
Update K8s Security CS with Service mesh & OPA #496

Merged
merged 11 commits into from Nov 9, 2020


ragashreeshekar (Contributor) commented Oct 4, 2020

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as TEXT
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #.

Thank you again for your contribution 😃

Grammar update in the Access_Control_Cheat_Sheet.md cheatsheet. (#422)
Syncing with the OWASP/CheatSheetSeries
Syncing with master branch of OWASP/CheatSheetSeries
Syncing with OWASP/CheatSheetSeries
mackowski (Collaborator) left a comment

Looks very good thank you.

> #### RBAC
> A strong Role Based Access Control (RBAC) system is arguably one of the most critical requirements in large engineering organizations, since even the most secure system can be easily circumvented by overprivileged users or employees. Restricting privileged users to least privileges necessary to perform job responsibilities, ensuring access to systems are set to “deny all” by default, and ensuring proper documentation detailing roles and responsibilities are in place is one of the most critical security concerns in the enterprise.
>
> ### Implementing Open Policy Agent (OPA) for a centralized policy management

mackowski (Collaborator), Oct 22, 2020:

any alternatives for it?

ragashreeshekar (Author, Contributor), Oct 28, 2020:

This topic was one of the suggestions and I'm not quite exposed to it. I did some research; however, I couldn't find many resources. Could the team please help with it? Thanks in advance.

mackowski (Collaborator), Oct 29, 2020:

No worries, if you have done fair research and you did not find anything, that is fine. OPA is kind of the standard now, so I am happy that you covered it here.

ragashreeshekar (Author, Contributor), Nov 9, 2020:

Thanks @mackowski.
I have done the research to the best of my understanding and would be happy to add details based on the team's guidance.
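The RBAC paragraph under review describes least privilege and "deny all" by default without showing what that looks like in a cluster. As an added example (editorial, not code from this PR or from the cheat sheet), the manifests below grant one ServiceAccount exactly the two read actions its job needs. Kubernetes RBAC is deny-by-default, so the Role is the complete list of what the subject may do; the namespace, names and annotation values are assumptions for illustration.

```yaml
# Added example (not from the PR or the cheat sheet): a least-privilege
# Kubernetes Role bound to a single ServiceAccount. Anything not listed in
# the Role's rules is denied. Namespace, names and annotations are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: payments
  annotations:
    # The cheat sheet asks for roles and responsibilities to be documented;
    # keeping the owner and purpose on the object is one place to do that.
    owner: "platform-team (assumed value)"
    purpose: "read pod logs for the payments log shipper (assumed value)"
rules:
  # Only the verbs the job needs, on only the resources it needs.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # Deliberately absent: create/delete/patch verbs, secrets, and any "*"
  # wildcard. A wildcard would turn this into an over-privileged role.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: payments
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```

A quick check that the binding is as narrow as intended is `kubectl auth can-i delete pods -n payments --as=system:serviceaccount:payments:log-reader`, which should answer `no`, while the same command with `get pods/log` answers `yes`. Using a namespaced Role rather than a ClusterRole keeps the grant from applying cluster-wide.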

Seppl2202 (Contributor) commented Oct 22, 2020

> Ingress & Egress Control Service mesh adds a layer of security that allows you to monitor and address compromising traffic as it enters the mesh. Istio integrates with Kubernetes as an ingress controller and takes care of load balancing for ingress. This allows you to add a level of security at the perimeter with ingress rules. Egress control allows you to see and manage external services and control how your services interact with them.

While writing my bachelor thesis, I encountered massive issues when using Istio together with Ranger and Azure automation of certificates of exposed services (e.g. a web app): istio/istio#7776

The reason was that Istio used a resource called "Gateway" to expose a service, while the Azure automation required an "Ingress" resource to recognize it for certificate creation.
I read that Istio now has an "Ingress" resource (https://istio.io/latest/docs/tasks/traffic-management/ingress/); however, I am not really familiar with that one. Maybe someone has further information about that?

> Pod Security Policies are one way to control the security-related attributes of pods, including container privilege levels. These can allow an operator to specify the following:
>
> Do not run application processes as root.
> Do not allow privilege escalation.
> Use a read-only root filesystem.
> Use the default (masked) /proc filesystem mount
> Do not use the host network or process space.

--> I would clearly state that using "hostNetwork:true" will cause NetworkPolicies to be ignored, since the Pod will use its host's (= the node it runs on) network (the Git issue is from Calico, but I encountered that one with all CNI providers I used): projectcalico/felix#1361.
This can cause serious trouble :)
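The thread above touches two things the cheat sheet lists without showing: the OPA section (what a "centralized policy" actually contains) and the Pod Security Policy attributes, including the hostNetwork point raised in this comment. As an added example (editorial, not code from this PR, the cheat sheet, or the Istio/Calico projects), the manifests below express those five pod restrictions as one OPA policy and enforce them at admission. Deploying the policy through OPA Gatekeeper, the template and constraint names, and the excluded namespace are assumptions for illustration; the rules themselves follow the list quoted in the thread.

```yaml
# Added example (not from the PR or the cheat sheet): the pod restrictions
# the cheat sheet lists, written as a single OPA (Rego) policy and enforced
# with OPA Gatekeeper at admission time. Gatekeeper, the template/constraint
# names and the excluded namespace are assumptions for illustration.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srestrictedpod
spec:
  crd:
    spec:
      names:
        kind: K8sRestrictedPod
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srestrictedpod

        # Regular and init containers are both checked.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }

        # "Do not use the host network or process space". A pod with
        # hostNetwork: true lives in the node's network namespace, where
        # NetworkPolicy cannot be applied to it (the point made in this thread).
        violation[{"msg": msg}] {
          input.review.object.spec.hostNetwork == true
          msg := "hostNetwork: true is not allowed: NetworkPolicy does not apply to a pod on the node network"
        }
        violation[{"msg": msg}] {
          input.review.object.spec.hostPID == true
          msg := "hostPID: true is not allowed"
        }

        # "Do not run application processes as root". runAsNonRoot may be set
        # on the pod or per container; a container-level value takes precedence.
        run_as_non_root(c) { c.securityContext.runAsNonRoot == true }
        run_as_non_root(c) {
          not c.securityContext.runAsNonRoot == false
          input.review.object.spec.securityContext.runAsNonRoot == true
        }
        violation[{"msg": msg}] {
          c := containers[_]
          not run_as_non_root(c)
          msg := sprintf("container %v must set runAsNonRoot: true", [c.name])
        }

        # "Do not allow privilege escalation". The field must be explicitly
        # false; leaving it unset is not the same as setting it to false.
        violation[{"msg": msg}] {
          c := containers[_]
          not c.securityContext.allowPrivilegeEscalation == false
          msg := sprintf("container %v must set allowPrivilegeEscalation: false", [c.name])
        }

        # "Use a read-only root filesystem".
        violation[{"msg": msg}] {
          c := containers[_]
          not c.securityContext.readOnlyRootFilesystem == true
          msg := sprintf("container %v must set readOnlyRootFilesystem: true", [c.name])
        }

        # "Use the default (masked) /proc filesystem mount". procMount is
        # optional and already defaults to Default, so only an explicit
        # override is rejected; an unset field leaves this rule undefined.
        violation[{"msg": msg}] {
          c := containers[_]
          c.securityContext.procMount != "Default"
          msg := sprintf("container %v must not override procMount", [c.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictedPod
metadata:
  name: restricted-pods
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Assumed: system components that legitimately need host namespaces
    # are excluded rather than weakening the rule for everyone.
    excludedNamespaces: ["kube-system"]
```

Each `violation` rule produces its own message, so a pod that is both on the host network and missing `allowPrivilegeEscalation: false` is rejected with both reasons at once. Because the policy lives in one ConstraintTemplate, tightening it (for example, dropping the kube-system exclusion once those workloads are reviewed) is a single change rather than an edit to every Pod Security Policy in the cluster.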

mackowski (Collaborator) commented Oct 28, 2020

@ragashreeshekar please address @Seppl2202 and my comments. If you need any help let us know.

ragashreeshekar (Contributor, Author) commented Oct 28, 2020

I have updated the

> Ingress & Egress Control Service mesh adds a layer of security that allows you to monitor and address compromising traffic as it enters the mesh. Istio integrates with Kubernetes as an ingress controller and takes care of load balancing for ingress. This allows you to add a level of security at the perimeter with ingress rules. Egress control allows you to see and manage external services and control how your services interact with them.
>
> While writing my bachelor thesis, I encountered massive issues when using Istio together with Ranger and Azure automation of certificates of exposed services (e.g. a web app): istio/istio#7776
>
> The reason was that Istio used a resource called "Gateway" to expose a service, while the Azure automation required an "Ingress" resource to recognize it for certificate creation.
> I read that Istio now has an "Ingress" resource (https://istio.io/latest/docs/tasks/traffic-management/ingress/); however, I am not really familiar with that one. Maybe someone has further information about that?
>
> Pod Security Policies are one way to control the security-related attributes of pods, including container privilege levels. These can allow an operator to specify the following:
> Do not run application processes as root.
> Do not allow privilege escalation.
> Use a read-only root filesystem.
> Use the default (masked) /proc filesystem mount
> Do not use the host network or process space.
>
> --> I would clearly state that using "hostNetwork:true" will cause NetworkPolicies to be ignored, since the Pod will use its host's (= the node it runs on) network (the Git issue is from Calico, but I encountered that one with all CNI providers I used): projectcalico/felix#1361.
> This can cause serious trouble :)

Thanks for your review and suggestions. Please advise how we could handle the "Ingress & Egress Control using service mesh"; as far as I understand from the review, it may be better to remove that section. Kindly let me know.

I have updated the draft with the second comment; updated version commit: 1584fdd

Thanks again!

ragashreeshekar (Contributor, Author) commented Oct 28, 2020

Thanks @Seppl2202 and @mackowski for your time and review. Part of the review comments have been addressed, and I have added comments where I need some clarifications; please go through them and let me know your thoughts.

mackowski (Collaborator) commented Oct 29, 2020

ragashreeshekar (Contributor, Author) commented Nov 9, 2020

If it looks good, could we merge it to the active CS?
Please let us know how we could proceed if otherwise. Thanks in advance.

mackowski (Collaborator) commented Nov 9, 2020

Yeh, it looks well. I will merge it. Thank you @ragashreeshekar for your work!

mackowski (Collaborator) left a comment

LGTM

mackowski merged commit 3192a7c into OWASP:master Nov 9, 2020

3 checks passed: link-check, lint, Publishing Check