►
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Avoiding IAC Potholes with Policy + Cloud Controllers - Andrew Martin, ControlPlane
In large organisations, enabling and securing self-serve cloud infrastructure for teams hosting their applications on Kubernetes is hard. Most large organisations implement Enterprise Security Architectures featuring IAC pipelines with Policy as Code frameworks at the outset of their cloud journey, which are found to be not fit for purpose when teams use Kubernetes to provision infrastructure either natively, through services of type Loadbalancer, or using hosted cloud controllers such as Crossplane. In this talk, Rowan will demonstrate how infrastructure and security teams can use policy engines (Kyverno) to secure a model that uses Kubernetes native and hosted cloud controllers (such as Crossplane) to provision infrastructure. This model enables application teams to self-serve, whilst preventing the launch of insecure infrastructure and enforcing compliance and security requirements centrally. To ease adoption of the model, Rowan will open source an example library of policies integrated with OSCAL for commonly used services across AWS, enforcing controls aligned with NIST800-53 in a manner that can be audited by compliance teams, and simplifying the developer experience by enabling the dynamic generation of cloud resources with secure defaults.
A
Thank
you
for
the
work
you
put
in
today
and
I
hope
that
as
much
justice
as
possible,
we
will
be
talking
about
infrastructures,
code
potholes
with
Cloud
controllers.
This
is
the
reverse
intersection
of
of
get
Ops
essentially
and
event
driven
automation.
So,
when
we're
trying
to
do
infrastructure
as
code
with
with
Adventure
of
an
automation,
where
are
the
foot
guns?
How
do
we
fix
things
and
where
can
existing
tooling
come
into
play?
A
So
we're
going
to
talk
about
some
pain
points?
We've
seen
around
configuring
infrastructure
securely
at
scale
within
large
organizations
using
cloud
and
policy
controllers
in
kubernetes
to
address
some
of
these
issues
and,
as
I
say,
a
huge
thanks
to
Rowan
and
Henry.
Very
briefly,
Rowan
runs
the
security
team
at
control.
Plane,
control
plane
is
a
cloud
native
security
consultancy.
We
are
based
out
of
London
UK.
We
have
offices
in
North,
America
and
Asia
Pacific
and
mostly
do
Consulting
for
regulated
Industries.
A
A
B
I
think
should
be
oh,
my
God
food
poisoning
a
couple
of
days
ago,
so
I've
been
unable
to
to
travel
just
wanted
to
introduce
the
talk
before
my
distinguished
role
playing
colleagues
take
over
today.
We're
looking
to
show
how
kubernetes
provisioning
infrastructure,
such
as
load
balances,
can
cause
issues
for
large
organizations
in
regulated
Industries.
B
A
You
Ron
right.
There
are
some
demos.
Fortunately
they
have
been
ASCII
cinemod
for
me,
so
I
can't
book
to
them,
let's
rock
and
roll,
so
using
infrastructure
as
code
policy
I'm.
Sorry,
my
slides
a
little
bit
booked
with
policy
gates
to
ensure
infrastructure
is
securely.
Provisioned
should
form
the
backbone
of
any
Cloud
security
program.
A
We
can
create
infrastructures
code
templates
using
terraform
at
Al
that
hard
codes
secure
by
default
configurations
that
we
can
distribute
and
reuse
for
consumers
of
cloud
infrastructure
in
large
organizations,
and
we
can
back
this
up
by
allowing
users
some
degree
of
customization
adding
policy
Gates
into
pipelines
using
tools
such
as
Sentinel
policy
opa
check
of
Etc.
However,
this
does
not
account
for
infrastructure
provisions
in
an
event
driven
basis
by
Cloud
infrastructure.
A
However,
this
can
bypass
infrastructure
as
code
controls,
going
back
to
everything
to
finders
code
and
get
Ops.
These
things
just
appear
in
our
dashboards
rather
than
being
defined
and
subject
to
policy.
Annotations
can
Define
that
load
balances
configuration
and,
if
unrestricted,
can
create
insecure
infrastructure
by
adding
routes
and
punching
through
otherwise,
theoretically
secure
policies
and
firewalls.
A
We
can
see
from
this
example
that
the
SSL
cert
is
commented
out
and
the
load
balancer
is
internet
facing.
It
is
easy
to
footgun
or
intentionally
bypass
policy.
