Slide 1

11/16/14 Policy as code DEVOPSDAYS VANCOUVER 2014 @dougbarth

Slide 2

Dev Ops

Slide 3

DevOps Engineer

Slide 5

How is babby PagerDuty formed?

Slide 7

Reliability is #1 concern

Slide 8

SPOFs

Slide 9

Failover

Slide 10

Scaling

Slide 11

Centralized in code
Enforced across all infrastructure

Slide 12

Benefits
Examples
Tradeoffs

Slide 13

Audit trail for all changes

Slide 14

User management

Slide 15

LDAP

Slide 16

Chef data bags

Slide 17

    {
      "id": "doug",
      "comment": "Doug Barth",
      "github_id": "dougbarth",
      "email": "[email protected]",
      "groups": ["ops", "wheel"]
    }

Slide 18

How’s it working?

Slide 22

Automated checks?

Slide 23

Time to convergence

Slide 24

Incremental rollout

Slide 25

Service discovery

Slide 26

HAProxy

Slide 27

[Diagram labels: Client, HAProxy, Server, Server, Server, Client, HAProxy]

Slide 28

How’s it working?

Slide 29

Mostly ok

Slide 32

Time to convergence

Slide 33

Zookeeper? Consul?

Slide 34

All boxes enforce policy

Slide 35

Network encryption

Slide 36

[Diagram labels: us-west-1, us-west-2, Linode]

Slide 37

IPSec Transport

Slide 39

    spdadd 50.0.0.70 10.0.0.153 any -P out ipsec esp/transport//require;
    spdadd 10.0.0.153 50.0.0.70 any -P in ipsec esp/transport//require;

Slide 40

    spdadd 10.0.0.121 10.0.0.153 any -P out ipsec esp/transport//require;
    spdadd 10.0.0.153 10.0.0.121 any -P in ipsec esp/transport//require;

Slide 41

How’s it working?

Slide 43

Linux & UDP

Slide 44

Time to convergence

Slide 45

No perimeter

Slide 46

Firewalls

Slide 47

[Diagram labels: Firewall, App, DB, Junk]

Slide 48

Define firewall chains by role

    :app -
    -A app -s 10.0.0.1 -j ACCEPT
    -A app -s 50.0.0.1 -j ACCEPT

Slide 49

Use those chains in firewall definitions

    -A INPUT -p tcp --dport 3306 -j app
    -A INPUT -p tcp --dport 3306 -j slave

Slide 50

[Diagram labels: Firewall, App, DB, Junk]

Slide 51

How’s it working?

Slide 52

Long chains

Slide 53

O(n)

Slide 54

ipset

Slide 55

O(1)
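
The per-role chains on the earlier firewall slides are walked one member at a time, which is the O(n) cost named above; an ipset turns that walk into a single hash lookup. The Ruby below is an added example, not code from the talk or from PagerDuty's cookbooks, and renders the same role membership both ways. The inventory and port map, the `slave` member address and every function name are assumptions made for illustration.

```ruby
require 'ipaddr'

# Constructed inventory: role => member IPs. The "app" addresses are the ones
# on the slide; the "slave" member is made up for illustration.
ROLES = { 'app' => %w[10.0.0.1 50.0.0.1], 'slave' => %w[10.0.0.2] }.freeze
# Constructed policy: destination port => roles allowed to connect.
SERVICES = { 3306 => %w[app slave] }.freeze

ROLE_NAME = /\A[a-z][a-z0-9_]{0,23}\z/ # leaves room for the "_tmp" suffix
IPV4_HOST = /\A\d{1,3}(\.\d{1,3}){3}\z/

# Refuse anything that is not a plain role name or a single IPv4 address, so
# a bad inventory entry cannot add extra tokens to a generated rule.
def validate!(roles)
  roles.each do |role, ips|
    raise ArgumentError, "bad role name: #{role.inspect}" unless role =~ ROLE_NAME
    ips.each do |ip|
      raise ArgumentError, "bad address: #{ip.inspect}" unless ip =~ IPV4_HOST
      IPAddr.new(ip) # raises (an ArgumentError subclass) on out-of-range octets
    end
  end
end

# Slide-style output: one chain per role, one rule per member (linear walk).
def chain_rules(roles)
  roles.flat_map { |role, ips| [":#{role} -"] + ips.map { |ip| "-A #{role} -s #{ip} -j ACCEPT" } }
end

# Input for `ipset restore`: fill a temporary set, then swap it in, so the
# live set is never seen half-populated while membership converges.
def ipset_restore(roles)
  roles.flat_map do |role, ips|
    tmp = "#{role}_tmp"
    ["create #{role} hash:ip -exist", "create #{tmp} hash:ip -exist", "flush #{tmp}"] +
      ips.map { |ip| "add #{tmp} #{ip}" } + ["swap #{tmp} #{role}", "destroy #{tmp}"]
  end
end

# One hashed set lookup per (port, role) replaces the jump into a long chain.
def input_rules(services)
  services.flat_map do |port, roles|
    roles.map { |r| "-A INPUT -p tcp --dport #{port} -m set --match-set #{r} src -j ACCEPT" }
  end
end

validate!(ROLES)
puts chain_rules(ROLES), '', ipset_restore(ROLES), '', input_rules(SERVICES)
```

The INPUT rule count stays at one per port and role however many members a role gains; only the set contents change between Chef runs.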

Slide 56

Time to convergence

Slide 57

Developers welcome

Slide 61

Centralized in code
Enforced across all infrastructure

Slide 62

pagerduty.com/jobs
SAN FRANCISCO AND TORONTO

Slide 63

pagerduty.com/jobs
Thank you.