Troubleshooting Permissions in Cloud-Native Products With Komodor & Authorizon

Transcript

1. Komodor <> Epsagon | May 2021 Troubleshooting Permissions in Cloud-Native

   Products

2. Komodor <> Epsagon | May 2021 Let’s start with the

   basics. Troubleshooting Permissions in Cloud-Native Products

3. Epic | February 2021 Introduction The Inherent Issues with Cloud-Native

   Apps • Distributed • Many changes in many different places (infra, git, k8s, etc.) • Many different stakeholders (in most cases only one person has a full understanding of the system )

4. Epic | February 2021 Introduction Identity Management Authentication JWT Authorization

   authorizon Your Product The IAM waterfall

5. Epic | February 2021 Introduction The Different Stakeholders Internal ◦

   Devs ◦ Ops ◦ Sec ◦ Product ◦ Compliance ◦ Sales External ◦ Customers ◦ Tenants ◦ 3rd-Parties ◦ Partners ◦ Auditors

6. Epic | February 2021 Introduction Building Authorization In the past:

   build on your own … 󰣻 Today: OPA, OPAL, Zanzibar, … 💪

7. Komodor <> Epsagon | May 2021 Why is Cloud-native so

   Hard? Troubleshooting Permissions in Cloud-Native Products

8. Epic | February 2021 Introduction Giving you more to worry

   about... • The inherent issues with cloud-native apps • Building, maintaining, and upgrading access control • Dev access is a Tightrope act - Too much / too little access for troubleshooting • Tracking - monitoring, logging, and audit-logs • Correct monitoring is data that works for you • Are we seeing it right? Impersonation

9. Epic | February 2021 Introduction Building, maintaining, and upgrading access

   control Keeping track of all changes and understanding the relations between them and your services

10. Epic | February 2021 Introduction Dev Access is a Tightrope

    Act • Not all relevant personnel have access to enough context and data to troubleshoot properly • Finding the right balance between having access to data and keeping it secure (or encapsulated?)

11. Epic | February 2021 Introduction Data that Works For You

    • Setting up the right metadata (user data, what role or permission he had at this point in time, account type, location) • Creating proper monitors or dashboards to alert you only when critical - i.e. reducing noise

12. Epic | February 2021 Introduction Tracking - monitoring, logging, and

    audit-logs Context is key - Who did what? When did it happen? How did it affect other components?

13. Epic | February 2021 Introduction Are we seeing it right?

    Impersonation • Troubleshooting without being able to see the system from the users perspective hides bugs • It works on my machine -> it works for my user -> it works for my role

14. Komodor <> Epsagon | May 2021 Best practices for access

    control, with rapid troubleshooting in mind Troubleshooting Permissions in Cloud-Native Products

15. Epic | February 2021 Introduction Best Practices • Decouple policy

    and code • Realtime policy updates • Policy as Code / Gitops • Backoffice + interfaces • Build access with troubleshooting in mind • Tags and annotations

16. Epic | February 2021 Introduction Authorization Tools & Open Source

    OPA - Open Policy Agent • Policy evaluation / enforcement engine • Decouple policy from code • Write policies in .rego files • Classic scenario - infrastructure authZ • Especially k8s • Manage OPA • authorization data and policy • Challenge - keeping OPAs up-to-date

17. Epic | February 2021 Introduction Authorization Tools & Open Source

    OPAL - Open Policy Administration Layer

18. Introduction Authorization interfaces Back-office policy editor Embeddable user management

19. Introduction Explore relevant exceptions Troubleshooting Tools Old-School Troubleshooting Understand who

    changed what Check the CI pipeline Check pods status Check the CI pipeline Check current alert Explore relevant exceptions Review the alert’s metrics Check account activity Review the latest code changes

20. Introduction Troubleshooting Tools Meet Komodor!

21. Introduction Introduction Sarah, the DevOps, gets an alert from PagerDuty

    Troubleshooting using Komodor

22. Introduction Introduction Once the alert is triggered, Komodor shows the

    affected service and the latest relevant events so Sarah can easily triage the issue.

23. Introduction Introduction When switching to Komodor, Sarah sees the service

    full activity, including events from K8s, Github, Datadog and config changes.

24. Introduction Introduction Sarah reviews the event to deep dive into

    the deploy details.

25. Introduction Introduction When she looks into the k8s diff, she

    notices the replicas were changed.

26. Introduction Introduction Sarah decides to scale up the service so

    she returns to the service view and triggers a predefined script. Success!

27. Komodor <> Epsagon | May 2021 Q&A Troubleshooting Permissions in

    Cloud-Native Products