Rudder: what is it and what makes it different?

Rudder
February 06, 2023

🎥 https://youtu.be/rkfxtT861es
🧑 Nicolas Charles
📅 Configuration Management Camp 2023

Rudder is an open source security and configuration management tool that focuses on compliance and continuous audit. It allows users from different teams and backgrounds to configure and extract data through both the UI and API, providing a fast feedback loop. Since its first release 10 years ago, Rudder has been used by organizations of all sizes, from small installations to large deployments of over 15,000 nodes.

In this talk, we will introduce Rudder and explain what sets it apart from similar tools. We will also discuss the current evolution of Rudder towards operational security and its impact on the product. If you are new to Rudder or interested in learning more about compliance and configuration management, this talk is for you.

Transcript

  1. Rudder
    What is it, and what makes it different?

  2. Outline
    This talk presents Rudder.
    It starts with an introduction to the tool, and continues with its recent evolutions.

  3. Introduction
    Nicolas CHARLES
    Head of Customer Service
    Co-founder of Rudder
    French
    Father

  4. A Brief Overview

  5. All rights reserved
    Agnostic automation
    Asset management
    Automation features
    Continuous configuration
    Standard compliance
    General Architecture
    Multiplatform & Multi-OS

  6. Node Management
    Multiplatform lightweight agent. A Node is a system with a Rudder agent installed on it.
    Each Node with an agent is automatically added to the environment, and Rudder will recover all information from it.

  7. Full System Inventory
    Each Node has a dynamic inventory.

  8. Full System Inventory
    Each Node has a dynamic inventory.
    It can be extended with properties (key=value), optionally synced by REST API with other tools like a CMDB.

  9. Groups
    Two group types: Dynamic or Static.
    With a Dynamic group, you can add Nodes based on various criteria from the inventory or custom properties from Nodes.
    Each group can have its own properties, and nodes inherit their properties from the groups.

  10. Continuous Configuration
    Unlike orchestration tools, Rudder will keep your configuration up to date and in a targeted configuration state.
    [Figure panels: With Orchestration, With Rudder]
    You will always find your configuration as defined in the initial state.

  11. Visual configuration builder
    Rudder provides a graphical solution to build the desired state of configuration.

  12. Audit or Enforce
    Two modes:
    ● The audit mode ensures that our configuration meets the requirements. It doesn't make any changes; it only performs a simple verification.
    ● The enforce mode will make changes only if the configuration does not match what has been defined. This is known as remediation.

  13. Rudder Architecture
    Every 5 minutes, agents pull their configuration from the Rudder server and perform a local check.
    In Enforce mode, the agent will automatically remediate all drift from the desired configuration and report the new status.

  14. Push Mode / Pull Mode
    [Diagram labels: Rudder, Node]
    Push Mode:
    - Manual Synchro Needed
    - Many Streams to Open
    - Network Availability
    Pull Mode:
    + Asynchronous
    + Security Enhanced
    + Constant Conformity

  15. What’s new?

  16. Evolution toward operational security
    Rudder users can prove their compliance and improve their security posture

  17. Evolution toward operational security
    Rudder users can prove their compliance and improve their security posture
    System administrators, cloud users and also security teams in charge of hardening will excel thanks to Rudder.
    Continuous hardening, control and audit of the security posture, application of security standard recommendations, and patch management can all be fulfilled by Rudder.

  18. Patch management
    In Rudder 7.x we introduced features around patch management:
    ● List available updates
    ● Full system updates
    Patch management
    Configuration synchronization
    YAML
    Improved compliance

  19. Configurations Import/Export
    In Rudder 7.2, we improved the synchronization of configuration between environments:
    ● API to export an object with its dependent objects
    ○ Rule + Groups + Directives + Techniques
    ● API to import and replace said object
    In Rudder 7.3, option to import rules without groups

  20. YAML
    Rudder 7.3: transpiler from YAML to agent language
    ● Storage format for the Technique Editor
    ● Stable format for sharing/exporting/importing

  21. YAML
    Rudder 7.3: transpiler from YAML to agent language
    Based on the rudderc component:
    ● Takes a YAML technique and local generic methods
    ● Validates the correctness of the technique
    ● Generates the content
    ● Provides a compile-and-run command to test the Technique, without a Rudder server

  22. Improved compliance
    Rudder 7.3: Compliance per directive
    New tab on the Directive page for Compliance of the directive

  23. Improved compliance
    Rudder 7.3: Compliance per directive
    New tab on the Directive page for Compliance of the directive
    Exportable in CSV

  24. Improved compliance
    Rudder 8.x: Make compliance more useful
    I want to find out what is red on that node.
    Then, I want to find similar nodes - but I don't know what similar is, I need to explore.
    Next I need to choose relevant attributes to make the problem understandable - inventory parts, applied directives, etc.
    Finally I want to export data in an actionable format - csv, xls, json

  25. Improved compliance
    Rudder 8.x: Explore & Extract non-compliance
    ○ query
    ● pull
    ● spanning several data providers
    ● homogeneous/powerful query language
    ● extensible backend
    ● structured, filtered result set
    ○ transversal security (authorizations)
    ● some data cannot be viewed by some roles
    ○ export in CSV / Excel / …

  26. Improved compliance
    Rudder 8.0: GraphQL
    ● Simple query language
    ● Works on patterns
    ● ask fields on objects
    ● no built-in boolean logic, etc
    ● Based on typed schema
    ● Backend agnostic, easily extendable
    ● Notion of authorization at data

  27. Improved compliance
    Rudder 8.0: GraphQL
    ● This is a BIG evolution
    ○ provide stable foundation for higher level needs
    ● Goals:
    ○ validate that it actually works for us
    ■ get performance data points & user feedback
    ○ expose low level engine as soon as 8.0
    ■ with some "Beta" warning sign
    ● scope for 8.0:
    ○ core schema
    ■ nodes, groups, directives, techniques, rules...
    ○ some queries on them
    ○ know how to extend

  28. Demo