In
this
way,
trying
to
provision
a
load
balancer
via
infrastructure
is
code
like
terraform
and
then
integrate
it
with
kubernetes,
which
gives
us
something
that
we
can
apply
policy
to
is
more
difficult,
PODS
of
node
scale,
with
non-static
IPS,
of
course,
and
encoding.
These
targets
into
the
balancing
pool
of
a
load
balancer
is
difficult.
A
In
fact,
you
can
end
up
using
a
controller
to
do
this.
Whilst
you
might
end
up
with
something
that's
compliant
to
policy,
you
complicate
life
for
developers
and
operators,
so
The
Logical
way
to
ensure
these
types.
These
Services
of
type
load
balancer
are
secure,
is
to
use
a
policy
engine
such
as
caverno
or
open
GateKeeper.
A
That
persistence
then
feeds
into
the
policy
into
the
provisioning
engine,
and
then
the
infrastructure
is
either
permitted
to
deploy
or
not
based
on
the
presence
of
that
entity,
using
admission
controllers
and
Cloud
controllers.
In
tandem,
we
have
a
single
enforcement
points
for
application
and
infrastructure,
with
policy
defined
as
code.
A
There
are
now
quite
a
few
Cloud
infrastructure
controller
projects
such
as
AWS,
ack,
Google,
config
connects
and
cross
plane,
and
these
broadly
follow
the
operator
pattern.
Custom
resources
within
the
cluster
paired,
with
reconciling
controllers
for
managing
Cloud
infrastructure,
the
benefits
of
this
approach.
A
There
is
potentially
less
developer
complexity,
as
plus
the
tenants
are
consuming
a
single
kubernetes
deployment
pipeline
for
applications
and
related
infrastructure.
There
is
a
you
build
it.
You
run
it
concertina
of
of
runtime,
SRE,
devopsy
style,
risk
and
management.
Here
this
won't
work
for
all
organizations.
A
So,
of
course,
this
is
then
Reliant
upon
a
lack
of
mutation
for
these
entities
coming
through
the
kubernetes
API,
because
we
get
back
into
the
same
situation
where,
if
we
don't
have
a
an
offline
representation
of
the
realized
cluster
State.
Well,
then
we've
got
a
Reconciliation
Gap,
even
if
the
operator
thinks
it's
done.
The
right
thing,
because
the
mutate
mutating
admission
controller
has
added
in
those
extra
annotations
or
sidecars
all
custom
resource
definitions.
In
this
case,
the
controller
pattern
provides
some
drift
protection
with
those
caveats.
A
The
infrastructure's
code
configuration
that
we
would
do
traditionally
so
some
early
projects
in
this
space
to
find
the
single
controller
per
cloud
service
API,
but
the
reality
is
that
creating
infrastructure
securely
is
not
only
about
creating
one
service
and
setting
specific
configuration
options.
These
are
the
guard
rails,
removing
knobs
and
dials
in
order
to
stand
up
a
secure
by
default
configuration
often,
we
also
require
other
pieces
of
infrastructure
in
place.
A
Take
S3,
which
we
will
discuss
a
little
bit
more
today.
Not
only
do
we
need
to
create
the
buckets
and
configure
it
properly,
but,
additionally,
we
need
to
create
the
IM
roles
and
users
for
access
to
those
buckets,
the
KMS
keys
for
back-end,
encryption,
etc,
etc.
Presumably
some
population
of
the
bucket
as
well
cross
plane
as
a
project,
looks
to
address
some
of
this
issue.
For
us
it
is
a
cncf.
Incidentally,
this
is
a
project
that
control
plane
is
often
mistaken,
for
cross-plane
is
a
cncf
incubating
project
that
enables
platform
teams
to
build
abstractions.
A
A
A
Excuse
me,
I'm
having
trouble
with
this
guy
in
much
the
same
way
as
terraform
providers
take
some
time
to
come
to
maturity.
So
we
see
the
same
sort
of
underlying
integration
Point
here.
Ultimately,
we
are
configuring
distributed
systems,
and
so
we
expect
things
to
fail.
Resilience
needs
to
be
built
into
controllers
and
shaking
out
bugs
just
takes
a
bit
of
time.
A
A
We
need
a
cluster
on
which
to
install
cross
plane
itself,
unironically,
that's
provisioned
via
terraform,
in
the
repo
that
we
will
open
source
to
support
this
talk,
but
the
biggest
issues
that
we
see
for
many
large
organizations.
They
have
all
infrastructure
defined
as
code
with
configurations
vetted
using
policy
engines.
