especially k8s • Manage OPA • authorization data and policy • Challenge - keeping OPAs up-to-date

  17. Epic | February 2021 Introduction Authorization Tools & Open Source

    OPAL - Open Policy Administration Layer

  18. Introduction Authorization interfaces Back-office policy editor Embeddable user management

  19. Introduction Explore relevant exceptions Troubleshooting Tools Old-School Troubleshooting Understand who

    changed what Check the CI pipeline Check pods status Check the CI pipeline Check current alert Explore relevant exceptions Review the alert’s metrics Check account activity Review the latest code changes

  20. Introduction Troubleshooting Tools Meet Komodor!

  21. Introduction Introduction Sarah, the DevOps, gets an alert from PagerDuty

    Troubleshooting using Komodor

  22. Introduction Introduction Once the alert is triggered, Komodor shows the

    affected service and the latest relevant events so Sarah can easily triage the issue.

  23. Introduction Introduction When switching to Komodor, Sarah sees the service

    full activity, including events from K8s, Github, Datadog and config changes.

  24. Introduction Introduction Sarah reviews the event to deep dive into

    the deploy details.

  25. Introduction Introduction When she looks into the k8s diff, she

    notices the replicas were changed.

  26. Introduction Introduction Sarah decides to scale up the service so

    she returns to the service view and triggers a predefined script. Success!

  27. Komodor <> Epsagon | May 2021 Q&A Troubleshooting Permissions in

    Cloud-Native Products