Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native Security Conference North America 2021 / 30 Oct 2021
Cloud Native Computing Foundation / Cloud Native Security Conference North America 2021 / 30 Oct 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Strengthening Supply Chain Security By Enforcing Policies Using OPA G... Rita Zhang & Sertaç Özercan

Description

Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Strengthening Supply Chain Security By Enforcing Policies Using OPA Gatekeeper on Kubernetes- Rita Zhang & Sertaç Özercan, Microsoft

Open Policy Agent (OPA) Gatekeeper is a general-purpose policy engine for Kubernetes and provides various means to validate and mutate Kubernetes resources to enforce policies. In many of these scenarios, this data has to be either built-in, static or user-defined. However, to strengthen supply chain security this data needs to be dynamic, and is usually stored in external services, such as container registries. With Gatekeeper external data feature, Gatekeeper offers a provider-based model to enforce policies to strengthen supply chain security by validating artifacts like checking for image vulnerabilities, image signatures, software bill of materials (SBOM). In this talk, we are going to talk about how OPA Gatekeeper can be used to enforce policies to validate container images and secure your Kubernetes cluster.

A

Hi welcome to the section in this session we'll talk about how open policy agent gatekeeper can help you to strengthen your supply chain security. I'm rita.

B

Hello, I'm sartech. We are maintainers of the oppa gatekeeper project.

A

So uh first you might ask well what is gatekeeper. um Well, gatekeeper is a customizable kubernetes emission and mutation webhook. It helps us enforce policies and strengthen governance. It enforces policies executed by the open policy agent, a policy agent for cloud native environments, and it is a cncf graduated project.

A

Let's see how you can leverage it to extend supply chain security and governance in your kubernetes environment, all right. So, let's uh dive a little deeper in gatekeeper for supply chain security with external data feature. Gatekeeper can now be used for validating and mutating kubernetes objects using the data that is coming from external data sources in a generic and plugable way.

A

Gatekeeper is an interface to external data sources such as image registries, and it is developed using a provider-based model so that the specific external data logic can be written by providers outside of gatekeeper.

B

And let's look at some potential use cases for validation. For example, we have image signing. We can check whether an image is signed or not. Another example is image vulnerabilities.

B

You can check if an image of critical vulnerabilities, for example, and then on the mutation side, we can mutate an image tracked to a digest uh so which helping us to uh pin to a specific uh shot digest for for a uh for an image and um another example of a mutation is uh we could use um active directory or ldap directory uh to mutate uh labels and or annotations to add owners, so you can tell who created those communities, objects.

A

Do we get to see this in action? Yes,.

B

Let's do a demo.

A

Awesome.

B

Yeah, let's start with our demo and we're going to look at take a look at our cluster first here you can see our gatekeeper controller manager and gatekeeper audit pods here.

B

And let's look at our providers next uh here you can see there are the the registered providers uh with gatekeeper. They basically uh map to services that are running behind these deployments, such as the treaty provider.

A

Or tag to digest.

B

Provider.

B

So in next we are going to look at our assign crd, which is the mutation crd. One.

A

Of the mutation crds.

B

For gatekeeper, so you can see that this.

B

This object uh takes a an image and uh for for all containers, and then it uses the external data data source, which is value at location, which means the images images value by using the tag to digest provider, to mutate, the value of the image to the same um value of the image, a pendant would it with the image image digest and in the next example, we are going to take a look at the the deployment file here you can see uh the tag which, which does not have uh contain a sha in here, is the the one uh with the digest already included.

B

So we should see the first one to mutate. Well, the second one does not get mutated. So let's go ahead and deploy our deployment.

B

And then, let's take.

A

A look at uh the object.

B

As I mentioned earlier, we could see that the first um container got mutated with the digest, while second one still has the same digest.

A

Very cool.

B

And then the next one uh we want to take a look at is the cosine provider. uh Cosine provider is a validation based uh provider where um you can check the if a container image uh is is signed or not using the cosine project in six store- and um this is our gatekeeper constraint, template uh where we pass the container image to the external data source and we basically check the response from the.

B

External data provider- and then here you can see our constraint, which has the enforcement action denied. So we we should uh didn't, deny the deployment if it is not signed, and then in here you can see a test deployment which is an unsigned image. uh This is like a pause image which is not signed, so we are going to go ahead and deploy this, and we should see our container should be denied.

B

And uh like we mentioned um it did get declined because it does not contain a valid cosine image and then so, let's look at a a signed image. So in this case we are looking at the distributor, static uh latest tag and we're going to deploy that, and this should go and be created.

A

All right, so next, let's look at how we can use this feature to block vulnerabilities here, as you can see, is a gatekeeper, constraint, template which contains the rego that says hey for any containers. We want to talk to the trivia provider, which provides us with vulnerability data right. The attribute does a lot of scanning and returns the number of vulnerabilities and the high low or medium, and based on that, then uh you know we in the in our policies.

A

We can decide if we want to deploy or block the vulnerability or not or or maybe return a warning right. So here uh next we're gonna, deploy this constraint, template and.

A

And here gatekeeper will basically reach out to trivia provider, and then here, as you can see, we have a constraint and the constraint says: okay enforcement action is worn, so I don't actually want to block, but just give people a warning that they're deploying something bad- and here, as you can see, is an example deployment that contains vote. That may contain a vulnerability, and here we are using alpine as our example image and as soon as I deployed this, let's see what trivia returns.

A

All right, and here, as you can see, it returns a warning. It's telling us hey for this alpine image. You have 30 vulnerabilities, but we're not actually going to block the deployment all right. uh Next, um let's see how it will work for a phone, an image- that's not vulnerable right um here, as you can see we're using uh the static digitalist image. Let's see if, um if we're right, let's see if see, if trivia identifies any vulnerability all right, so it was true yeah all right.

A

Next, we have the aad use case, in which case you know a lot of companies.

A

A lot of organizations want to identify owners of kubernetes resources, and here we are leveraging mutating the mutation feature in gatekeeper, which, as you can see here, is a custom resource called assign metadata, which says hey for you know for config maps that I'm deploying I want to provide a label called owner and that data actually comes from a provider called aad provider right and that data will then be mapped, as it would then be used as the owner label for these configmap resources.

A

So let's take a look at how that works.

A

So we're going to apply this assign metadata resource and then and then now, as you can see, we have a test config map and once we apply it, let's see if it actually gives us the label.

B

It looks like you're applying that with a specific user.

A

Yes, you're, and this is the user, the aad user, all right, let's take a look if the mutation is working.

B

Yeah, it looks like I, the labels got mutated and that's my yeah.

A

It's you, so it works great all right. That was a fun demo um hope you enjoyed the demonstration of many many use cases that you can actually start applying in your organization with gatekeeper and the new external data feature we would love to get feedback from from the community, so definitely come. Give us feedback and open issues in github and slack and join us in our weekly community call.

A

Thank you. Thank you.