Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2020 - Virtual / 4 Sep 2020
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2020 - Virtual / 4 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Cloud Native Policy Deep Dive - Zhipeng Huang, Huawei & Erica von Buelow, Red Hat

Description

Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Cloud Native Policy Deep Dive - Zhipeng Huang, Huawei & Erica von Buelow, Red Hat

In this session we will discuss many open source initiatives that the Policy WG have been discussing, including policy formal verification, Policy Violation CRD, Runtime Policy Interface and so forth

https://sched.co/ZeuS

A

Okay, welcome to the kubecon europe uh virtual summit. This is the policy working group deep dive session, um I'm from huawei and america.

B

Hi, I'm erica from red hat.

A

Okay, uh we're going to be talking about all the development uh happening in the policy working group in kubernetes, as well as at the sincere seek security level. Okay, we'll be just basically talking through all the interesting things.

A

Okay, uh this is who we are from the markdown files.

B

uh Join us regularly on wednesdays or every other wednesdays, around 4 p.m. We should update that yeah.

A

Eight a.m: pacific yeah.

B

In the morning.

B

Yes, that's why I missed it several times: it's good for east coast and europe, especially.

A

Yep so.

B

We're working to provide an overall architecture that describes current policy related implications and discussing everything else, future policy and policy architecture for kubernetes and how that extends into the cloud native ecosystem, yep.

A

We have been running for like two years, almost two years now.

B

Yep.

A

Yeah.

B

uh Yeah as long as, basically around the acquisition of korva.

A

Does something.

B

Couple acquisitions later we're still at it because turns out policy still matters.

A

Okay, I think yeah this lies about, um so I think we we've been seeing like trends uh like uh tidal waves, um so kubernetes uh like envoy uh no doubt is the first wave about the cognitive platform. uh Then we see the emphasis on prometheus jaeger. Open tracing people are starting to focusing on the observability, and now I think people are really uh turning attentions to policies and securities right.

A

We using oppa are making like uh big stages, uh cloud native uh top notary from the miu team, and we see falco and a couple other really interesting.

A

Projects yep, I think this is where uh me and robert getting into really interesting discussion on the slide.

B

And what is cloud native policy.

A

What is cloud is your policy. Well, this is, I think that the bully points are um like the things we hope uh the client policy could become. um So I think it goes beyond auditing and compliance by that I mean like, for we are seeing things for like resource management and uh probably many other interesting areas. So it's a all-encompassing.

A

A policy is an all-encompassing uh thing.

A

And I think robert makes a good point like it's via a a correct tooling. That policy could help automate like security and many other areas, but policy itself um rarely automates security, yeah and yeah policies are usually like logics. So it's definitely it's definitely different from config.

A

I've been having problems about like uh uh just having a yamo based config system. You call it a declarative system, it's not.

B

Not necessarily.

A

Yeah not necessarily so, but if you have a policy based system, it's it will be a really nice declarative system, meaning you could talk logic uh like human, readable logic to that system. Yeah. That's very declarative, okay, end to end abstraction yeah. We are not there yet, but hopefully we can have like uh the policy descriptions and policy driven mechanism on each layer.

A

um So we see oppa for the um the policy control on a pretty high level. um I think for.

B

A policy agent.

A

Yeah open policy agent, uh we have like psyllium um for a like policy toward ebpf. We have falco doing things for runtime policy, that's pretty low level right and hopefully, in the near future, we can have a multi-layer.

A

Policy mechanisms, then we have the anterior abstraction like every year at every layer. We have a way to talk to them, using logic, uh to talk to them and yeah bring libraries to a cloud right. It's it's it's human toxin logic, not config files. That's that's that's machine language, but yeah that that's just something I I thought.

B

Yeah it's a whereas config is you're about it's, not the policy can be configured and configuration can yeah they're related, but not the same yeah. I think that's interesting. That policy is the dynamic in some sense, or how do you take a set of principles and make decisions based on dynamic data in a.

A

Cluster.

