I will provide a link to a Rego playground with my policy examples at the end of this article. Thankfully, OPA provides an amazing Rego Playground where you can test out policies and learn through experimentation. I would highly encourage you to read the docs, but you can still follow along with this article if you don’t have any experience (you just might get lost). Creating your own DSL is going to be this generation’s version of “should I invent a new binary format for this project?”Īnyway, joking aside, Rego takes some getting used to (and I’m definitely not great at it yet). There are many robust, high-level languages (Python, Go, shudder Javascript) that provide clear, easily readable ways to express logic. I would strongly caution you against testing this in a production cluster, but YOLO is the official motto of Kubernetes, so do whatever you want. While Gatekeeper sounds like the future of the OPA project for K8s, it’s still in beta and the docs mostly involve “look at these examples on Github.” I’d love to revisit it once it’s a bit further along.Īnd that’s about it! If you’re running minikube (or any K8s distribution) and have OPA installed through their tutorial, you should be able to follow along with me here. The pod (or even Kubernetes resource) is irrelevant in this article, and just gives me something to test my kubectl annotate commands against.įor those familiar with OPA, you’ll also notice that I’m using “regular” OPA-Kubernetes, and not the newer OPA Gatekeeper. I’m also running a simple nginx pod that I will use to demonstrate the admission control decisions throughout this article. For the sake of simplicity, this article doesn’t cover any of that (and you could subsequently remove those flags from the container arguments, if you wanted to). This allows you to access existing Kubernetes objects in your OPA policies, instead of just looking at the fields sent in the admission request. The tutorial also uses -replicate and -replicate-cluster settings to force OPA to periodically cache the overall state of the Kubernetes cluster. You should use a real certificate signed by a real CA. I installed OPA using their Kubernetes tutorial, but be aware this isn’t the way you’d want to deploy it in production. However, these instructions should be applicable with any Kubernetes installation that supports OPA (e.g., has ValidatingAdmissionWebhook enabled, which is the default in the last several K8s versions). I’m running minikube version 1.20.0, which runs Kubernetes version 1.20.2, on my local laptop. Environment Setupīefore I get started, let me go over my local environment that I used for this article. While this approach might not hit every attack scenario, it’s a good start. In this article, I’ll walk through how you could use OPA to mitigate the attack laid out in Jared’s article (again, if you haven’t read it: go do that first). While OPA isn’t limited to Kubernetes, it’s a natural fit for a ValidatingAdmissionWebhook (and the project itself provides the resources necessary to deploy it as one). The idea behind OPA tracks pretty closely with the strategy behind a ValidatingAdmissionWebhook: a JSON blob goes into OPA, it evaluates some rules, and it returns a response. OPA is a powerful project that provides a framework for authorization. I became passively interested in the ValidatingAdmissionWebhook pattern a few years ago when I saw an Open Source Summit presentation about the Open Policy Agent (OPA). Their implementation is also very easy: they’re just webservers that receive JSON requests from Kubernetes and reply back with their disposition (accept or reject). While ValidatingAdmissionWebhook may sound intimidating, it’s a simple concept: inspect API calls to Kubernetes for CRUD operations on resources, and make decisions about whether or not those actions should be permitted. If you’re unfamiliar with admission controllers in Kubernetes, I’d recommend a look over the official docs. It’s a great read and a clever idea, especially since most K8s admins probably pay little attention to what is going on with their annotations.Īs I was reading his article, I kept thinking to myself: this seems like something that a ValidatingAdmissionWebhook could prevent. My friend Jared Stroud recently wrote a great article about abusing annotations in Kubernetes as storage space for malicious payloads. Using OPA to block malicious annotations in Kubernetes
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |