►
From YouTube: Enforcing Automatic mTLS With Linkerd and OPA Gatekeeper - Ivan Sim, Buoyant & Rita Zhang, Microsoft
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Enforcing Automatic mTLS With Linkerd and OPA Gatekeeper - Ivan Sim, Buoyant & Rita Zhang, Microsoft
Whether you are operating a 5-node or a 500-node Kubernetes clusters, ensuring the integrity and security of the traffic among your workloads is something that should be taken seriously. As your team grows, it is important to automate the application and management of different mTLS policies. In this talk, Ivan and Rita will share with you how Linkerd and Gatekeeper work together to automate and enforce mTLS policy in production. They will show you how easy it is to encrypt all east-west traffic using Linkerd’s zero config automatic mTLS feature. Then, you will see how Gatekeeper is used to define, enforce and audit every workload entering your cluster to ensure configuration is valid and conformant to policy.
https://sched.co/UaY7
A
Thanks
for
coming
everybody,
so
this
talk
is
about
enforcing
em
TLS,
using
linker,
D
and
OPA
gatekeeper,
just
by
way
of
it
giving
us
a
chance
to
get
to
know
you
folks
better.
How
many
of
us
are
currently
using
link
to
D
by
show
of
hands
a
number
of
you.
How
many
of
you
are
currently
currently
using
open
gate
keeper?
A
Okay,
great
cool,
you
folks,
are
in
the
right
place.
So
here's
the
outline
for
the
top
we're
gonna
start
off
by
presenting
a
very
high-level
description
of
the
problem
and
solution
that
the
rest
of
the
talk
is
going
to
focus
on,
and
then
we
are
going
to
break
the
ice
a
bit
by
introducing
ourselves
then
from
there.
We're
gonna
spend
a
very
short
amount
of
time.
A
So
all
of
us
come
to
cube
Con,
because
there
is
a
set
of
problems
that
we
really
want
to
solve.
I
assume.
The
reason
you
are
here
this
afternoon
is
because
one
of
the
problems
you
need
to
tackle,
we
walk
around
securing
it's
west
traffic
within
your
kubernetes
clusters,
with
encryptions
and
identity
based
authentication.
A
B
A
The
stage
with
me
this
afternoon
is
Rita
Jiang
she's,
a
software
engineer
from
Microsoft
and
she's
a
maintainer
of
the
open
gate,
keeper
project.
So
what
is
M
TLS
mutual
TLS
not
to
be
confused
with
multiplex
cos?
The
put
it
simply
is
that
process
where
two
entities
try
to
confirm
each
other's
identity
using
TLS
some
certificates.
A
But
to
again,
to
put
it
simply,
M
TLS
introduces
a
number
of
additional
steps
into
the
well-known
TLS
handshake
process,
a
protocol
rather
whereby
the
server
after
issuing
us
and
responding
with
a
server
hallow
request
and
the
server
certificate.
It
also
issue
a
request
to
the
client
and
said:
hey
wait
a
minute
before
we
continue
show
me
your
client
certificate
and
after
both
parties
receive
each
other's
certificates,
they
will
attempt
to
verify
and
confirm
each
other's
identity
by
checking
the
digital
signatures
within
the
cert.
Are
you
who
you
claim
you
are.
A
A
Where
did
they
come
from
who
created
them
and
when
they
were
created?
What
sort
of
configurations
went
into
the
tools?
Can
you
trust
the
tools
if
the
assets
are
stored
in
the
vaults
who
have
access
to
those
walls
and
when
the
CS,
the
certificate
signing
request,
was
first
issue?
What
sort
of
settings
went
in
there?
A
The
other
challenge
that
I
had
personally
experienced
is
getting
everyone
on
board.
Saying
yeah,
you
have
service
air
trying
to
talk
to
service
B
via
TLS.
Can
you
can
we
ensure
that
they
both
got
at
the
same
time?
If
service
is
TLS
and
the
other
one
doesn't
there
needs
to
be
some
sort
of
stopgap
solution
in
between,
but
for
how
long?