A
A
So
we
need
to
establish
trust
in
a
security
model
for
provisioning
cloud
infrastructure
via
kubernetes
controllers,
and
we
will
look
at
how
we
do
that.
We
have
a
proof
of
concept
project
that
demonstrates
that
we
can
address
these
controls
and
be
in
a
good
place
from
a
security
standpoint
when
widespread
adoption
occurs,.
A
The
library
that
we
will
open
open
source
here
to
be
made
public
soon
I
will
do
that
after
the
talk
contains
libraries
of
validating
policy
for
S3
and
RDS
provisioned
using
the
cross
plain
Community
AWS
provider,
these
libraries
are
aligned
to
nist
853,
Rev
5.
and
instead
of
generating
mountains
of
policy
and
yaml,
that
might
ultimately
be
forgotten.
We
also
started
to
look
at
how
to
make
those
policies
enable
the
documentation
of
compliance
in
an
automated
manner.
A
A
A
Okay,
so
what
we've
been
doing
is
making
sure
there
are
no
existing
cluster
policies.
The
cluster
has
just
had
caverno
and
cross
plane
installed
on
it.
The
policies
we've
created
for
S3
exists
in
the
ls
policy.
From
the
previous
moments,
preventing
Public
Access
encryption
enforcement
HTTP
get
requests
Etc.
This
is
what
a
typical
caverno
cluster
policy
looks
like
in
this
case,
we're
ensuring
the
S3
bucket
object
was
configured
with
KMS
server-side
encryption
by
default
and
a
validation
failed.
In
that
case,
the
object
was
rejected
from
the
cluster,
preventing
the
launch
of
insecure
configuration.
A
A
A
Okay,
we've
validated
that
they
exist,
so
we've
created
a
bucket
called
the
authorized
bucket
that
satisfies
all
of
these
policies.
This
is
the
first
30
odd
lines
of
that
documents,
but
when
we
apply
it
on
its
own
to
the
cluster,
it
will
fail
because
a
bucket
policy
to
deny
HTTP
get
requests
needs
to,
firstly
exist
and
reference
our
buckets
to
satisfy
the
security
requirements.
A
Next,
we
will
look
at
the
required
cross-plane
bucket
policy.
This
is
attached
to
our
authorized
bucket
through
the
bucket
name
reffield,
which
is
incoming
on
eight
and
nine
lines.
Eight
and
nine
there.
As
you
can
see,
the
policy
denies
all
requests
that
have
AWS
secure
transport,
set
the
false
on
lines:
18,
19
and
24
and
25.
A
A
It
will
take
a
moment
for
the
bucket
to
show
as
ready,
because
the
S3
server
logging
is
on
a
best
effort
basis,
and
it
can
take
some
time
for
the
bucket
itself
to
report
it's
ready
and
then,
finally,
when
applying
the
basic
buckets,
it
will
be
rejected
on
multiple
counts.
There
we
go
so
that
is
the
bucket
which
we
expected,
but
now
the
basic
bucket
will
be
rejected
and
with
a
caverno
test
filed
for
sure
ensure
the
policies
are
behaving.
A
A
A
So
that's
a
first
view
for
how
this
can
be
achieved,
so
we've
just
created
more
yaml
to
throw
at
the
cluster
without
fully
defining
where
our
controls
come
from
and
I
appreciate
the
frustration
this
brings
and
how
difficult
managing
yaml
policy
at
scale
truly
is.
There
are
entire
talks
on
that.
One
of
our
colleagues
control
plane
by
the
name
of
Mr
Chris
Nesbitt
Smith
has
a
fantastic
talk,
called
versioned
policy
as
code
which
looks
at
how
to
make
policy
changes
across
massive
government
organizations.
A
Here
we
get
into
oscow
so
using
our
scale
documents
as
a
source
of
Truth
for
the
enforced
policies,
a
huge
thanks
to
Mr
Brent
Keller,
who
is
the
author
of
The
tooling,
that
we'll
look
at
in
a
moment.
We
have
the
open
security
controls
assessment
language
going
on
here.
This
is
a
collaborative
project
run
by
nist.
It
is
machine,
readable
representations
of
control,
catalogs
control,
based
lines,
system,
security
plans
and
assessment
plans
and
results.
A
So
there
are
three
documents
that
we
will
dig
into
here:
catalogs
are
collections
of
controls
maintained
by
an
organization
or
by
a
standards
body,
so
in
this
case
we'll
be
referencing
nist
853,
which
has
been
codified
into
our
scale.
