
Enhance OPA policies #19

Status: Closed
Morriz opened this issue Dec 9, 2019 · 9 comments
Labels: Task (Scrum task)

Comments

Morriz (Contributor) commented Dec 9, 2019

We want our opa policies to also limit access to the following resources:

  • istio stuff
  • ResourceQuota
  • ?
@Morriz Morriz created this issue from a note in Otomi Container Platform (To Do) Dec 9, 2019
@Morriz Morriz added this to the MVP NS on AKS milestone Dec 9, 2019
@Morriz Morriz removed this from To Do in Otomi Container Platform Dec 9, 2019
@Morriz Morriz added this to To do in Otomi Stack via automation Dec 9, 2019
@Morriz Morriz added this to In Progress in Otomi Container Platform Dec 10, 2019
@Morriz Morriz moved this from In Progress to To Do in Otomi Container Platform Dec 10, 2019
@Morriz Morriz removed this from To do in Otomi Stack Dec 10, 2019
@Morriz Morriz changed the title implement OPA policies for apps (via gw plugin) implement OPA admission hook (chart) and create policies Jan 14, 2020
githubcdr (Contributor):

We'll use opa-gatekeeper (v3) for this; this is the latest version of OPA for Kubernetes.

How is Gatekeeper different from OPA?

Compared to using OPA with its sidecar kube-mgmt (aka Gatekeeper v1.0), Gatekeeper introduces the following functionality:

  • An extensible, parameterized policy library
  • Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
  • Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
  • Audit functionality

I've added example Constraints in the opa-gatekeeper branch; this includes policies per team namespace: nonroot, nohostnetwork and required labels.

@Morriz Morriz moved this from To Do to In Progress in Otomi Container Platform Feb 3, 2020
@Morriz Morriz mentioned this issue Feb 17, 2020
@Morriz Morriz removed this from the MVP NS milestone Mar 31, 2020
@Morriz Morriz added this to the Sprint 2 milestone Mar 31, 2020
@rnugraha rnugraha changed the title implement OPA admission hook (chart) and create policies create OPA policies May 19, 2020
@rnugraha rnugraha removed this from the Sprint 2 milestone May 19, 2020
Morriz (Contributor, Author) commented Aug 11, 2020

This framework exists and rules should be enforced again after carefully making resources meet their criteria

@Morriz Morriz changed the title create OPA policies Update/activate OPA policies Aug 11, 2020
Morriz (Contributor, Author) commented Sep 28, 2020

@githubcdr see here comments from closed duplicate issue:

See below

On Thu, 10 Sep 2020 at 16:09, cDR notifications@github.com wrote:

> Do we want to set quotas on the namespace or enforce them using OPA?

opa is nicer and allows pre deploy linting

> Limitrange and OPA seem to be a weird combo, I'll test this.

Limitrange sux. We should check resource specs in opa. Again better to lint

> Do teams get a dedicated namespace or will we allow multiple teams in
> the same namespace?

one per ns

Morriz (Contributor, Author) commented Oct 19, 2020

only resource constraint template for now

Morriz (Contributor, Author) commented Oct 21, 2020

Do you think you can still do that this week?

Morriz (Contributor, Author) commented Oct 21, 2020

Whoever will do this task, please upgrade the operator chart by copying the contents of this file:

https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml

into the templates/gatekeeper.yaml file

and updating Chart.yaml to reflect the new version

@Morriz Morriz moved this from In Progress to In Review in Otomi Container Platform Oct 27, 2020
@Morriz Morriz moved this from In Review to In Progress in Otomi Container Platform Oct 27, 2020
@rawc0der rawc0der self-assigned this Nov 3, 2020
rawc0der (Contributor) commented Nov 4, 2020

We should start refactoring all the policies to a common .rego language syntax, since the Konstraint library is going to support input.parameters as part of the core definitions.

PR that started all the mess here - plexsystems/konstraint#80
Nice to see the community reacting so quickly
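An added example, not code from the Otomi repo or from the Konstraint project: a Gatekeeper v3 ConstraintTemplate whose Rego reads input.parameters (the pattern the comment above refers to), paired with a Constraint instance that applies it to one team namespace, in the spirit of the "check resource specs in opa" and "resource constraint template" remarks earlier in the thread. The kind name K8sContainerLimits, the parameter name resources and the namespace team-demo are assumptions.

```yaml
# Added example; K8sContainerLimits, the "resources" parameter and the
# team-demo namespace are assumed names, not the project's own.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8scontainerlimits
spec:
  crd:
    spec:
      names:
        kind: K8sContainerLimits
      validation:
        # Schema for the values a Constraint passes in as input.parameters
        openAPIV3Schema:
          properties:
            resources:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8scontainerlimits

        # One violation per container that lacks a required limit.
        # A container with no resources.limits block at all also fails,
        # because the lookup is undefined and "not" then holds.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          required := input.parameters.resources[_]
          not container.resources.limits[required]
          msg := sprintf("container <%v> must set resources.limits.%v", [container.name, required])
        }
---
# Constraint instance: binds the template to a team namespace and
# supplies the parameters the Rego reads via input.parameters.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: team-demo-container-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["team-demo"]   # constructed example namespace
  parameters:
    resources: ["cpu", "memory"]
```

With both objects applied, a Pod in team-demo whose container omits either limit is rejected at admission, and Gatekeeper's audit reports existing Pods that fail the same rule.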

j-zimnowoda (Contributor):

> Nice to see the community reacting so quickly

Indeed that is really encouraging

Morriz (Contributor, Author) commented Nov 4, 2020

Awesome!

@Morriz Morriz changed the title Update/activate OPA policies Enhance OPA policies Nov 12, 2020
@Morriz Morriz added the Task Scrum task label Nov 12, 2020
@Morriz Morriz moved this from In Progress to Backlog in Otomi Container Platform Nov 12, 2020
@Morriz Morriz closed this as completed Jan 27, 2021
Otomi Container Platform automation moved this from Backlog to Closed Jan 27, 2021
@srodenhuis srodenhuis removed this from Closed in Otomi Container Platform Jul 8, 2024