Kubernetes, as we know, coordinates a highly available cluster of computers that are connected to work as a single unit. Kubernetes contains a number of abstractions that allow deployment of containerized applications to the cluster without attaching them to individual machines.
In short, Kubernetes is –
In this post, I’ll explain what Kubernetes policies are and how they can help you manage and secure the Kubernetes cluster. We would also be looking at why we need a policy engine to manage, author the policies.
Cross posted from : InfoQ.com
In simplest terms, policies define what end-users can do on the cluster and possible ways to ensure that clusters are in compliance with organization policies. Policies could be of type Governance, for example, to meet some of the organizational conventions or it could be to meet legal requirements or to enforce best practices.
Policy-enablement empowers organizations to take control of Kubernetes operation and ensure that clusters are in compliance with organization policies.
Simplified Operations | Governance team can make updates to policies at any time without recompilation or redeployment of services. |
Ease of Policy Enforcement | 100% Fully Automated deployment, discovery and enables uniformity of policy deployment, compliance, conflicts etc., |
Automated discovery of violations, conflicts | |
Flexible to the changing requirements | Policy authors can read, write, and manage rules without any need for special development or operational knowledge. |
Key benefits of Policy Enablement
By default, containers run with unbounded compute resources on a Kubernetes cluster. To limit or restrict you have to implement appropriate policies in the following ways:
As you can see from above there is NO single security configuration for Kubernetes. For example, to define what a specific user can do, the groups they belong to, the actions they can perform on various Kubernetes resources (pods, deployments, services, etc), the network and pod security policies that apply to the objects they create, etc. cannot be expressed as rules across different policy components.
Due to the lack of single-point security solution, ensuring compliance manually can be error-prone and frustrating. There is a need for a lightweight general-purpose policy engine that and allows developers to operate independently without sacrificing compliance and also ensures ease of policy enforcement, automated discovery of violations, conflicts. Policy Authors would be also able to author and deploy custom policies that control the behavior of the service’s policy-enabled features.
Open Policy Agent Gatekeeper enforces policies and strengthens governance on the Kubernetes cluster. Following are the key functionalities it provides:
Kubernetes provides Admission controller webhooks (HTTP Callbacks) to intercept admission requests before they are persisted as objects in Kubernetes, OPA Gatekeeper uses the same for making policy decisions from the API Server. Once all object modifications are complete, and incoming object is validated by the API server, validating admission webhooks are invoked and they can either reject or accept requests to enforce policies.
Gatekeeper enforces CRD-based policies executed by Open Policy Agent and thus enables users to have customize admission control via configuration.
In this example, we would be defining a new constraint template and constraint that requires all labels to be present and valid. Here, I’m going to use the samples that come up with the OPA Gatekeeper installation.
To deploy a released version of Gatekeeper on the cluster with a prebuilt image, run the following command.
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
We have our Kubernetes cluster ready, let’s install Gatekeeper with a prebuilt image.
Gatekeeper Role, CRDs are now installed. The next step is to create a new constraint template to enforce labels on the namespace to be present and valid.
ConstraintTemplate defines what needs to be enforced and the schema of the constraint. Here if you notice the openAPIV3Schema and targets the constraint field allows users to fine-tune the behavior of a constraint.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
listKind: K8sRequiredLabelsList
plural: k8srequiredlabels
singular: k8srequiredlabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide labels: %v", [missing])
}
Install ConstraintTemplate
with the following command
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/templates/k8srequiredlabels_template.yaml
ConstratintTemplate
is created, the next step is to define constraint and apply it to Namespace.
Following constraint uses the K8sRequiredLabels
constraint template defined in the previous step. The next step is to use constraints to make sure the gatekeeper label is defined on all namespaces.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels: ["gatekeeper"]
match
field, which defines the scope of objects to which a given constraint will be applied.
kinds
accept a list of objects with apiGroups and kinds of fields that list the groups/kinds of objects to which the constraint will apply.namespaces
is a list of namespace names. If defined, a constraint will only apply to resources in a listed namespace.labelSelector, namespaceSelector
is a standard Kubernetes label and namespace selector.Install above Constraint with the following command
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/constraints/all_ns_must_have_gatekeeper.yaml
ConstratintTemplate
is created, the next step is to define constraint and apply it to Namespace.
The following constraint uses the K8sRequiredLabels constraint template defined in the previous step. The next step is to use constraints to make sure the gatekeeper label is defined on all namespaces.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels: ["gatekeeper"]
match
field, which defines the scope of objects to which a given constraint will be applied.
kinds
accept a list of objects with apiGroups and kinds of fields that list the groups/kinds of objects to which the constraint will apply.namespaces
is a list of namespace names. If defined, a constraint will only apply to resources in a listed namespace.labelSelector, namespaceSelector
is a standard Kubernetes label and namespace selector.Install above Constraint with the following command
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/constraints/all_ns_must_have_gatekeeper.yaml
Now that ConstraintTemplate & Constraint is enabled, let’s try out to create new namespace without label.
As you can see, OPA Gatekeeper has prevented namespace creation without labels. Next, we can look at the example on how to set container limits policy.
In this example, we would be defining a new constraint template and constraint that requires container limits to be specified during the definition of Pod.
We are going to reuse the Kubernetes cluster with Gatekeeper components installed in the previous demo. Our first step is to define the constraint template.
ConstraintTemplate defines what needs to be enforced and the schema of the constraint. Here limits are defined in k8scontainterlimits_template.yaml
.
Install ConstraintTemplate
with the following command
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/agilebank/templates/k8scontainterlimits_template.yaml
The next step is to define constraints to make sure that CPU and memory should be equal or less than 200m and 1Gi limits.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "200m"
memory: "1Gi"
Now that we have ConstraintTemplate & Constraint created, let’s try out creating new resources without limits.
apiVersion: v1
kind: Pod
metadata:
name: opa
namespace: production
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/agilebank/bad_resources/opa_no_limits.yaml
As you can see, ConstraintTemplate & Constraint
restricts the pod creation without limits.
Congrats! We have successfully enforced policies with the OPA Gatekeeper Policy engine.
To uninstall Gatekeeper policy engine, first clean up old Constraints, ConstraintTemplates, and the Config resource in the gatekeeper-system namespace and then uninstall Gatekeeper. Currently, the uninstall action only removes the Gatekeeper system. This will make sure all finalizers are removed by Gatekeeper. Otherwise, the finalizers will need to be removed manually.
Though Open Policy Agent Gatekeeper enables Kubernetes administrators to have fine-grained policy-based control across the stack but applying policies are not without challenges because of the complex nature of deploying applications.
Like this post? Don’t forget to share it!
Operating a business often entails balancing tight schedules, evolving market dynamics, and shifting consumer requirements.…
Of course, every site has different needs. In the end, however, there is one aspect…
In today's digital-first world, businesses must adopt effective strategies to stay competitive. Social media marketing…
62% of UX designers now use AI to enhance their workflows. Artificial intelligence (AI) rapidly…
The integration of artificial intelligence into graphic design through tools like Adobe Photoshop can save…
The cryptocurrency trading world has grown significantly in recent years, with automation playing a key…
This website uses cookies.