Forests
at
173,
000
lines
of
yaml
profiles,
baselines
of
selected
controls
and
so
nist
has
high
medium
and
low
bass
lines
for
at
least
853.
But
we
can
also
create
profiles
for
specific
components
such
as
an
S3
profile
that
details
all
of
the
nist
1800
853
controls
applicable
to
S3.
A
Finally,
component
definitions
are
a
more
detailed
description
of
controls,
supported
in
a
given
implementation,
referencing
a
control
from
a
profile
so
to
build
Oscar
documents
for
S3.
We
were
lucky
enough
to
have
this
information
available
to
us.
The
AWS
config
rule
set
mapped
to
the
list,
853
rev,
5,
I'm
sure
he's
taking
the
Mickey
out
of
me.
A
Now
is
public
shown
in
the
top
left
table
here
from
this
we
distill
the
nist
IDS
into
oscow
profile
for
S3,
which
is
shown
on
the
right,
and
we
wrote
Governor
policy
equivalent
to
intent
and
spirits
of
the
AWS
config
rules,
Cal
component
document
for
Lula
to
Leverage
I'll.
Just
repeat
that
last
bit,
some
semi
butchered
it,
we
wrote
Governor
policy
for
Lula
into
Oscar,
so
the
documentation
here
shows
how
the
aforementioned
this
standard
control
IDs
from
the
S3
profile
are
addressed.
A
You
can
see
on
this
slide
references
to
the
S3
profile
documents,
the
nist
control
IDs
within
that
profile,
followed
by
a
description
of
the
control
and
a
caverno
policy
block.
This
block
is
an
amendment
to
the
Oscar
component
definition
leveraged
by
Lula
and
proposed
by
the
lular
team
and
for
context.
Oscow
is
still
a
format
under
development
designed
to
stimulate
discussion
and
an
ecosystem
of
tooling,
so
nist
are
collaborative
when
taking
suggestions
from
the
industry
around
modifications
to
Oscar
document
structures.
A
Lula
is
a
tool
by
the
right
honorable,
Mr,
Brandt,
Keller
and
team
at
defense,
unicorns
the
bridge
the
gap
between
the
expected
configuration
required
for
compliance
and
the
actual
reality
of
configuration.
It
takes
the
component
definition
as
shown
previously
and
leverages
the
caverno
CLI
to
run
generated
Governor
policies
against
the
cluster
or
static
manifests.
A
A
The
important
lines
we're
looking
for
are
lines
28
when
they
turn
up
again
yep
line
28,
where
we
reference
the
nist,
853
catalog,
and
then
from
line
30
downwards.
We
can
see
the
list
of
control
IDs
from
nists,
which
can
be
satisfied
with
the
correct
configuration
of
S3
and
the
rest
of
the
file
continues
like
so.
A
A
We
reference
the
S3
profile
shown
previously
and
then
the
implemented
requirements
for
that
profile
are
listed
below
each
requirement
has
its
own
uid
line.
34
the
control
of
these
references,
the
control
from
the
nist
profile,
which
is
line
35,
followed
by
a
description
field
where
we
place
the
name
corresponding
to
the
AWS
config
rule.
We
have
Rewritten
in
caverno
and
the
rules
block,
which
is
a
port
of
proveno
policy
used
by
Lula
in
the
component
definition
we
have
just
I
mean
just
have
implemented
One
requirement,
and
that
is
the
S3
version.
Life
cycle
policy,
enablement.
A
A
Yes,
it
is
absent,
so
without
policy
we
can
launch
this
into
the
cluster
and
have
a
vulnerable
bucket
in
our
estate.
That
is
not
what
we
want,
we're
proving
the
negative
case
in
order
to
lock
it
down
bad
news
for
the
cluster,
so
we'll
now
run
Lula
to
assess
compliance
against
requirements
in
the
component
definition
and
see
that
it
fails.
As
expected,
there
is
a
compliance
violation
which,
when
you
look
up
the
uid
and
the
component
definition,
is
the
lack
of
S3
version
life
cycle
policy.
A
A
A
We've
written
a
script
that
uses
the
uids
to
match
the
policy
to
match
the
policy
files
with
implemented
requirements
in
the
S3
component
definition
and
renamed
the
file
and
caverno
policy
name.