For
how
many
releases
and
for
those
of
us
who
manage
and
implement
our
own
account
certificate
authority
solution,
I'm
sure
we
can
appreciate
that
amount
of
time
and
effort
goes
into
maintaining
these
components.
A
A
So
why
use
linka
d4m
TOS?
Why
trust
Lincoln
D
well
for
one
I'm,
biased,
but
I
do
think
it
is
secure.
Just
couple
of
months
ago,
like
yeah,
we
link
here
the
pass
time.
Penetration
test
and
security
audit
code
audit
conducted
by
a
third-party
company
secure
security
company
sponsored
by
the
Linux
Foundation,
is
the
SEF,
and
the
team
is
proud
to
share
that.
A
We
passed
the
test
with
flying
colors
and
you
can
read
about
all
the
details
of
the
audit
in
that
link
there
and,
in
addition,
lickity
also
provides
a
simple
and
consistent
way
to
row.
Our
MPLS
a
workload
is
either
in
the
mash
or
not
in
the
mash
and
there's
only
one
way
to
top
in
and
there's
only
one
way
to
opt-out,
an
MTS
is
enabled
by
default
with
zero
config.
A
So
no
yeah
Mo's
and
you
guys
may
have
fun
note
notice
that
done
this
morning
during
the
keynotes
in
the
next
couple
releases,
we
are
going
to
make
an
TRS
and
mandatory
thing.
Then
you
will
work
by
default
and
it
will
continue
to
work
by
default
and
you
will
continue
to
work
seamlessly
for
all
your
workloads
link.
A
So
what
is
link
adiy?
It
is
an
open
source
service,
mash
prod
solution
for
kubernetes.
It
is
a
CN
CF
project
and
it
offers
an
array
of
really
cool
feature
for
the
purpose
of
this
talk.
We
are
just
going
to
focus
on
the
automatic
mpls
part,
so
we're
gonna
switch
over
to
a
demo
time.
You
mean
the
first
part
of
the
demo
we
are
going
to
need
to
deploy.
Two
namespaces
on
the
left
is
the
link
of
the
control
plane
namespace,
with
all
the
link
in
the
control
plane
parts
in
there
and
to
the
right.
B
Next,
we're
gonna
actually
install
a
Cardian
in
the
cluster
for
the
very
first
time
and,
as
you
can
see,
linked
ID
has
a
really
nice
install
CLI
and
one
command,
and
you
get
everything
out
of
the
box.
Just
really
nice.
So
here
we're
gonna,
run
the
control
playing
status
command.
Just
to
check
the
status
of
all
the
link
ad
components
make
sure
they
all
come
up
successfully.
A
It's
the
terminal,
if
I
am,
is
that
I
think
it's
a
bug
in
the
game,
the
care
console
if
I
like
and
launch
this,
if
I
change
the
font
size
that
I
keep
repeating
my
counter
the
standard
output
here
but
I
assure
you.
This
is
waiting
for
the
Prometheus
and
container
to
come
up.
So
what
this
has
happening,
I
can
show
you
guys
what
that.
A
That
emoji
application
looks
like
I
think
we
so
again,
nothing
surprising
there.
It's
just
an
application
that
with
web
front
and
to
backends
that
allows
us
to
vote
for
our
favorite
emojis
and
one
of
the
donor.
Emoji
is
intentionally
broken
just
to
generate
like
I'm
some
faults
and
errors
in
there.
Alright.
B
Let's
come
back,
okay,
the
control
point
components
are
all
up
and
running
next
we're
gonna
use
case
nib,
which
is
a
cube
CTL
plugin
that
allows
us
to
use
TCP,
dump
and
wire
shards
to
actually
look
at
the
traffic
from
our
pot,
and
we
can
actually
sniff
the
traffic
that
allows
us
to
actually
see
the
payload
and,
if
I'm,
a
bad
guy.
I
should
be
able
to
see
all
this
stuff
in
clear
text.
Right,
mm-hmm,.