B

Sorry, I forget, I'm the one pushing next whoops, okay,.

A

Yep, I I I think I incorporate a lot of robert's comments already here yeah, um so uh I think he he made a great point. uh Controls are needed um because human policies defines what controls and uh what implements that control.

A

Yeah. That's that's very nicely put and we have very domain specific policy implementations.

A

And hopefully, on the like the expression, evaluation, heuristic level, we can have something really generalized and uh also the architecture we can. We can have something really general.

A

Yeah, I think yeah quickly go over the yeah. This is how policy working will interact with other seeks.

A

Yeah.

B

Basically, all of them, but.

A

Yeah we are pulling the strings so.

A

Mustard.

B

Yeah some of the places, though, that it really interacts or when you're talking about the network, which is the first area people often think about configuring fire.

B

Cloud native's, even bigger than that.

A

Yeah.

B

Just is this walking on your screen: nope nope. ah There we go.

B

Anyway, okay.

A

Anyway, you got a picture.

B

Here we go.

A

Yeah, let's see.

B

Next,.

A

Next,.

B

Here we go.

A

I think we can also quickly go over the things we already already done.

B

Yeah, some of the areas that we've been exploring are on the very abstract side is some formal verification.

B

How do we go from a set of yaml files to knowing that it does what you want it to.

A

Do.

B

So we have some.

B

Example of it.

A

Yeah, I think this is robert's uh guardian proposal.

A

Yeah.

B

I think you see this a lot of how do you know that no one has access to a given resource when you have defined policies in terms of dynamic or labels or label selectors, for instance, in our back system.

A

Can.

B

You take some amount of okay. Well, we can actually go through and figure that out formally and make sure that what you intended and how you described your intent, work.

B

We have a pilot project called guardian. Please come and participate.

A

A lot of.

B

Math, all you mathy people out there.

A

Yeah.

B

Perfect place to come in.

B

I mean who doesn't love some math, maybe hey all right.

A

All right.

B

So go for it.

A

Yeah yeah, we we haven't done a lot uh in this year, but in the past the white paper yeah, the really interesting part is we did a lot of case studies uh in like interesting project and that the team came over to talk about what uh what they are using policy for and uh what they are hoping policy could could achieve.

B

Yeah we try to keep tabs on all the projects that are coming up and connect. People as needed to you know, make and find common patterns see what's catching on where, for instance, kubernetes is lacking or where there can be some collaboration.

B

We will get to some of the collaboration later.

A

Yep.

B

Also, we get to geek out and ask questions to all of the really cool projects. So if these are interesting, uh you can check on youtube and for the presentations.

A

Yep.

B

Lots of kubernetes oppa, so open policy agent, gatekeeper project for using open policy agent for kubernetes policy, admission controller.

B

Istio, of course, the cl uh surface mesh helium is also. Is it considered a service mesh at all.

A

As well, you know, I think sediment is like a level uh level.

B

uh Yeah.

A

Network networking policy.

B

The uh with the.

A

uh

B

Yeah, though, uh using bpf, we yeah.

A

Yeah they're funny yeah yeah, fun.

B

Area spoofy spire for service discovery and automation, tough notary in total toto and obtain about securing the supply chain.

B

Caverno.

B

That's another kubernetes policy, admission control, no cloud custodian, verifying your cloud configurations and like aws, for instance, with am policies.

B

K rails.

A

From cruz from the sales driving.

B

Startup and yeah, and then we dove in a little bit more to pod security policies and how they can be work with gate or how gatekeeper can implement pod security policies.

A

Yup.

B

Let's see.

A

We weren't looking.

B

Do you want to talk about okay,.

A

Yeah um yeah, so I I think jim especially gene has done a lot of work. uh Really great work and yeah kiberno is a. Can we see another policy engine in addition to oppa.

A

For kubernetes, oh.

B

But oprah as a whole system right that contains a a link policy, specific language to implement a database to store the policies. uh The you know, certain plugins, the agents to help you enforce the policy.