According
to
the
first
word
in
the
description
for
the
corresponding
implemented
requirements,
which
is
our
AWS
config
rule
online
37..
A
A
And
finally,
when
we
deploy
the
authorized
buckets,
it
is
permitted
to
the
cluster
because
it
is
compliant
with
all
of
our
policy,
magical,
fabulous
and
wonderful.
We
can
subsequently
validate
compliance
using
Lula
with
the
added
benefit
of
preventing
a
vulnerable
bucket
being
launched
in
the
first
place.
A
What
we're
looking
for
is
the
final
step
for
a
policy
to
be
generated
outside
by
something
slightly
better
tested.
Of
course,
we'd
like
to
understand
whether
that's
something
we
can
build
into
the
tool.
If
that
is
found
useful,
we
welcome
any
feedback
on
the
next
steps.
This
is
something
that
we
have
some
utility
with
from
clients.
A
We
need
to
build
them
into
security,
architectures
for
kubernetes
and
Beyond
any
of
our
Cloud
infrastructure
deployment
techniques.
They
enable
not
only
the
initial
case,
the
load
balancer
service,
but
can
also
be
used
more
widely
across
a
large
organization
to
enable
self-service
infrastructure
provisioned
by
infrastructure
controllers.
There
are
a
lot
of
developments
in
that
space
that
could
prove
exciting.
A
Sorry,
where
you
can
in
an
automated
way
tell
if
audio
infrastructure
and
kubernetes
applications
are
compliant
with
policy
standards,
while
simultaneously
enforcing
those
standards
from
a
single
source
of
Truth.
Thank
you
very
much
to
the
authors
of
this
talk.
I
hope
I
did
them
Justice
and
thank
you
for
your
attention.
A
C
It's
like
a
real
runtime
environment,
but
definitely
from
the
perspective
of
like
establishing
those
control
catalogs
those
are
available
for
a
variety
of
different
standards
and
then
from
there
you
know,
I
think
we've
seen
a
couple.
Different
entities
that
are
starting
to
dive
in
and
kind
of
own
PCI,
for
instance,
has
been
explored
pretty
pretty
recently,
as
well
as
other
kind
of
oscow
related
tooling,
such
as
compliance,
Trestle
kind
of
exploring
these
same
spaces.
C
C
Like
from
this
perspective,
I'd
say:
no:
maybe
there
are
tools
out
there.
Maybe
there
are
different
ways
of
accomplishing
this.
That
can
do
the
job,
and
maybe
the
answer
is
yes.
In
those
cases,
Lula
from
this
perspective
is
very
highly
focused
on
like
kind
of
a
inheritance
model
of
like
this
is
my
infrastructure,
or
this
is
my
application.
Here
are
the
controls
that
it
satisfies
or
that
you
can
inherit,
but
then,
from
that
perspective
right,
it's
very
focused
in
nature,
so
that
you
might
still
utilize,
like
a
GRC
tool.
C
Governance
risk
compliance
to
provide
you
with
that.
You
know
high
level
abstraction
of
Lula
might
be
the
the
runtime
component.
That's
looking
at
very
specific
composable
modules.
That's
then
you
know
producing
compliance
reports
and
then
exporting
those
out
to
a
GRC
tool
that
is
defining
relationships
defining
like
how
to
look
at
the
high
level
picture
of
all
of
your
environment,
or
you
know,
provide
filtering
into
different
aspects.
A
A
C
I'd
say
largely:
the
answer
is
no
right.
Now
it's
going
to
be
kind
of
based
upon.
How
are
you
crafting
the
inputs
that
you're
providing
to
like
a
tool
such
as
Lula
and
they're,
trying
to
develop
like
if
there
is
a
you
know,
duplication
across
those?
How
are
you
performing
that
and
another
thing
that
we
kind
of
want
to
look
at
here
in
the
very
short
term?
C
Is
you
know
having
this
evolve
from
not
only
CLI
driven,
but
also
like
something
that
is
maybe
more
event
driven
in
your
environment
that
can
be
able
to
perform
this
validation
at
a
kind
of
a
lower
layer
so
that
you
know,
if
only
this
one
piece
has
changed,
then
maybe
we
can
go
and
find
you
know
not
only
one
identify
where
there
are
duplicates,
but
then
it
with
that
be
able
to.
You
know,
prevent
the
need
to
rerun
validation
against
the
whole
environment
over
again
and
hey.
Only
this
application
in
this
namespace
has
changed.