

Using Open Policy Agent (OPA) in Tanzu Mission Control / OPA in Tanzu Mission Control

Slides presented at the Open Policy Agent Rego Knowledge Sharing Meetup. An introduction to OPA and Gatekeeper as used in Tanzu Mission Control, a SaaS service for Kubernetes cluster lifecycle management.


Transcript

  1. ©2021 VMware, Inc. Using Open Policy Agent (OPA) in Tanzu Mission Control

    Jul. 7, 2021. Motonori Shindo / motonori_shindo, CTO, North Asia (Japan, Korea and Greater China)
  2. 2 ©2021 VMware, Inc. Self-introduction: Motonori Shindo (進藤 資訓)

    Tokyo Electric Power Company in 1988 • CMU, School of Computer Science • Ascend → CoSine → Proxim • ファイブフロント • Nicira → VMware • Viptela → Cisco • VMware again in 2018. Twitter: @motonori_shindo, Facebook: https://www.facebook.com/motonori.shindo, LinkedIn: https://www.linkedin.com/in/motonorishindo/, Blog: https://blog.shin.do
  3. 3 ©2021 VMware, Inc. Integrating Kubernetes with OPA - Gatekeeper

    Gatekeeper acts as a bridge between the Kubernetes API Server and OPA. The API Server triggers Gatekeeper's admission webhook, and the constraints to be enforced are written in Rego. Source: https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
  4. 4 ©2021 VMware, Inc. Policy Template and Policy Instance Resource

    ConstraintTemplate (Policy Template):

    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: k8srequiredlabels
    spec:
      crd:
        spec:
          names:
            kind: K8sRequiredLabels
          validation:
            # Schema for the `parameters` field
            openAPIV3Schema:
              properties:
                labels:
                  type: array
                  items:
                    type: string
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package k8srequiredlabels

            # Deny when any required label key is absent from the object
            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
              provided := {label | input.review.object.metadata.labels[label]}
              required := {label | label := input.parameters.labels[_]}
              missing := required - provided
              count(missing) > 0
              msg := sprintf("you must provide labels: %v", [missing])
            }

    Constraint (Policy Instance), which selects the resources and supplies the parameters:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: ns-must-have-gk
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Namespace"]
      parameters:
        labels: ["gatekeeper"]
  5. 8 ©2021 VMware, Inc. Policy example – tmc-require-labels

    ConstraintTemplate:

    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: tmc-require-labels
    spec:
      # ... (crd section omitted on the slide)
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package tmcrequirelabels

            # Rule 1: every configured label key must be present
            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
              provided := {label | input.review.object.metadata.labels[label]}
              required := {label | label := input.parameters.labels[_].key}
              missing := required - provided
              count(missing) > 0
              msg := sprintf("You must provide labels with keys: %v", [missing])
            }

            # Rule 2: a present key must carry the expected value;
            # an empty expected value means any value is accepted
            violation[{"msg": msg}] {
              value := input.review.object.metadata.labels[key]
              expected := input.parameters.labels[_]
              expected.key == key
              expected.value != ""
              expected.value != value
              msg := sprintf("Label <%v: %v> must match the value: %v", [key, value, expected.value])
            }

    Admission Review Request (relevant parts only):

    {
      "parameters": {
        "labels": [
          {
            "value": "production",
            "key": "env"
          }
        ]
      },
      "review": {
        "object": {
          "apiVersion": "apps/v1",
          "kind": "Deployment",
          "metadata": {
            "labels": {
              "app": "nginx",
              "env": "production"
            }
          }
        }
      }
    }

    The full version of the Admission Review Request is here.
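The two `violation` rules on slide 5 decide admission by a set difference over label keys and, for keys that are present, a value comparison that is skipped when the expected value is empty. The following Python script is an added example, not code from the deck, from Tanzu Mission Control or from Gatekeeper: it models the same two rules so they can be exercised offline against constructed admission review documents. The function names, the `deployment` helper and the sample Deployments are constructed for illustration, and the constructed `PARAMS_TEAM_ANY` parameters exercise the empty-expected-value case that the slide's Rego handles but does not show.

```python
# Added example: a Python model of the two `violation` rules in the
# tmc-require-labels ConstraintTemplate shown on the slide. This is not
# Tanzu Mission Control or Gatekeeper code; function names and the sample
# admission review documents are constructed for illustration and contain
# only the fields the Rego rules actually read.
from typing import Any, Dict, List, Optional, Tuple


def evaluate_required_labels(review_object: Dict[str, Any],
                             parameters: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the violations the slide's Rego would emit for one object.

    review_object plays the role of input.review.object and parameters
    the role of input.parameters ({"labels": [{"key": ..., "value": ...}]}).
    """
    provided = review_object.get("metadata", {}).get("labels") or {}
    violations: List[Dict[str, Any]] = []

    # Rule 1: set difference over keys, as in `missing := required - provided`.
    # A required key must exist; its value is not inspected by this rule.
    required = {entry["key"] for entry in parameters["labels"]}
    missing = sorted(required - set(provided))
    if missing:
        violations.append({
            "msg": f"You must provide labels with keys: {missing}",
            "details": {"missing_labels": missing},
        })

    # Rule 2: a key that is present must carry the expected value. The Rego
    # line `expected.value != ""` makes an empty expected value mean
    # "key required, any value accepted", so such entries never fire here.
    for key, value in provided.items():
        for expected in parameters["labels"]:
            if (expected["key"] == key
                    and expected["value"] != ""
                    and expected["value"] != value):
                violations.append({
                    "msg": f"Label <{key}: {value}> must match the value: "
                           f"{expected['value']}",
                })
    return violations


def admission_decision(review: Dict[str, Any],
                       parameters: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Mimic an enforcing constraint: any violation denies the request."""
    violations = evaluate_required_labels(review["object"], parameters)
    return (not violations, [v["msg"] for v in violations])


def deployment(labels: Optional[Dict[str, str]]) -> Dict[str, Any]:
    """Constructed minimal `review` for a Deployment; None omits labels entirely."""
    metadata: Dict[str, Any] = {"name": "nginx"}
    if labels is not None:
        metadata["labels"] = labels
    return {"object": {"apiVersion": "apps/v1", "kind": "Deployment",
                       "metadata": metadata}}


# Parameters as on the slide: label env must equal "production".
PARAMS_ENV_PRODUCTION = {"labels": [{"key": "env", "value": "production"}]}
# Constructed variant: label team must exist, any value is acceptable.
PARAMS_TEAM_ANY = {"labels": [{"key": "team", "value": ""}]}


if __name__ == "__main__":
    for label_set in ({"app": "nginx", "env": "production"},
                      {"app": "nginx", "env": "staging"},
                      {"app": "nginx"},
                      None):
        allowed, msgs = admission_decision(deployment(label_set), PARAMS_ENV_PRODUCTION)
        print(f"labels={label_set!r}: allowed={allowed} {msgs}")
```

Running the script prints one decision per sample Deployment: the slide's own object is admitted, a wrong `env` value is denied by rule 2, and an object without `env` (or without any labels at all) is denied by rule 1 only, because rule 2 iterates over labels that exist. For a real template the same cases belong in a Rego test file run with `opa test`, but the model shows the rule interplay without a cluster.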