Add blog about CEL admission control library #40174
Conversation
/assign sftim
/unassign sftim
Hi @craigbox
I'm short on capacity to help with optional work - this article included. If you can pick a new future date and find a SIG API Machinery tech reviewer, we / I should be able to do the actual approve.
We'd like the publication date to be in the future at the date we merge. Try the 5th of April?
/lgtm
LGTM label has been added. Git tree hash: 883ec0ef1bf4e52e76357a0cdd2855f36e8373d7
@sftim / @nate-double-u / @onlydole - when you're ready, please lmk if we can bring the publication date forward, I took a week in the future as suggested
Thanks!
Enough nits here that I'd welcome a follow-up PR, that we merge in before the publication date.
We can publish this as is; it's nice to leave a more maintainable article in the repo if we can.
/approve
/lgtm
## Giving CEL a roll - a practical example

[Kubescape](https://github.com/kubescape/kubescape) is a CNCF project which has become one of the most popular ways for users to improve the security posture of a Kubernetes cluster and validate its compliance. [Its controls](https://github.com/kubescape/regolibrary) — groups of tests against API objects — are built in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the policy language of Open Policy Agent.
Suggested change from:
[Kubescape](https://github.com/kubescape/kubescape) is a CNCF project which has become one of the most popular ways for users to improve the security posture of a Kubernetes cluster and validate its compliance. [Its controls](https://github.com/kubescape/regolibrary) — groups of tests against API objects — are built in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the policy language of Open Policy Agent.
to:
[Kubescape](https://github.com/kubescape/kubescape) is a CNCF project which has become one of the most popular ways for users to improve the security posture of a Kubernetes cluster and validate its compliance. Its [controls](https://github.com/kubescape/regolibrary) — groups of tests against API objects — are built in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the policy language of Open Policy Agent.
Rego has a reputation for complexity, based largely on the fact that it is a declarative query language (like SQL). It [was considered](https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/2876-crd-validation-expression-language/README.md#alternatives) for use in Kubernetes, but it does not offer the same sandbox constraints as CEL.
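Review bot: the claim that Rego "does not offer the same sandbox constraints as CEL" is asserted without saying what those constraints are; one clause naming them (CEL expressions are not Turing-complete and the API server bounds the cost of evaluating them) would let readers judge the comparison instead of taking it on trust.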
nit: better to link to a commit and not master (more like a permalink)
### Show me the policy

It did not take us long to convert many of our controls and build [a library of validating admission policies.](https://github.com/kubescape/cel-admission-library) Let’s look at one as an example.
Suggested change from:
It did not take us long to convert many of our controls and build [a library of validating admission policies.](https://github.com/kubescape/cel-admission-library) Let’s look at one as an example.
to:
It did not take us long to convert many of our controls and build a [library of validating admission policies](https://github.com/kubescape/cel-admission-library). Let’s look at one as an example.
[Kubescape’s control C-0017](https://hub.armosec.io/docs/c-0017) covers the requirement for containers to have an immutable (read-only) root filesystem. This is a best practice according to the [NSA Kubernetes hardening guidelines](https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#immutable-container-filesystems), but is not currently required as a part of any of the [pod security standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
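Review bot: the paragraph states what control C-0017 requires but never names the pod field the policy will test; saying here that it is `securityContext.readOnlyRootFilesystem: true` on every container makes the CEL expression the post introduces much easier to read, and the two kubernetes.io links should be site-relative (`/blog/...`, `/docs/...`) as the suggestion on this hunk proposes.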
Suggested change from:
[Kubescape’s control C-0017](https://hub.armosec.io/docs/c-0017) covers the requirement for containers to have an immutable (read-only) root filesystem. This is a best practice according to the [NSA Kubernetes hardening guidelines](https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#immutable-container-filesystems), but is not currently required as a part of any of the [pod security standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
to:
Kubescape’s [control C-0017](https://hub.armosec.io/docs/c-0017) covers the requirement for containers to have an immutable (read-only) root filesystem. This is a best practice according to the [NSA Kubernetes hardening guidelines](/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#immutable-container-filesystems), but is not currently required as a part of any of the [pod security standards](/docs/concepts/security/pod-security-standards/).
# Install configuration CRD
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml
# Install basic configuration
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml
# Install policies
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml
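Review bot: all three `releases/latest/download/...` URLs resolve to whatever release is current when a reader runs them, so the commands are not reproducible and what gets applied may differ from the manifests reviewed for this post; pin them to a tagged release path, and since the third manifest installs cluster-wide admission policies, consider telling readers to download the files and check them against the cluster first (for example `kubectl apply --dry-run=server -f <file>`) before applying for real.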
nit: can we use a stable link that will work even after these are updated to work with v1.27?
I don't expect them to change, but I'm happy to update the blog post in future if needed to fix.
We're planning a release next month, that won't work with those manifests.
I knew there were some changes in this API in 1.27, but I didn't see that any were breaking?
Do you know why these manifests won't work with 1.27?
New API version, IIRC (v1alpha2).
I will update the repository to support v1alpha2. What is the ETA of this blog?
The only version remained v1alpha1 in 1.27 because there was no breaking change. See https://github.com/kubernetes/api/blob/v0.27.0-rc.0/admissionregistration/v1alpha1/types.go
Sorry, got my KEPs mixed up.
Please wrap lines at around 100 characters. That wrapping helps localization teams.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sftim. The full list of commands accepted by this bot can be found here. The pull request process is described here.
This blog post introduces a library of Validating Admission Policies built by converting Kubescape controls from Rego to CEL.