B

That's really powerful, but sometimes that's more than everyone wants for kubernetes one of the things. There are certain kind of cases that you would like to just define in some kubernetes resources have a standardized way and have that enforced within the cluster.

A

Yeah.

B

Running so that's where caverno comes coming in, where upon creating a namespace, what kind of certain resources automatically need to be created, for instance, uh role, bindings and other controls uh block those who shouldn't be able to do something and more specific validation or mutation control, markings resources automatically with certain labels, or you know, directing pods uh in their scheduling automatically based on the namespace or validating that only certain labels are used.

B

Those sorts of things.

A

Yep.

A

Cloud custodian, I think cloud consulting is another really interesting project.

A

They are mostly like working on the cloud level right. They.

B

Yeah they there is into clear boundary necessarily between, like your cluster, your workloads and the platform. The cloud or you know, resources it's running on so securing that all across a consistent way is important.

A

Yeah.

B

Multi-Cloud is a big thing these days, but that means how do you consistently?

B

You might use terraform to consistently provision your infrastructure, but now how do you ensure that you have your policies and access controls, for instance, for all of the different clouds done correctly.

A

Yep.

B

That is where cloud custodian comes in.

A

That's a nice pitch for the multi-cloud story,.

B

It's it's a big use case.

A

Oh yeah, yeah yeah definitely.

B

All right here we go.

A

Yeah, I I still remember they. uh They had a great presentation, I think they mentioned they. They actually use google groups for for their like um uh tendencies, uh system, which is really really interesting.

B

Thinking from their base from like the uh employee level, all the way down.

A

Yeah, I think.

B

That makes sense.

A

Yeah dimension, they are running a really big workload uh on kubernetes and, like each department, has to be isolated uh from each other for for whatever reason, and then they have the k rail developed to deal with their specific uh situations.

B

Hard security policies.

A

So, what's the latest I I haven't been able to catch up with that.

B

um I need to check the latest on that issue. uh What issue is it.

A

Like has psp entirely, like retired and other things going to gatekeeper.

B

No, that that is, in some sense, never 100 going to happen.

B

I will find.

B

The issue at some point.

A

Okay,.

B

Once.

B

Google docs can load.

B

I swear there.

B

Was.

B

Okay, that was a.

B

Bad.

B

Sorry.

A

No worse well, anyways seek off session. Possibly we will mention the progress on psp.

B

Esps are a necessary and used kubernetes built-in mechanism to ensure pods that don't have proper provisions are run in less privileged contexts. It has it languishes in beta right now.

B

One of the problems with dlc policy is: how do you safely turn on policy without breaking everyone?

B

How do you move forward? How do you, how do you change policies safely, especially when changing a policy can make it? So you can't change a policy if you do it wrong.

B

So one way, though, if you already are using oppa gatekeeper, is a great way to basically get the same functionality.

B

All right moving down the stack.

A

Okay,.

A

Rpi initiative has this like.

A

Came to any fruition.

B

Run there is the there are run time policy.

A

Yeah, I only remember we did we did. uh We did couple sessions with the falco team, but.

B

Yeah.

A

Lost track on how how how things, uh how things.

B

Went.

A

Yeah, but this is, uh I think this is one really interesting thing for policy to uh to happen on low level, a really low level.

B

Yeah part of the, but when we say runtime it's when you have, you know your containers or other workloads literally executing instructions. How do you.

A

Secure that yeah.

B

One way is to have agents on the node in various ways that are reading policies, checking for violations blocking violating actions.

A

I think they can even combine the rpi with with sitting, so you have policy checkings, run time for the pause and you can checking on the part networking something violated.

A

And you can you, can you can do all the things with ebpf.

A

Just writing some.

A

Ebpf programs check upon those just.

B

Following along with the evolution from monitoring to policy,.

B

It's the next natural place, all right.

A

All right.

B

And for all of these different things, quite often policy projects like this want to use the standardized kubernetes api to define policies.

