Slide 1


©2021 VMware, Inc.
Using Open Policy Agent (OPA) in Tanzu Mission Control
Jul. 7, 2021
Motonori Shindo / motonori_shindo, CTO, North Asia (Japan, Korea and Greater China)

Slide 2


About me: Motonori Shindo (進藤 資訓)
• TEPCO (Tokyo Electric Power Company) in 1988
• CMU, School of Computer Science
• Ascend → CoSine → Proxim
• Fivefront (ファイブフロント)
• Nicira → VMware
• Viptela → Cisco
• VMware again in 2018
Twitter: @motonori_shindo
Facebook: https://www.facebook.com/motonori.shindo
LinkedIn: https://www.linkedin.com/in/motonorishindo/
Blog: https://blog.shin.do

Slide 3


Integrating Kubernetes and OPA - Gatekeeper
• Gatekeeper acts as a bridge between the Kubernetes API server and OPA
• The API server triggers Gatekeeper's admission webhook
• The constraints you want to enforce are written in Rego
Source: https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/

Slide 4


Policy Template and Policy Instance Resource

Policy Template (ConstraintTemplate):

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

Policy Instance (Constraint):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]

Slide 5


Security Policies built into Tanzu Mission Control

Slide 6


Policy Templates provided by Tanzu Mission Control

Slide 7


Policy example – tmc-require-labels

Slide 8


Policy example – tmc-require-labels

ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: tmc-require-labels
  :
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package tmcrequirelabels

        # Rule 1: every key listed in parameters.labels must be present on the object.
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_].key}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("You must provide labels with keys: %v", [missing])
        }

        # Rule 2: where a non-empty value is given for a key, the object's value must match it.
        violation[{"msg": msg}] {
          value := input.review.object.metadata.labels[key]
          expected := input.parameters.labels[_]
          expected.key == key
          expected.value != ""
          expected.value != value
          msg := sprintf("Label <%v: %v> must match the value: %v", [key, value, expected.value])
        }

Admission Review Request (relevant parts only):

{
  "parameters": {
    "labels": [
      { "value": "production", "key": "env" }
    ]
  },
  "review": {
    "object": {
      "apiVersion": "apps/v1",
      "kind": "Deployment",
      "metadata": {
        "labels": {
          "app": "nginx",
          "env": "production"
        }
      }
    }
  }
}

The full Admission Review Request is here.
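As an added example (not from the slides and not part of Tanzu Mission Control), a Rego unit-test file for the tmcrequirelabels package above, run with `opa test .` on OPA 0.x, whose rule syntax the template uses. It assumes the template's rego body is saved alongside as tmcrequirelabels.rego; the parameters and label sets are constructed, and cover the empty-expected-value wildcard case that rule 2 handles.

```rego
package tmcrequirelabels

# Constructed constraint parameters, in the shape TMC passes under input.parameters:
# "env" must equal "production"; "team" only has to exist (empty value = any value).
sample_params := {"labels": [
    {"key": "env", "value": "production"},
    {"key": "team", "value": ""}
]}

# Build the admission review input the template sees, for a Deployment carrying `labels`.
review_with(labels) := {
    "parameters": sample_params,
    "review": {"object": {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"labels": labels}
    }}
}

# Both required keys present and env has the expected value: no violation.
test_compliant_deployment_passes {
    inp := review_with({"env": "production", "team": "platform"})
    count(violation) == 0 with input as inp
}

# Missing "team" key: rule 1 reports it under details.missing_labels.
test_missing_key_is_reported {
    inp := review_with({"env": "production"})
    v := violation with input as inp
    count(v) == 1
    v[_].details.missing_labels == {"team"}
}

# Wrong value for "env": rule 2 reports the mismatch with the expected value.
test_wrong_value_is_reported {
    inp := review_with({"env": "staging", "team": "platform"})
    v := violation with input as inp
    count(v) == 1
    v[_].msg == "Label <env: staging> must match the value: production"
}

# An empty expected value is a wildcard: any "team" value is accepted by rule 2.
test_empty_expected_value_accepts_any {
    inp := review_with({"env": "production", "team": "anything"})
    count(violation) == 0 with input as inp
}
```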

Slide 9


Audit example

Slide 10


VMware HANDS-ON LABS / HOL-2132-01-MAP
https://labs.hol.vmware.com/HOL/catalogs/catalog/1212

Slide 11


Thank You