A
B
A
B
Okay,
so
next
we're
gonna
run,
link
ID
and
direct
to
see
if
we
can
actually
inject
a
link
or
a
proxy
into
our
application,
and
this
should
actually
automatically
enable
em
TLS
for
our
service
of
our
components
and,
as
you
can
see,
length
of
the
inject
actually
injects
a
psych
psych,
our
proxy
container,
into
that
each
component,
and
as
this
is
updating,
we
see
that
it
now
has
two
containers,
as
opposed
to
the
previous
installation.
Has
one,
and
so
now
you
see
the
proxy
sidecar
has
been
added.
A
A
A
Question:
it's
Oh
magic
nah,
it's
really
simple!
Actually,
so
what
happened
when
we
run
the
linker,
the
injection
so
reading?
We
reading
this
diagram
from
left
to
right.
So
when
we
we
run
like
him,
the
linker,
the
inject
command
on
like
a
yam
or
workload
nginx
or
my
sequel
or
whatever,
is
in
the
CLI,
simply
no
taste
on
the
yamo
with
a
special
annotation,
and
that
is
enough
to
tell
the
api
server
to
call
into
the
omission
web
hook.
So
what
so?
A
With
the
mutated
yamo,
we
pipe
it
into
cube
how
to
apply,
which
sends
the
object
to
the
api
server
in
the
api
server
takes
the
kubernetes
object.
I
mean
yeah
the
object
through
what
we
call
the
emission
phase
and
during
the
mutating
phase,
the
api
server
actually
calls
out
to
the
linker.
The
proxy
injector
deployment,
which
is
an
emission
web
hook,
and
the
proxy
injector,
take
the
object
mutated
by
inserting
an
additional
citecar,
which
is
the
link
of
the
proxy
sidecar
into
the
object
and
return.
A
So
what
happened
after
a
service
or
an
application
is
injected
with
the
link
of
the
proxy
again
reading
this
diagram
from
left
to
right
as
part
of
the
proxy
startup
process,
it
will
issue
a
certificate,
signing
request
and
send
it
to
the
identity
service,
which
is
the
internal
certificate
authority
component
of
the
control
plane.
So
the
proxy
actually
embeds
is
identity
into
that
signing
request,
and
they
also
said
along
the
service,
account
token
to
the
identity
service.
So,
essentially
we
take.
A
I
want
to
stress
that
also
like
the
private
key
that
was
used
to
sign
the
CSR,
its
historian
memory
and
he
lives
and
dives
the
proxy.
So
he
never
leaves
account
that
the
container
or
the
pod
now
so.
How
does
the
proxy
knows
about
his
identity?
I
mentioned
earlier
that
we
bind
the
proxies
identity
with
this
kubernetes
service
account
that
a
part
of
the
users?
So
there
are
a
number
of
environment
variables
which
we
defined
as
part
of
the
proxy
containers
back.
So
this
will
tell
the
aprox.
Is
your
identity?
A
Local
name
is
that
second
environment
variable
there
and
then
this
is
where
you
can
find
a
service
account
token
file.
This
is
the
trust
route
that
you
can
use
for
future
communication,
and
this
is
the
endpoint
of
the
identity
service,
so
just
very
straightforward,
and
it's
something
that
you
can
just
look
at
and
debug.
A
The
endpoints
and
all
the
IP
addresses
and
we
receive
that
information.
And
then
you
package
it
up
into
something
that
we
call
service
profile
and
then
send
it
back
to
the
fou-fou
proxy,
and
now
the
food
processor
will
know.
Okay,
the
the
bar
proxy
is
at
10.0
tens.
One
two
and
you
also
have
some
extra
information
about
it.
Can
the
bar
proxy
participate
in
TLS?
For
example,
can
it
do
retries?
We
can
like
start
doing
like
NGO
RPC
load,
balancing
there,
that
sort
of
things
so
from
there
like
that
here
are
some
handshake.
A
We
just
start
so
if
I
were
to
switch
back
over
to
my
mini
cubed,
constant
right
now
and
I
type
in
cube,
color
apply
or
keep
I'll
run.
