Require basic best practices of Kubernetes deployments using OPA Gatekeeper with Rancher

Transcript

1. Require basic best practices of Kubernetes deployments using OPA Gatekeeper

   with Rancher Jacky Hung lhhungx@gmail

2. Outline • Problem • OPA Gatekeeper ◦ Admission controllers ◦

   Dynamic admission control ◦ Gatekeeper ◦ OPA ◦ Rego ◦ Constraint templates and constraints • Practice with Rancher ◦ Installing OPA Gatekeeper with Rancher v2.6 ◦ Applying a constraint template ◦ Applying a constraint ◦ Verification • Other OPA use cases

3. If you want to enforce best practices to your org

   like this... • General policies ◦ All images must be from approved repositories ◦ All pods must have resource limits ◦ All ingress hostnames must be globally unique ◦ Disallow NodePort services ◦ Disallow “latest” container image tag ◦ Require speicfic labels or annotations ◦ Require container probles • Pod security policies ◦ Disallow running as root ◦ Disallow privileged containers ◦ Allow only specific hostPath volumes

4. Deprecation of PodSecurityPolicy • Kubernetes 1.21 starts the deprecation process

   for PodSecurityPolicy. • The current plan is to remove PSP from Kubernetes in the 1.25 release. • PSP has some serious usability problems that can’t be addressed without making breaking changes. • New "PSP Replacement Policy." for the feature. https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

5. OPA Gatekeeper architecture https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/

6. Admission controllers https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/ https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ • E.g. ◦ DefaultStorageClass ◦ NamespaceExists

   ◦ NamespaceLifecycle ◦ PodSecurityPolicy • Admission webhooks

7. Dynamic admission control • MutatingAdmissionWebhook • ValidatingAdmissionWebhook • Avoiding deadlocks

   in self-hosted webhooks • Avoiding operating on the kube-system namespace https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

8. Gatekeeper • An extensible, parameterized policy library. • Native Kubernetes

   CRDs for instantiating the policy library (aka “constraints”). • Native Kubernetes CRDs for extending the policy library (aka “constraint templates”). • Audit functionality.

9. Open Policy Agent (OPA) • Pronounced “oh-pa”. • General-purpose policy

   engine. • OPA’s high-level declarative policy language: Rego. • Can enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. https://www.openpolicyagent.org/docs/latest/

10. Rego • It’s declarative. • Rego Playground. • There are

    a lot of out-of-the-box templates for common use cases. https://www.openpolicyagent.org/docs/latest/#rego https://www.openpolicyagent.org/docs/latest/policy-language/

11. Constraint templates and constraints https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates

12. Enforcement action • deny • dryrun • warn (available in

    Gatekeeper v3.4+ with Kubernetes v1.19+) https://open-policy-agent.github.io/gatekeeper/website/docs/violations

13. Audit • Reading Audit Results ◦ Prometheus Metrics ▪ gatekeeper_audit_last_run_time

    ▪ gatekeeper_violations ◦ Constraint Status ◦ Audit Logs • Configuring Audit ◦ --constraint-violations-limit=20 ◦ --audit-interval=300

14. Admission Webhook Fail-Open or Fail-Closed • failurePolicy: ◦ Ignore (default)

    ◦ Fail • Admission Deadlock

15. Rancher • Provisioning and managing Kubernetes clusters with web UI.

    • Integrate OPA Gatekeeper starting from v2.5.

16. Installing OPA Gatekeeper on Rancher v2.6 #1

17. Installing OPA Gatekeeper on Rancher v2.6 #2

18. Installing OPA Gatekeeper on Rancher v2.6 #3 Can change: constraintViolationsLimit

    e.g. 600

19. OPA Gatekeeper will show on Rancher

20. Example: Disallow “latest” image tags #1 • The constraint template

    • The constraint • Verification examples: 1, 2, 3

21. The constraint template

22. Add the constraint template • Apply the “disallow image tag”

    constraint template using kubectl.

23. The constraint

24. Add the constraint • Apply the “disallow image tag” constraint

    using kubectl.

25. Verification example: Allowed

26. Apply the verification example: Allowed

27. Verification example: Disallowed 1

28. Apply the verification example: Disallowed 1

29. Verification example: Disallowed 2

30. Apply the verification example: Disallowed 2

31. If there are existing violations or in dryrun mode

32. Show existing violations of the constraint

33. OPA Gatekeeper official policy library https://github.com/open-policy-agent/gatekeeper-library

34. Other OPA use cases • Service RBAC implementation • Microservice

    authorization

35. Q & A