B

So one thing we want to do is standardize what that looks like, so that tools can be more easily interchanged and that you know truly built on top of these can interact together. That brings us to our first policy project uh custom resource, the policy report, a project uh sure yeah.

B

Lots of different tools are helping us develop this and eat. You know alpha testing api or you know, engaged what's.

A

What's polaris.

B

Polaris.

A

Is it like a kubernetes project or heaven.

B

uh It is fair wind up, oh yeah, yeah, yeah, polaris um variety of checks to make sure kubernetes, pods and controllers are configured using best practices.

A

Oh cool.

B

Has a dashboard, a validating web hook and a command line tool.

A

Cool.

A

Obviously, a lot of a lot has happened in the policy field.

B

There's always a few projects yeah where then, all right.

A

ah We have a nice table.

B

And we should color this.

A

Cluster image image.

B

uh Where are you looking sorry.

A

Like the tv, the category is image, meaning for docker image.

B

Yeah.

A

uh Scanning yeah, maybe they're for the pre-image security.

B

Yeah, uh you know make sure that you know you're not running malicious containers, this one's from aqua security.

A

Oh cool.

B

So they gave a.

A

Presentation last week.

B

Yeah making a presentation it, you know, make sure that you're running only validated images vulnerabilities with it. It comes with a pretty nice dashboard interface as well. I think it's yeah, mostly uh not some a direct image as a scanner on to show it right now and I think there's some future plans.

B

I.

A

Think.

B

Yeah you just then.

B

Cube cute bench is another sort of conformance might be. I think it's a great category of.

B

Do you have your? Is your cluster set up the way you think it will be.

A

They're using policy for for, like benchmarking, the cluster.

B

I believe uh cube bench is like. Are you following best practices.

A

ah Okay,.

B

Yeah.

A

So they are scanning for, for things.

B

Yeah, do you have the.

B

So this also comes.

A

For like security, best practice like.

B

Cis uh benchmarks.

A

For instance, yeah yeah.

B

Yeah.

A

Okay got it.

B

Yeah yeah, so one of the ways, for instance, some of aqua security pro also has project called starboard. One of the things that they're reporting and running are cis cube programs benchmark tests, so that can also, hopefully soon uh be reported back in the standard format.

A

Oh, that's: pretty cool.

B

As you can see, we have more policy tools and engines and ways to do it than we can keep track of.

A

That we can't ever imagine.

B

What is our policy on policies.

B

Our interface, we have a couple few things the place. The policy report is meant to capture a higher level, not necessarily a my like, second by second uh report, that you know at a report at the level that makes sense for to be stored as a customer resource in kubernetes at cd want it to be flexible enough to show for what all these different tools and compliance needs.

B

Allow enough detail so that you know auditors and cluster admins can understand what has happened or what's going on and why?

B

But it still needs to be clear and standardized enough that standard kubernetes tools can manage it.

B

We have some examples within the um policy prototypes, github repo, I think uh caverno and the uh multi-cluster project from red hat, have some examples submitted of what the kind of policy reports that they would be creating with their tools.

A

Okay, we have scope, um summary results, hey. This is pretty nice.

B

Yeah, I think it's one of those things where it turns out having more input. You get better things and learn things you didn't know. Maybe I should go. uh We have the alpha sort of merged into that repo.

B

uh Any pull, requests or issues are welcome and we're working right now to get more tools directly, implementing it and testing it out, so that you know we can move to beta.

A

Eventually, all.

B

Right so.

A

All right, this is our like um our four deliverables. So far I fit into the big picture. I think so we have crds, we have form of education very interesting. We have the try to have a standard way to interact um and uh the rpi is for the data plane.

B

Cool yeah, okay, please join the conga and.

A

The.

B

Conversation that slide be deleted.

A

uh There's a backup site in case okay, people are interested in smt.

A

What the heck is formal.

B

Verification.

B

Got it all.

A

All right.

B

Please join join us or we'll look forward to seeing we're talking more about policy.

A

Yep, okay, I think that's it for our session. Let me stop.