You
will
see
that
I
can't
deploy
any
and
every
sort
of
workload
to
my
cluster
again,
probably
what
we
don't
want
for
our
production
environment
right
so
currently
like
I'm
in
Lincoln
D.
B
All
right,
so
how
many
of
you
have
heard
about
open
this
morning?
How
evasive
it
is
right,
so
we
are
taking
this
opportunity
to
talk
about
gatekeeper,
which
is
basically
the
customizable
kubernetes
admission
webhook
that
allows
you
that
helps
you
enforce
policies
in
your
organization
and
also
strengthen
governance
of
all
the
clusters
that
you
have
to
manage.
So
again,
it's
based
on
an
OPA,
and
it
is
something
that
is
creative,
so
that
you,
the
administrator,
can
can
create
and
define
your
policies
via
configurations,
not
code.
B
And
let's
talk
about
some
of
the
motivations
behind
the
project,
so
I
know
a
lot
of
companies
probably
have
a
lot
of
policies
that
they
have
in
in
place,
and
a
lot
of
Menace
traders
really
want
a
way
to
control
what
the
end
users
can
actually
do
on
the
cluster.
So
this
really
helps
with
that,
and
wouldn't
it
be
nice
to
also
have
a
solution
that
helps
you
ensure
your
clusters
are
always
in
compliance
to
your
company
policies
and
in
any
given
time.
B
Wouldn't
it
be
nice
if
there's
a
solution
that
actually
allows
you
to
see.
Hey
looks
like
these
resources
have
issues
and
they're
out
of
compliance
and
here's
how
I
can
read
mediate,
those
those
issues
and,
last
but
not
least,
when
it
also
be
nice
to
preview
the
new
policies
that
you
have
created
in
the
company
into
a
lot
of
these
production
clusters.
Now
a
lot
of
us
actually
create
policies
or
they're.
New
policy
requests
like
that
are
creative
for
existing
clusters.
That's
been
running
for
for
a
long
time.
B
So
that's
basically
the
background
behind
why
the
gatekeeper
project
was
created,
we're
currently
at
the
three
in
the
project
and,
as
you
can
see,
this
is
a
diagram
of
what
the
project,
what
the
components
look
like
and
again
at
the
heart
of
gatekeeper,
is
OPA,
which
is
the
policy
agent
that
actually
executes
all
the
actual
Rago
rules
that
you
create
now
today.
It
is
mostly
for
validating
a
mission
and
it
has
been
implemented
to
run
in
yours.
B
It
can
be
used
for
your
CI
CD
pipelines
and
the
policies
are
actually
written
as
CRTs
now
so
what
happens
is
you
can
then
define
and
create
your
policies
by
writing
the
regul
as
templates,
and
you
can
think
of
them
as
functions
for
your
other
policies
that
you
are
actually
going
to
create
instances
for
and
when
you
create
a
policy
instance.
That's
when
you
actually
pass
in
the
parameters
for
these
rules.
B
Okay,
what
are
the
resources
that
are
out
of
compliance
and
what
are
the
resources
that
are
not
meeting
this
particular
policy
and
also
we've
introduced
the
dry-run
concept
in
the
most
recent
release,
which
really
enables
gradual
rollout
to
build
confidence
in
the
policies
that
you're
rolling
out
for
everybody
else
and
last
but
not
least,
I
want
to
thank
Microsoft,
Google,
Red,
Hat,
CBA
thyra
for
creating
this
project
and
replicas
for
donating.
The
gatekeeper
named.
A
Cool,
so
right
now
we
are
gonna
continue
with
the
second
part
of
our
demo
and
we're
gonna
run.
I
can
continue
that
demo
script
on
the
same
Mini
Cooper
cluster.
By
the
way,
it's
not
pre-recorded.
You
know
it
is
a
real
like
a
mini
Q
cluster
and
I
have
a
used
mini
cube
just
so
that
can
I
can
get
a
sniff
to
run.
