Slide 1

Require basic best practices of Kubernetes deployments using OPA Gatekeeper with Rancher
Jacky Hung, lhhungx@gmail

Slide 2

Outline
● Problem
● OPA Gatekeeper
  ○ Admission controllers
  ○ Dynamic admission control
  ○ Gatekeeper
  ○ OPA
  ○ Rego
  ○ Constraint templates and constraints
● Practice with Rancher
  ○ Installing OPA Gatekeeper with Rancher v2.6
  ○ Applying a constraint template
  ○ Applying a constraint
  ○ Verification
● Other OPA use cases

Slide 3

If you want to enforce best practices in your org like this...
● General policies
  ○ All images must be from approved repositories
  ○ All pods must have resource limits
  ○ All ingress hostnames must be globally unique
  ○ Disallow NodePort services
  ○ Disallow “latest” container image tag
  ○ Require specific labels or annotations
  ○ Require container probes
● Pod security policies
  ○ Disallow running as root
  ○ Disallow privileged containers
  ○ Allow only specific hostPath volumes

Slide 4

Deprecation of PodSecurityPolicy
● Kubernetes 1.21 starts the deprecation process for PodSecurityPolicy.
● The current plan is to remove PSP from Kubernetes in the 1.25 release.
● PSP has some serious usability problems that can’t be addressed without making breaking changes.
● A new “PSP Replacement Policy” is planned to replace the feature.
https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

Slide 5

OPA Gatekeeper architecture
https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/

Slide 6

Admission controllers
https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
● E.g.
  ○ DefaultStorageClass
  ○ NamespaceExists
  ○ NamespaceLifecycle
  ○ PodSecurityPolicy
● Admission webhooks

Slide 7

Dynamic admission control
● MutatingAdmissionWebhook
● ValidatingAdmissionWebhook
● Avoiding deadlocks in self-hosted webhooks
● Avoiding operating on the kube-system namespace
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

Slide 8

Gatekeeper
● An extensible, parameterized policy library.
● Native Kubernetes CRDs for instantiating the policy library (aka “constraints”).
● Native Kubernetes CRDs for extending the policy library (aka “constraint templates”).
● Audit functionality.

Slide 9

Open Policy Agent (OPA)
● Pronounced “oh-pa”.
● General-purpose policy engine.
● OPA’s high-level declarative policy language: Rego.
● Can enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.
https://www.openpolicyagent.org/docs/latest/

Slide 10

Rego
● It’s declarative.
● Rego Playground.
● There are a lot of out-of-the-box templates for common use cases.
https://www.openpolicyagent.org/docs/latest/#rego
https://www.openpolicyagent.org/docs/latest/policy-language/

Slide 11

Constraint templates and constraints
https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates

Slide 12

Enforcement action
● deny
● dryrun
● warn (available in Gatekeeper v3.4+ with Kubernetes v1.19+)
https://open-policy-agent.github.io/gatekeeper/website/docs/violations

Slide 13

Audit
● Reading Audit Results
  ○ Prometheus Metrics
    ■ gatekeeper_audit_last_run_time
    ■ gatekeeper_violations
  ○ Constraint Status
  ○ Audit Logs
● Configuring Audit
  ○ --constraint-violations-limit=20
  ○ --audit-interval=300

Slide 14

Admission Webhook Fail-Open or Fail-Closed
● failurePolicy:
  ○ Ignore (default)
  ○ Fail
● Admission Deadlock
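The two failure modes on this slide are set in a single field of the webhook registration. The manifest below is an added example of the relevant part of a ValidatingWebhookConfiguration for the Gatekeeper webhook, not a copy of the Gatekeeper or Rancher chart manifests; the service name, namespace and path are assumptions about a default Gatekeeper install, and the caBundle that Gatekeeper injects at runtime is left out.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration   # assumed name
webhooks:
  - name: validation.gatekeeper.sh
    clientConfig:
      service:
        name: gatekeeper-webhook-service              # assumed service name
        namespace: gatekeeper-system                  # assumed namespace
        path: /v1/admit
      # caBundle: injected by Gatekeeper's cert controller, omitted here
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
    # Ignore (the default): if the webhook is down or times out, the API server
    # admits the request, so policy is not enforced while Gatekeeper is unhealthy.
    # Fail: the API server rejects the request instead. With rules this broad that
    # also rejects recreating the Gatekeeper pods themselves, which is the
    # admission deadlock the slide refers to.
    failurePolicy: Ignore
    timeoutSeconds: 3
    sideEffects: None
    admissionReviewVersions: ["v1", "v1beta1"]
    # Skip namespaces carrying this label so the control plane (kube-system,
    # Gatekeeper's own namespace) can recover even when failurePolicy is Fail.
    namespaceSelector:
      matchExpressions:
        - key: admission.gatekeeper.sh/ignore
          operator: DoesNotExist
```

Gatekeeper only honours the ignore label for namespaces that are also passed to the controller with `--exempt-namespace`; labelling a namespace alone does not exempt it. When switching to `Fail`, keep that exemption in place and check `kubectl get validatingwebhookconfigurations -o yaml` after an upgrade, because the chart may reset the field.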

Slide 15

Rancher
● Provisioning and managing Kubernetes clusters with a web UI.
● Integrates OPA Gatekeeper starting from v2.5.

Slide 16

Installing OPA Gatekeeper on Rancher v2.6 #1

Slide 17

Installing OPA Gatekeeper on Rancher v2.6 #2

Slide 18

Installing OPA Gatekeeper on Rancher v2.6 #3
Can change: constraintViolationsLimit (e.g. 600)

Slide 19

OPA Gatekeeper will show on Rancher

Slide 20

Example: Disallow “latest” image tags #1
● The constraint template
● The constraint
● Verification examples: 1, 2, 3

Slide 21

The constraint template

Slide 22

Add the constraint template
● Apply the “disallow image tag” constraint template using kubectl.

Slide 23

The constraint

Slide 24

Add the constraint
● Apply the “disallow image tag” constraint using kubectl.

Slide 25

Verification example: Allowed

Slide 26

Apply the verification example: Allowed

Slide 27

Verification example: Disallowed 1

Slide 28

Apply the verification example: Disallowed 1

Slide 29

Verification example: Disallowed 2

Slide 30

Apply the verification example: Disallowed 2
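Slides 21 to 30 show the constraint template, the constraint and the three verification Pods only as screenshots. The manifests below are an added example that follows the same procedure; they are not the deck's own files nor the gatekeeper-library copy. The template's Rego raises a violation when a container image ends in one of the configured tags or carries no tag at all (which container runtimes resolve to `latest`), the constraint applies it to Pods in the default namespace, and the three Pods reproduce the allowed / disallowed 1 / disallowed 2 checks. The kind name K8sDisallowedTags, the constraint name, the Pod names and the nginx images are assumptions.

```yaml
# Constraint template: declares the K8sDisallowedTags kind and its Rego.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowedtags
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowedTags
      validation:
        # Schema for spec.parameters on each constraint of this kind
        openAPIV3Schema:
          type: object
          properties:
            tags:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowedtags

        # Violation 1: image reference ends in ":<tag>" for a disallowed tag.
        violation[{"msg": msg}] {
          container := input_containers[_]
          tag := input.parameters.tags[_]
          endswith(container.image, concat(":", ["", tag]))
          msg := sprintf("container <%v> uses disallowed tag in image <%v>; disallowed tags: %v", [container.name, container.image, input.parameters.tags])
        }

        # Violation 2: no ':' in the reference at all, i.e. no tag and no digest,
        # which the runtime treats as 'latest'.
        violation[{"msg": msg}] {
          container := input_containers[_]
          not contains(container.image, ":")
          msg := sprintf("container <%v> has no image tag in <%v>", [container.name, container.image])
        }

        # Check both regular and init containers of the admitted Pod.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
# Constraint: instantiates the template for Pods in the default namespace.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-use-latest   # assumed name
spec:
  enforcementAction: deny   # dryrun or warn records violations without blocking
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
  parameters:
    tags: ["latest"]
---
# Constructed verification Pod 1: explicit tag, admitted.
apiVersion: v1
kind: Pod
metadata:
  name: tag-allowed
  namespace: default
spec:
  containers:
    - name: web
      image: nginx:1.21.6
---
# Constructed verification Pod 2: explicit "latest", denied by violation 1.
apiVersion: v1
kind: Pod
metadata:
  name: tag-disallowed-1
  namespace: default
spec:
  containers:
    - name: web
      image: nginx:latest
---
# Constructed verification Pod 3: no tag at all, denied by violation 2.
apiVersion: v1
kind: Pod
metadata:
  name: tag-disallowed-2
  namespace: default
spec:
  containers:
    - name: web
      image: nginx
```

Apply the ConstraintTemplate first and wait until `kubectl get crd k8sdisallowedtags.constraints.gatekeeper.sh` succeeds before applying the constraint; Gatekeeper creates that CRD asynchronously, so applying everything in one file can fail on the constraint. Two points worth knowing when verifying: because the match is on Pods, a Deployment with a `latest` image is accepted by `kubectl apply`, and the denial message shows up in the ReplicaSet's events instead; and a digest-pinned reference such as `nginx@sha256:...` contains a colon and passes violation 2, which is the intended behaviour since a digest is immutable. With `enforcementAction: dryrun` the same Pods are admitted and the audit controller lists them under `status.violations` of the constraint instead.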

Slide 31

If there are existing violations or in dryrun mode

Slide 32

Show existing violations of the constraint

Slide 33

OPA Gatekeeper official policy library
https://github.com/open-policy-agent/gatekeeper-library

Slide 34

Other OPA use cases
● Service RBAC implementation
● Microservice authorization

Slide 35

Q & A