►
From YouTube: Lightning Talk: The Successful Recipe to Secure Your Fleet of... - Mathieu Benoit & Poonam Lamba
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Lightning Talk: The Successful Recipe to Secure Your Fleet of Clusters: GitOps + Policies + Service Mesh - Mathieu Benoit & Poonam Lamba, Google
With GitOps you could deploy any Kubernetes resources: Apps, configs, policies, infra, etc. Is it your case? How do you ensure security and compliance across your multiple clusters? Let's see in action how you could bring more security and governance across the fleet of your clusters thanks to both Service Mesh and Policies, in a GitOps way. The demos will illustrate a series of Gatekeeper policies violations and fixes in order to secure your Service Mesh setup, your clusters and your workloads. And because shifting left security guardrails is important, we’ll also illustrate how you could catch such policy violations in your Continuous Integration (CI) system, before actually applying these resources in your Kubernetes clusters.
A
So
we
will
be
talking
about
a
successful
recipe
to
secure
your
Fleet
of
clusters
using
github's
policies
and
service
mesh.
All
this
in
10
minutes
so
we'll
cover
the
ingredients
of
our
recipe,
which
is
github's,
Opa
gatekeeper
is
still
will
bring
it
all
together
using
a
architecture
diagram,
and
we
will
do
a
demo.
A
And
yes,
our
slides
are
available
at
this
link.
So
if
you
download
the
PDF,
you
will
have
access
to
all
of
our
slides.
The
first
ingredient
of
our
recipe
is
githubs.
If
you
have
a
small,
you
know
a
few
clusters,
you
can
always
do
some
context.
Switching
you
can
connect
to
your
clusters.
You
can
do
a
cube.
Ctl
apply
to
apply
the
configs
policies,
deploy
your
application
and
that
works
well.
A
But,
as
you
start
having
a
large
number
of
clusters,
tens
or
hundreds
or
thousands
of
clusters,
that
approach
typically
falls
apart,
very
quickly
and
oftentimes.
If
you
have
a
large
Enterprise,
there
are
people
within
your
Enterprise
who
have
to
work
with
one
another,
such
as
a
security
admin,
a
platform,
admin
application
developers
and
operators,
because
security
is
everybody's
responsibility.
A
So
you
can
you
can
do
this
by
having
a
single
source
of
Truth
for
your
configs,
for
your
policies
and
for
your
app
manifests
and
typically
the
way
you
can
build
this
system
at
scale.
Is
you
can
you
can
have
you
can
build
CI,
CD
pipelines
from
your
git
and
use
a
use,
a
product
like
config,
sync
or
Argo
CD?
To
sync
those
configs
onto
your
clusters,
so
moving
on
and
we'll
we'll
show
you
how
all
of
these
different
personas
work
with
one
another
using
git
in
our
architecture
diagram.
A
The
second
ingredient
of
our
recipe
is
Opa.
Gatekeeper,
Opa
gatekeeper
enables
you
to
write
policy
as
code
and
provides
you
multiple
enforcement
points
for
your
policies,
so
starting
with
CI
CD,
you
know
you
can
shift
way
left
using
open,
GateKeeper
and
then
the
second
step
is
during
the
admission
time
you
can
check
if
the
incoming
resources
allowed
on
your
cluster
or
not
and
and
after
the
effect.
A
Moving
on
the
third
ingredient
of
our
recipe
is
istio.
We
won't
go
into
details
of
everything
that
istio
does,
but
for
this
talk,
istio
enables
the
service
to
service
communication
securely
at
scale,
and
it
also
helps
with
traffic
shaping
consistent
observability
for
your
services
and
applications,
and
it
is
a
layer.
7
Roxy
has
a
control,
plane
and
data
plane.
So
moving
on
you
know
now
we
talked
about
all
the
three
ingredients
for
our
recipe
and
I
will
hand
it
over
to
Matthew
to
bring
everything
together.
B
B
But
finally,
what
we
want
to
do
is
having
this
enforcement
of
policies
of
gatekeeper
policies
in
our
case,
at
different
level.
Right
one
example
could
be
locally
on
the
pre-commit
hook
with
the
apps
operator,
designing
and
coding
their
own
policies
and
actually
manifest
sorry,
but
evaluating
against
the
policies
designed
by
the
security
admin
right.
The
Second
Step
could
be
on
a
pull
request,
review
right
or
measure
request
if
you're
using
gitlab
another
step.
The
third
step
here,
like
prenup
Illustrated,
having
actually
Opa
gatekeeper
as
an
admission
controller
in
your
clusters,
right
different
level
of
enforcement.
B
So
actually,
let's,
let's
see
a
day
more
about
that
here.
What
we
want
to
show.
You
is
actually
a
repo
that
you
could
reuse
here
and
we
have
different
folders,
where
we
are
deploying,
for
example,
in
Grace
Gateway
right.
We
are
deploying
some
config
for
istio
to
have
some
security
best
practice
in
place.
We
have
application,
but
we
have
also
the
policies
here.