Otherwise,
if
I
use
kind
like
container
based
communities
and
case
it
won't
run
anyways
tangent.
So
we
are
in
the
part
of
the
demo.
A
We
are
going
to
install
gatekeeper
and
then
we're
gonna
install
that
insecure
emoji
application
again
this
time
around
into
a
different
name
space,
and
then
we
will
see
how
like
am
gatekeeper,
is
able
to
detect
there.
There
is
some
insecure,
like
a
workload
within
my
clusters,
because
it
violated
some
of
the
empty
our
requirements.
It
will
raise
like
some
audit
events
and
then
we
will
see
how
we
can
resolve
it
by
again,
injecting
the
dosung
workload
with
the
link
to
the
proxy
and
enable
em
TLS
gonna
switch
over
to
my
terminal.
B
B
Alright,
so
here
what
we're
gonna
do
is
admit
some
of
the
namespaces
from
our
policies.
Just
because
you
know
we
know
like
queue
system
and
gatekeepers
are
not
the
namespaces
that
we
care
about
to
for
our
for
this
particular
policy
and
the
way
we
do
that
is
by
adding
this
namespace
label
that
we
already
know
so
once
this
is
done.
C
B
Are
going
to
install
the
MT
LS
constrain
template
so,
as
I
mentioned
earlier,
the
constrain
templates
are
really
where
the
Rago
objects
live.
So
now
the
constrain
templates
are
deployed,
and
next
we're
going
to.
Let's
take
a
look
at
what
that
Rago
looks
like
right.
We
talked
about
it
so
much
here,
let's
see
all
right.
So,
let's
see
so
here
we
have
a
CR
D
and
it
is.
B
It
actually
defines
what
the
policy
c
rd
looks
like
so
here,
as
you
can
see,
there's
the
spec
for
the
CR
D
for
this
kind
name,
link,
Rd
mutual
TLS
right.
It
could
be
whatever
you
want,
and
so
with
this,
what
this
kind,
every
other
policy
instance
that
you
create
thereafter
will
be
based
on
this
type
right,
and
so,
as
you
can
also
see
down
below,
is
where
we
have
the
actual
Rago
the
logic
for
how
we're
defining
what
the
policy
is.
B
Gonna,
look
like
what
resources
gonna
actually
process
and,
as
you
can
see,
we
have
bunch
of
spec
validations,
right
and-
and
here's
how
we
know
like
hey,
looks
like
this
container
doesn't
actually
have
the
link
or
D
proxy
enabled.
There's
no
proxy
sidecar
running
for
the
there's,
no
link
or
D
proxy
sidecar
running
next
to
my
application,
and
it
looks
like
there's
no
annotation
that
is
required
to
ensure
that
link
or
the
linker.
B
These
automatic
em
TLS
has
turned
on,
and
next
there's
a
bunch
of
environment
variables
that
we
know
that
is
required
for
mutual
tell
us
to
actually
be
enabled
and
working.
And
therefore
these
are
the
things
that's
in
the
spec
that
we're
looking
for
and
it's
missing
and
if
any
one
of
these
requirements
is
missing.
That's
one
as
you.
If
you
look
at
the
top,
that's
one
we
we
say:
okay,
looks
like
this:
there's
a
violation
and
then
go
ahead
and
display
this
error
message
to
your
users
so
that
they
know
hey.
B
B
B
C
B
Here,
as
you
can
see,
the
last
audit
ran
at
this
time,
which
is
like
30
seconds
ago
and
then
here
all
the
violations
in
the
cluster
are
now
identified
and,
as
you
can
see,
the
these
are.
These
were
the
components
in
the
Emoji
grain
application
and
they've
been
flagged
as
hey.
It
looks
like
you,
don't
have
MPLS
turn
on,
so
how
do
we
actually
now
that
I
know
these
are
the
issues?
What
do
I,
how
do
I
actually
get
myself
out
of
this?
Well,
we
can
inject.
B
B
All
right-
and
so
here
are
just
some
examples
of
things
that
we
thought
that
would
be
cool
features
for
for
your
applications.
