Safe K8s Deployment with Open Policy Agent
This demo shows how to enforce security policies for K8s deployments using Open Policy Agent (OPA) and the corresponding Gatekeeper project.
For details on the demo application see .
Before diving into the Kubernetes part with Gatekeeper, let's look at how OPA policies work in general.
OPA decouples policy decision-making from policy enforcement. When your software needs to make a policy decision it queries OPA and supplies structured data (e.g., JSON) as input; OPA evaluates that input against the loaded policies and returns a decision (again as JSON), which your software then enforces. In this respect OPA works similarly to a BPM engine or a state machine: the process (the policy) is decoupled from its input and output data.
(Source: https://www.openpolicyagent.org)
This example checks whether the container image to be deployed on a K8s cluster originates from a trusted container registry (myreg.com).
(Source: https://www.openpolicyagent.org)
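The trusted-registry check from that example, as an added illustration that is not the page's own code and not part of the demo repository. It is written in the form Gatekeeper (the Kubernetes integration of OPA discussed on this page) uses to load Rego into a cluster: a ConstraintTemplate carrying the policy and a Constraint that instantiates it. The registry myreg.com comes from the page; the kind K8sTrustedRegistry, the constraint name, the parameter field `registries` and the Rego package name are assumptions chosen for this example.

```yaml
# Added example (not the demo's own manifests). ConstraintTemplate: declares
# the new constraint kind, its parameter schema and the Rego that evaluates it.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8strustedregistry
spec:
  crd:
    spec:
      names:
        kind: K8sTrustedRegistry
      validation:
        # Constraints of this kind carry a list of allowed registry prefixes.
        openAPIV3Schema:
          type: object
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8strustedregistry

        # Containers of a bare Pod (spec.containers) or of a workload with a
        # pod template (spec.template.spec.containers), e.g. a Deployment.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.template.spec.containers[_] }

        # An image is trusted when it starts with one of the configured prefixes.
        trusted(image) {
          startswith(image, input.parameters.registries[_])
        }

        # One violation per container whose image is not from a trusted registry.
        violation[{"msg": msg}] {
          c := containers[_]
          not trusted(c.image)
          msg := sprintf("container %q uses image %q, which is not from a trusted registry %v",
                         [c.name, c.image, input.parameters.registries])
        }
---
# Constraint: instantiates the template, selects the kinds it applies to and
# supplies the parameter values. The trailing slash matters: "myreg.com"
# alone would also accept an image from "myreg.com.attacker.example/...".
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedRegistry
metadata:
  name: images-from-myreg
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    registries:
      - "myreg.com/"
```

With this constraint in place, an image such as `myreg.com/team/app:1.2` is admitted, while a bare Docker Hub name such as `nginx` (which has no registry prefix at all and implicitly resolves to docker.io) is rejected, as is any image from another registry. The Constraint can only be created once the ConstraintTemplate has been applied and Gatekeeper has generated the K8sTrustedRegistry CRD from it.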
Policies in OPA are written in OPA's own declarative language, Rego.
To evaluate and play with Rego you can use .
Gatekeeper installs a validating admission webhook on K8s that embeds the OPA engine and evaluates every matching API request against the loaded policies, so that non-compliant deployments are rejected before they reach the cluster.
To install Gatekeeper, follow the Gatekeeper installation instructions or use the script deploy-gatekeeper.sh in this folder.
Rego policies cannot be deployed directly into a K8s cluster. Instead, Gatekeeper uses its constraint framework: the Rego is wrapped in a ConstraintTemplate custom resource, and a Constraint custom resource instantiates that template and selects the resources it applies to.
Here you first deploy a constraint template and then a corresponding constraint using that template. In this step we enforce that every Pod specification includes a security context that disallows privilege escalation, i.e. sets allowPrivilegeEscalation to false.
To enforce this, execute the script deploy-constraint.sh in this folder.
First we want to see Gatekeeper in action by having our deployment denied because it still allows privilege escalation. The corresponding container image is pulled from a Docker Hub repository.
The application is deployed using the deployment file k8s/deploy_denied.yaml.
You will get an error message from Gatekeeper denying the deployment and naming the violated constraint.
Now we want to see Gatekeeper accept the deployment because it now disallows privilege escalation. The corresponding container image is again pulled from a Docker Hub repository.
The application is deployed using the deployment file k8s/deploy.yaml.
This time the deployment is admitted without any error.
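The whole procedure above (constraint template, constraint, a deployment that is denied and one that is admitted), as an added example that is not the demo repository's own deploy-constraint.sh, k8s/deploy_denied.yaml or k8s/deploy.yaml. The kind K8sDisallowPrivilegeEscalation, the constraint name, the Deployment names and the placeholder image nginx:1.25 are assumptions; the page does not name the demo's image.

```yaml
# Added example (not the demo's own manifests). ConstraintTemplate: defines the
# Rego and the new constraint kind K8sDisallowPrivilegeEscalation.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowprivilegeescalation
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowPrivilegeEscalation
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowprivilegeescalation

        # Collect every container of the admitted object: a bare Pod
        # (spec.containers) or a workload with a pod template
        # (spec.template.spec.containers); init containers are included.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }
        containers[c] { c := input.review.object.spec.template.spec.containers[_] }
        containers[c] { c := input.review.object.spec.template.spec.initContainers[_] }

        # Violation unless allowPrivilegeEscalation is explicitly false.
        # A missing field is undefined in Rego, so "not ... == false" fires
        # both when the field is true and when it is not set at all.
        violation[{"msg": msg}] {
          c := containers[_]
          not c.securityContext.allowPrivilegeEscalation == false
          msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
        }
---
# Constraint: instantiates the template and says which kinds it applies to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowPrivilegeEscalation
metadata:
  name: no-privilege-escalation
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      # Matching Deployments as well makes "kubectl apply" fail immediately.
      # Matching only Pods would accept the Deployment and silently fail its
      # ReplicaSet's pod creation instead (visible only in the events).
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
---
# Denied: allowPrivilegeEscalation is not set, so Kubernetes' default (true)
# applies and the constraint rejects the request.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-denied
spec:
  replicas: 1
  selector:
    matchLabels: {app: demo-denied}
  template:
    metadata:
      labels: {app: demo-denied}
    spec:
      containers:
        - name: app
          image: nginx:1.25   # placeholder; the page does not name the demo image
---
# Admitted: the same Deployment with the required security context.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-allowed
spec:
  replicas: 1
  selector:
    matchLabels: {app: demo-allowed}
  template:
    metadata:
      labels: {app: demo-allowed}
    spec:
      containers:
        - name: app
          image: nginx:1.25   # placeholder; the page does not name the demo image
          securityContext:
            allowPrivilegeEscalation: false
```

Apply the documents in order: the ConstraintTemplate first, then the Constraint once Gatekeeper has generated the CRD for the new kind, then the two Deployments. For demo-denied the API server returns the admission webhook's error, which quotes the constraint name and the `msg` produced by the Rego; demo-allowed is created normally. Note that a ConstraintTemplate that only reads `spec.containers` would never see a Deployment's containers, which is why the Rego above also walks `spec.template.spec`.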