Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
VMware / Contour Community Meetings / 11 Aug 2020
VMware / Contour Community Meetings / 11 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Contour Community Meeting - August 11, 2020

Description

August 11, 2020
News
What have we been working on?
[stevek] exploring Gatekeeper as a validating admission controller
Discussion
Next week

A

Hello, everyone and uh welcome to the contour community meeting today is august 11 20 20.. We have uh just a few things that we want to go through today. So let me share my screen and let's go over them.

A

So steve. You have a topic here.

B

Yeah, um so I think I think two weeks ago, in the community meeting, I was I mentioned that I was working on adding some controls for uh enabling a kind of a contour administrator to set a min and max for some of the different timeout settings that we were adding and the thinking there was that you know a a central contour admin might want to limit, uh say the max timeout range that a user could put on a proxy so that they couldn't just set infinite timeouts for all the different settings.

B

And originally we were thinking about just adding these as uh as new fields into the contour config file. um But we we discussed it some more and and thought that that might not be a the best approach to it for a number of different reasons and also got some feedback from from some users.

B

And so, as coming out of that, I started looking into some other options, particularly around using admission control and james peach recommended looking at gatekeeper, which is related to the opa project, open policy agent project and basically gives you a validating admission controller where you can define opa policies to enforce uh kind of whatever policy you want. um So anyway long story short I've been spending the last a couple of days starting to look into this.

B

I I don't have any experience with it, so part of it is me just getting up to speed on it um and also starting to play around the sea.

B

If this is something that we could sort of integrate with contour and think about what sorts of policies we would want to actually put into gatekeeper, you know early impressions are that I I do think it definitely could be useful. um You know it's. I can definitely see how uh some of the things that we would want when force could be pretty easily expressed uh as policies uh and from my playing around with it. It's you know it's relatively simple to get going, especially if someone else is kind of writing.

B

The the policies or the constraints for you and all you really have to do is apply them with your specific parameters you want um so, but I don't know if we want to make it a kind of a required part of the contour stack.

B

I'm thinking we, you know we might want to position it more as sort of an optional thing where, if users are interested in using it, they can, but if, for whatever reason they don't want to deploy it into their cluster, um contour still works. Fine and and still has some validation for uh for things that aren't exposed through gatekeeper.

A

I think we do have a lot of people using oppa or opa um already, so I'm wondering if we could so this is kind of separate from that project, but still utilizing the policies. Is that correct.

B

Yeah, so it uses opa kind of as the as the engine, so gatekeeper specifically refers to deploying it as a kubernetes validating and mission controller. So it's it's kind of just deploying it in a particular context and there's a kind of a crd model that enables you to define your your policies and your validations.

B

So I think for for anyone who's already using opa, it's a pretty uh a pretty natural extension and odds are, if they're, using it in kubernetes. You know they may already have gatekeeper deployed anyway.

A

So for this, I'm just thinking of a deployment scenario for this, you would first deploy gatekeeper, uh apply the correct policies and then deploy contour right, because otherwise you you wouldn't be able to call on gatekeeper and the policies when you, when you start up contour.

B

Right I mean you, you could deploy it after. You already have a running contour instance, um and what will happen is any new. Any new proxies that are configured will will essentially get run through your gatekeeper policies um and then gatekeeper also has an audit functionality. So it will periodically look at all the existing resources in the cluster that match your your policies and and tell you whether they sort of pass or fail according to the policies, but they won't gatekeeper, won't kick them out of the cluster or make them invalid in any way.

B

It'll just it'll.

C

Let you.

B

Know, hey you're you're out of uh you know, you're violating the policy.

A

Okay, yeah, okay yeah. That makes uh makes it a little easier than to because then you don't need to have a complete green field. Deployment of contour.

B

Right that makes it easier, and that was that was definitely one of the major concerns that was raised. Around kind of embedding. This kind of policy information directly into contour is that it made it more difficult to to start adding policy without having all you know, potentially having existing proxies, get broken by rolling out a new policy if they, if they violated it and gatekeeper, makes that pretty pretty easy.

A

So what what's the uh the main reason for not going with a configuration file? Is it because you can set certain certain settings wrong or what what's the main reason.

B

um I mean if we, you know, if we just expose some things through a config file, I think we would end up having to build a fair amount of the functionality that something like gatekeeper already exposes into contour directly. um I think we would you know we would want something similar to that audit functionality where we could flag things without marking them invalid.

B

um The other, I guess the other issue is that you know. If we're adding things directly to a config file, then every new policy check that we want to add needs to be programmed in the contour. Whereas, with with gatekeeper and opa, um you know end users can can write whatever additional policies they want.

B

um I think we'd probably have a recommended set from contour that we would you know we would suggest that you install, but it would be completely extensible for users to add their own without having to submit pull requests to contour and wait for releases and that kind of thing so a lot more flexibility.

A

Yeah, that would make it a lot easier for for people, as you say, than to do their own custom valid settings so to speak, yep cool um so for for people on the call, are you using opa, oppa or gatekeeper right now.

C

No, yes, we are.

A

Okay, cool, so um would this be useful.

C

So I joined a couple of minutes late, but it sounds like you're looking to integrate gatekeeper with contour.

A

Yeah exactly.

C

Yeah well so, yes, I think I think this could be useful, but I guess my question is: um is this different from the external authorization design that you did because in theory the external auth capability, you're building, can talk to oprah over grpc right? This would be a different integration.