You
know
in
terms
of
securing
your
services
that
we
didn't
quite
have
time
for
this
demo,
so,
for
example,
ensuring
that
you
have
policies
that
that
actually
checks-
hey
all
your
applications
are
actually
actually
HTTPS.
Only
making
sure
that,
in
all
your
ingresses
have
unique
host
names,
services
should
have
globally
unique
selectors
and
yeah.
A
So
some
additional
rules
that
we
can
implement
using
Rago
is
to
make
sure
that
can
that
admission
request
we
talked
about,
like
campus,
has
some
sort
of
user
ID
being
defined
in
them?
So
you
make
sure
the
workload
is
actually
submitted
by
someone
running
Cairo
apply
with
that
appropriate
the
authentication
and
at
number
five
you
know
some
of
you
may
have
noticed.
We
actually
run.
A
We
deployed
insecure,
green
emoji
application
plus,
then
we
install
open
gate
keeper,
and
we
did
that
on
purpose,
because
we
want
to
be
able
to
show
off
that
there
audit
violation
events,
but
in
like
a
real
production
environment.
You'll
probably
do
it
the
other
way
around,
where
you
will
install
gate
keeper
first
and
then
you
just
reject
outright
anything
that
is
not
MPLS
compliant.
Finally,
like
I'm
linked
to
this
store,
like
really
rich
on
information
about
the
traffic
and
the
matrixes
in
Prometheus,
and
that
include
like
and
whether
the
traffic
is
TOS
or
not.
A
So
if
any
story
in
prometheus
guess
what
I
can
like
hook,
it
up
to
alert
manager-
and
you
said
to
notify
me
based
on
the
matrix
in
Prometheus,
that
hey
I,
we
just
detected
some
ninety
hours
traffic
coming
from
this
particular
source,
so
yeah,
very
cool
and
hands-on
stuff
that
we
can
all
try.
But
just
don't
have
time
for
it
today.
A
B
Now,
for
OPA
there
are
various
ways
of
reaching
out
there
slack
with
us,
so
the
open
policy
agent
has
its
own
slack,
there's
also
kubernetes
policy
channel
in
there
we're
always
hanging
out
there.
So
if
you
have
questions
feel
free
to
ask
and
of
course,
open
issues
and
we're
always
looking
for
feedback
to
make
this
thing
better
and
we
have
a
weekly
Tuesday
at
2
p.m.
call.
If
anybody
wants
to
join
well.
D
F
A
Currently,
like
for
external
resources,
I
can
toss
our
because
it's
outside
of
the
mash,
so
Lincoln
D
is
at
the
moment
as
an
look
after
securing
those
those
traffic.
So
you'd
be
up
to
your
application
to
because,
like
also
like,
if
it
is
using
like
a
different
kind
of
cert
empty,
the
Lincoln
a
proxy
will
be
able
to
see
it
right.
Cuz,
it's
all
encrypted,
unless
it
man
in
the
middle
of
your
traffic,
which
is
not
good.
B
Know
the
policy
stays
the
same
well
as
long
as
like
the
policy
author.
As
long
as
that
gets
updated
per
the
policy,
you
want
to
apply
or
reinforce
the
policy
just
enforces
at
a
mission
time
which
we
didn't
get
to
Stroh,
but
essentially
once
you're
out
of
the
big
8
or
whatever,
then
the
audit
results
won't
catch
it.
So
if
you
had
like
a
way
to
raise
alerts,
it
won't
even
come
up.
C
A
So
that's
that's
a
good
question.
I
can
I
think
we're
so
right
now,
like
link
at
the
out-of-the-box,
doesn't
support
like
endpoint
authorization
so
usually
like
when
users
bring
that
out,
we
would
ask
them
with
network
policies
with
labels
and
selectors
and
IP
addresses
help
with
it.
But
if
they
want
something
more
fine-grain,
they
can
I
think
eventually
it
will
require
some
sort
of
policy
enforcement
and
a
partnership
of
some
sort
between
Minka
T
and
also.