
Review OPA Gatekeeper as a possible tool for testing #3

Closed
5 of 6 tasks
taylor opened this issue Feb 7, 2020 · 4 comments

Comments

@taylor
Collaborator

taylor commented Feb 7, 2020

Goal: Review using OPA Gatekeeper to validate that CNFs continue to carry traffic when appropriate policies are enforced

Tasks:

  • Research OPA Gatekeeper
  • Create an outline
  • Create a rough draft
  • Peer review of draft
  • Iterate as needed, peer review (optional)
  • Add content to markdown

ref: s43

@taylor taylor added this to To do in CNF Test Suite Feb 7, 2020
@taylor taylor added the research label Feb 7, 2020
@lixuna lixuna changed the title Review OPA Gatekeeper as a possible tool for testinng Review OPA Gatekeeper as a possible tool for testing Feb 10, 2020
@taylor taylor moved this from To do to In progress in CNF Test Suite Feb 11, 2020
@wvwatson
Collaborator

OPA vs K-rails

OPA is more rigorous and all-inclusive than K-Rails. OPA and Gatekeeper seem to be more configurable and should be able to handle more edge cases than K-Rails. OPA seems to be becoming the standard within the K8s community. OPA has more forks/stars/contributors. OPA requires more configuration out of the box.

K-rails has a monitor mode that allows default 'violations' to be monitored and reported on. K-rails has default violations/policies that need very little configuration. The violations are stored in a log and can be scraped. This can be useful for testing a cluster for containers that have privileged mode turned on, among other things.

@wvwatson
Collaborator

Open Policy Agent is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA Gatekeeper provides first-class integration between OPA and Kubernetes.

We can use OPA for at least one CNF Conformance test, and possibly more. The steps for using OPA and OPA Gatekeeper would be as follows:

1. Deploy Gatekeeper using Helm in the potential CNF's cluster:
   ```
   helm install mesosphere-staging/gatekeeper --name gatekeeper
   ```
2. Create a privileged pod policy constraint template:
   ```
   kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/template.yaml
   ```
3. Create the privileged pod policy constraint:
   ```
   kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/constraint.yaml
   ```
4. Test that the constraint is enforced:
   ```
   kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/example.yaml
   ```
5. Check the output for errors:
   ```
   Error from server ([denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}): error when creating "https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/example.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}
   ```

@wvwatson wvwatson moved this from In progress to Review in progress in CNF Test Suite Feb 11, 2020
@taylor
Collaborator Author

taylor commented Feb 12, 2020

@nickolaev peer review?

@lixuna lixuna moved this from Needs Peer Review to Reviewer approved in CNF Test Suite Feb 12, 2020
@lixuna lixuna moved this from Reviewer approved to Done in CNF Test Suite Feb 12, 2020
@lixuna lixuna closed this as completed Feb 18, 2020
@lixuna lixuna added the 3 pts label Mar 4, 2020
@lixuna lixuna added this to the CNF Conformance Workload Tests milestone Apr 15, 2020