stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We're still excited about all of our experts' sessions and the large number of participants who joined us from all over the world. In the following you get an insight into one of our talks.
At stackconf online 2021 Ara Pulido from Datadog talked about "Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper".
What is Kubernetes
Kubernetes is a container orchestration platform that helps you run your containerized applications in production. It provides Role-based Access Control (RBAC), which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources (what a manifest may or may not contain); this is where the Open Policy Agent (OPA) Gatekeeper comes in.
What is Open Policy Agent (OPA)
A policy is a rule that governs the behavior of a software service.
The Open Policy Agent (OPA) is an open source project: a policy engine for Cloud Native environments that can be co-located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA website we can find a list of OPA integrations, use cases and related projects.
What is Open Policy Agent Gatekeeper
The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update resources such as Pods on Kubernetes clusters; the API server calls it as a webhook, using JSON over HTTPS.
Example
In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.
To do this, we have to build our Rego query with the help of Gatekeeper. This consists of a package containing a violation definition. The violation defines the input data, the condition to be matched, and a message which gets returned in case of a violation.
This is done by wrapping our query into a ConstraintTemplate resource:
    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: k8srequiredlabels
    spec:
      crd:
        spec:
          names:
            kind: K8sRequiredLabels
            listKind: K8sRequiredLabelsList
            plural: k8srequiredlabels
            singular: k8srequiredlabels
          validation:
            # Schema for the `parameters` field
            openAPIV3Schema:
              properties:
                labels:
                  type: array
                  items: string
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package k8srequiredlabels

            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
              # labels present on the object being admitted
              provided := {label | input.review.object.metadata.labels[label]}
              # labels demanded by the Constraint's parameters
              required := {label | label := input.parameters.labels[_]}
              missing := required - provided
              count(missing) > 0
              msg := sprintf("you must provide labels: %v", [missing])
            }
We have not yet defined which labels we require our Kubernetes resources to have. We also have not yet defined which Kubernetes resources this policy should be applied to. To do this, we have to create another manifest, called a Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: ns-must-have-gk
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Namespace"]
      parameters:
        labels: ["gatekeeper"]
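To make the two halves concrete, here is a small Python model of how Gatekeeper applies the ConstraintTemplate and Constraint above to admission requests. This is an added example, not code from the talk or from the Gatekeeper project (which evaluates the real Rego inside OPA); the admission requests it runs on are constructed sample data.

```python
# Added example (not from the talk or the Gatekeeper project): a Python model of
# how Gatekeeper applies the K8sRequiredLabels policy above. Real Gatekeeper runs
# the Rego in OPA; this mirrors its two steps: the Constraint's `match` selects
# the admission requests in scope, then the template's `violation` rule runs on
# input.review (the AdmissionReview request) and input.parameters.
# All admission requests below are constructed sample data.

# The Constraint from the post: core-group Namespaces must carry "gatekeeper".
CONSTRAINT = {
    "match": {"kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}]},
    "parameters": {"labels": ["gatekeeper"]},
}

def matches(constraint, review):
    """Mirror spec.match.kinds: group and kind must both be listed ("*" = any)."""
    group, kind = review["kind"]["group"], review["kind"]["kind"]
    return any((group in sel["apiGroups"] or "*" in sel["apiGroups"])
               and (kind in sel["kinds"] or "*" in sel["kinds"])
               for sel in constraint["match"]["kinds"])

def violations(constraint, review):
    """Python rendering of the Rego `violation` rule: one entry per violation."""
    labels = review["object"].get("metadata", {}).get("labels") or {}
    provided = set(labels)                              # labels present on the object
    required = set(constraint["parameters"]["labels"])  # labels demanded by the Constraint
    missing = required - provided
    if not missing:                                     # count(missing) > 0 is false -> no violation
        return []
    return [{"msg": "you must provide labels: %s" % sorted(missing),
             "details": {"missing_labels": sorted(missing)}}]

def admit(constraint, review):
    """Admission decision: allowed unless an in-scope object yields a violation."""
    if not matches(constraint, review):
        return True, []
    found = violations(constraint, review)
    return not found, found

# Constructed AdmissionReview-like requests (the `input.review` part).
NS_OK = {"kind": {"group": "", "kind": "Namespace"},
         "object": {"metadata": {"name": "team-a", "labels": {"gatekeeper": "yes"}}}}
NS_BAD = {"kind": {"group": "", "kind": "Namespace"},
          "object": {"metadata": {"name": "team-b"}}}   # no labels at all
POD = {"kind": {"group": "", "kind": "Pod"},
       "object": {"metadata": {"name": "web"}}}        # not selected by this Constraint

if __name__ == "__main__":
    for name, req in (("NS_OK", NS_OK), ("NS_BAD", NS_BAD), ("POD", POD)):
        print(name, admit(CONSTRAINT, req))
```

The unlabelled Namespace is rejected with the missing-label details, while the Pod passes untouched because the Constraint's `match` never selects it.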
Gatekeeper thus makes reuse of a policy simple: one ConstraintTemplate can be instantiated by many Constraints with different parameters and targets. Other ready-made policies follow the same pattern, for example one requiring that the host must be unique among all Ingresses.
Under https://github.com/open-policy-agent/gatekeeper-library we find the whole Gatekeeper policy library.
I liked that the topic was explained explicitly, even with live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.
Full talk and more from and about stackconf
Watch the whole talk by Ara Pulido:
stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance, you have the possibility to take a look at our archive, where you can find all slides and videos from this year's stackconf.