It's
in
one
repo.
It
could
be
multiple
repo
for
the
purpose
of
this
demo.
It's
one
manual
repo
for
all
of
that
right
policies.
B
I,
don't
know
if
you're
familiar
with
gatekeeper,
but
typically
I
have
some
constraints,
and
here
the
constraints
are
all
about
security,
best
practice
and
features
with
istio.
We
took
three
examples:
having
mtls
strict
across
the
mesh
right,
having
also
the
cycle
injection
for
any
namespace
in
this
mesh
and
not
having
anyone
bypassing
from
example,
on
a
pod
having
this
bypassing
annotation
to
opt
out
for
being
part
of
the
mesh.
B
Here
we
are
also
like
I
mentioned,
forcing
the
strict
mtls
for
the
mesh
and
avoiding,
if
you
are
familiar
with
istio
some
concept
where
people
and
apps
operator
could
bypass
actually
the
mesh
wide
configuration
and
that's
part
of
maybe
seven
or
eight
constraints.
Here
we
are
forcing
also
authorization
policies
to
have
fine,
granular
communication
and
policies
in
place
between
the
different
micro
services
within
my
mesh.
What
I
want
to
show
you
here
is
actually
as
an
apps
operator.
B
What
I
want
to
do
is
deploying
an
application
right.
So
if
you
see
it
quickly,
I
have
a
service
account
a
service,
a
deployment,
but
what
I'm
doing
also
is
trying
to
bypass
the
injection
of
my
pod.
My
deployment
right
I'm,
also
not
injecting
the
label
and
this
sidecar
proxy
injection
I'm,
also
disabling
the
mtls
strict.
So
what
I
want
to
show
you
here
is
I'm
not
doing
that
in
a
cluster,
but
look
at
the
pull
request
checks
here.
B
Actually
it
is
a
CI
is
complaining
here
right
and
that's
interesting
information
that
I
could
have
here
and
if
I
look,
for
example,
at
the
summary
of
this
information
here,
I
could
see
in
more
details
that
I'm
running
guitar
test
and
I'm
not
able
to
see
you
in
details
here
for
the
technical
issue
we
had
earlier.
But
here
I'm
running
Gator,
test
Gator
is
a
CLI
provided
by
the
gatekeeper
project.
B
Cncf
project
around
Opa
actually-
and
this
guitar
test
will
help
me
to
test
my
manifest
or
any
manifest
coming
in
in
this
pull
request
against
the
security
policies
and
gatekeeper
policies
of
my
company.
So
here
I
could
see
a
very
I
could
fail
fast
and
shifting
left
the
evaluation
of
such
constraint
right
so
I'm,
making
sure
that
the
apps
operator
are
not
at
all
bypassing
such
security,
best
practice
for
istio
and
I'm
not
waiting
to
have
that.
Actually
in
my
cluster
right.
B
B
Gator
got
a
successful
here,
validation
and
the
rest
of
the
demo
that
you
could
reproduce
with
the
GitHub
repo
is
about
hey
I'm,
a
platform,
admin
and
I.
Don't
want
to
get
to
merge
this
pull
request
to
deploy
this
application
from
the
apps
operator.
I
want
to
test
that
on
a
staging
cluster
pre-prod
cluster
right.
So,
for
example,
here
what
we
are
doing
is
actually
targeting
this
configuration
for
githubs,
config,
sync
and
targeting
not
anymore
the
main
branch.
But
we
are
targeting
this
feature.
Branch
I
want
to
test
it
and
deploy
it
synchronize.
B
This
application
manifest
with
the
staging
cluster
right.
So
here
what
I
could
do,
but
we
don't
have
time
for
that.
Merge
a
pull
request
and
seeing
the
deployment
on
the
cluster
testing
and
seeing
that
it's
injected
in
my
mesh
with
security,
best
practice
and
that's
the
end-to-end
flow
for
making
sure
that
any
deployment
is
actually
secure
and
following
the
best
practices
and
that's
that's
it.
For
the
demo.
A
A
If
you
use
Google
cloud
or
gke,
you
can
also
try
policy
controller
which
is
actually
based
on
top
of
a
gatekeeper
and
you
you
get
value
out
of
it
really
quickly
and
then
last,
but
not
not
the
least.
On
the
right
hand,
side,
you
see
some
additional
checks
like
if
Mutual
TLS
is
enabled
on
your
on
your
mesh
or
not
along
with
some
other
policies,
and
you
get
the
the
status
of
all
of
these
out
of
the
box.
A
Again,
there
is
a
link
to
the
demo.
There
is
another
talk
in
the
same
room
in
one
hour
where
Matthew
is
gonna,
go
a
little
bit
more
deeper
into
building
and
deploying
the
oci
artifacts
with
home
charts.
The
github's
way
and
I
will
be
available
on
the
Google
booth
p25
on
Thursday,
and
if
you
have
any
questions
about
policy,
you
know
come
find
me.
Kubernetes
governance,
security,
compliance.