B

uh I think this would be different, so I think you know this would we would use gatekeepers as an admission controller for new http proxies and basically use it for validating um that? The proxy configuration is, you know, meets your policy, and so it could be a mix of validating things like every proxy has a unique fqdn.

B

It could be enforcing uh minimum and maximum values for some of the settings uh for some timeout settings, uh et cetera. So.

C

So yeah, I think this would be useful as there's a couple of specific use cases for us. One is, we think we want to disable people being able to sit set infinite, for example, on timeouts and the way that the way that contour implements that with the word infinite is has always bugged me. It's like this seems like the only project that, instead of treating zero dot s as infinite treats zero dot, s is nothing and the word infinite is infinite. But anyway, aside from that, um we think.

A

We wanted to say your infinite.

C

Emoji instead.

C

The the but we're interested in like blocking stuff like infinite we're, actually thinking about writing an open policy for that already and then the other one too um is, and we were thinking, maybe the external authorization provider here is we want to prevent what we're sort of calling crosstalk. So we've got two sets of contours. One is like for pci workloads. We want to basically look at the the source, ip of of the request to say that only these contours can this contour can only accept traffic from this sort of source ip type stuff.

C

So we we've got a couple. Use cases where we think oprah and external author and or gatekeeper would be useful.

B

Cool.

C

And we're just we're moving everything from when I say everything: we've got a ton of oprah right now, but we're migrating that stuff across the gatekeeper for all the you know. The benefits that gatekeeper brings.

A

Oh you're, moving from oppa to gatekeeper.

C

Yeah we've got a bunch of open right now.

A

But.

C

We're migrating a lot of that stuff out of sort of mutating web hooks into more of a gatekeeper service. So it's the same rules we're just migrating how we run them, I'm not super close to it. We've got a guy in our team, that's doing a lot of that work, but we we're basically suffering from sort of opus sprawl right now, and so there are some benefits that I can't articulate super well, there's some benefits around using gatekeeper versus just raw roper.

C

uh From my, I believe, a management point of view and these sort of things.

B

Yeah, I mean the the nice thing and you know I've only been playing with gatekeeper for a couple of days, but kind of all of your constraints and your constraint, templates and constraints are exposed as as custom resource definitions within your cluster. So you can sort of access them in a very kubernetes native way, which is probably helpful for management.

C

Actually, you know one of the things I'm just recalling back on our internal meetings, one of the things that I think that we get away from is having to write, uh write, sort of small um validating workbook code and go so. We've sort of we've been doing these little snippets of of go code and we want to get out of that game too.

C

Just you know not having and we don't need those when we go to a gatekeeper apparently, so we get out of the business of writing that code and then having to maintain the code in terms of go versions and depths and all that sort of stuff. So that's another win. I think.

B

That makes sense.

A

Awesome good discussions, um anything else you want to add here, steve or michael, no.

B

No, I mean you know, I think the next steps are going to be to talk this over some more with the other maintainers. I haven't really had a chance to to talk about that with with others much yet, but we'll sort of figure out. You know based on what I've seen so far. If there are additional areas we need to explore and then figure out sort of how to proceed um so more to come. um Just wanted to kind of raise what I've done so far.

A

Sounds good? um Does anyone have any discussion topics that they would like to talk about today? Any um anything you're wondering anything that steve can answer.

D

A link to an issue in the chat window that I was hoping to discuss today, but I have a feeling that I need james and nick on the call to discuss, and this is uh about proceeding with the service api's implementation.

D

um So yeah just trying to move this forward as nick laid out in his most recent comment. We need to start enumerating work that needs to be done in preparation for implementing service apis and then the actual service api's implementation, specific work.

D

So I guess my question would be: is you know I'm not familiar with hackmd? How? How do I make sure that this discussion is identified in the next in next week's meeting? That, I believe, is australia, friendly.

A

So you can just log in with your github uh account on hackmd and add in a line under next week and add what you want to talk about next week.

D

Leave a comment.

A

This is open to everyone, everyone can join in and edit and, of course, we do audits every now and then to make sure that the edits are correct, uh but yeah it's uh open for everyone.

C

I I similarly found like it's not intuitive on how to turn on edit mode in hmd. I think I finally worked it out, but yeah over here.

A

um Edit and view mode.

C

Yes,.

A

That's it or just.

C

I I I'm with whoever the person trying to work that this out is always the same. I'm like how do I edit this thing.

D

Yeah I'm like okay, I'm logged in and you.

C

Know.

D

Okay cool now I know how.

C

To edit, so um it's unlike uh google docs like there's no wysiwyg, which is sort of what I what I was originally stuck on, but yeah.

A

Yeah yeah so just add your stuff in here uh and then we'll bring it up on on next week's call.

D

When is the the date usually posted in this document? For like the next meeting, is that done after this call, or is it yeah.

A

Shortly before.

D

Okay, all right, then I'll keep an eye out on it. So thanks for the direction yeah sure.

A

um Any other questions comments.

C

No, I I just one comment: the the long-running saga of our non-sni clients, in particular the ibm data power gateway. So the team have successfully tested that after we've got the 1.7, so that's a big win for us. So thanks for persisting with that.

B

Great, that's good to hear.

A

Awesome. Well um then, with that um we're gonna end, today's call and uh hope you all have a fantastic rest of the week and see you all next week.

D

Have a good one folks, bye.