Docker Rosenheim Meetup -Policy & Governance for Kubernetes

Our team is happy to present you a very hot topic in a world of Kubernetes – Policy & Governance for Kubernetes. Due to the current situation, we decided to host our Docker Rosenheim meetup via the widely popular video platform YouTube. Our Docker community leader Nico Meisenzahl will guide you through this topic and show some useful demos. For all those interested in this topic, the replay of our Meetup is available here:

Here is an english version of the meetup Policy & Governance for Kubernetes for our international audience.

Policy & Governance für Kubernetes

So, why do we need Governance and Policy for Kubernetes? Kubernetes provides Role-based Access Control (RBAC) which allows Operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. As already mentioned this is a necessary requirement to be able to define the policy boundaries. Some examples are:

  • whitelist of trusted container registries and images
  • required container security specifications
  • required labels to group resources
  • permit conflicting Ingress host resources
  • permit publicly exposed LoadBalancer services

This is where Policy and Governance for Kubernetes comes in. But let me first introduce you to Open Policy Agent. Open Policy Agent is the foundation for policy management on Kubernetes or even the whole cloud-native ecosystem.

Open Policy Agent

Open Policy Agent (OPA) is an open-source project by styra. It provides policy-based control for cloud-native environments using a unified toolset and framework and a declarative approach. Open Policy Agents allows decoupling policy declaration and management from the application code by either integrating the OPA Golang library or calling the REST API of a collocated OPA daemon instance.

With this in place, OPA can be used to evaluate any JSON-based inputs against user-defined policies and mark the input as passing or failing. With this in place, Open Policy Agent can be seamlessly integrated with a variety of tools and projects. Some examples are:

  • API and service authorization with EnvoyKong or Traefik
  • Authorization policies for SQL, Kafka and others
  • Container Network authorization with Istio
  • Test policies for Terraform infrastructure changes
  • Polices for SSH and sudo
  • Policy and Governance for Kubernetes
https://www.openpolicyagent.org/

Open Policy Agent policies are written in a declarative policy language called Rego. Rego queries are claims about data stored in OPA. These queries can be used to define policies that enumerate data instances that violate the expected state of the system.

OPA Gatekeeper — the Kubernetes implementation

Open Policy Agent Gatekeeper got introduced by Google, Microsoft, Red Hat, and styra. It is a Kubernetes Admission Controller built around OPA to integrate it with the Kubernetes API server and enforcing policies defined by Custom Resource Definitions (CRDs).

The Gatekeeper webhook, gets invoked whenever a Kubernetes resource is created, updated, or deleted which then allows Gatekeeper to permit it. In addition, Gatekeeper can also audit existing resources. Polices, as well as data, can be replicated into the included OPA instance to also create advanced queries that for example need access to objects in the cluster other than the object under current evaluation.