Kubernetes: Enforcing policies using the OPA gatekeeper

Kubernetes Policy enforcement OPA gatekeeper

6 min read | by Jordi Prats

We might call it best-practices or policies but most organizations have some rules about how their applications should run, for example: Do not use the latest tag. Some others might even be required to meet certain compliance requirements to reach some security standard, for example: Do not use NodePort services.

To be able to enforce these policies we can use a policy engine like OPA.

OPA gatekeeper is a validating webhook that enforces CRD-based policies executed by the Open Policy Agent.

To implement these policies as CRDs it uses two objects:

  • A ConstraintTemplate that defines the rule
  • The actual instance of the defined template, allowing you to control (using parameter) when and how it is actually applied the rule

The validating webhook, by default, is ignored when it is returning an error (webhook down or unreachable): During this time constraints will not be enforced, but the audit process is expected to highlight any invalid resources that made it into the cluster.

We can also set it to fail closed by changing the failurePolicy of the ValidatingWebhookConfiguration object to Fail (with the helm chart it is controlled using the validatingWebhookFailurePolicy option) Even though you can always edit or delete a ValidatingWebhookConfiguration since these operations are not subjected to admission webhooks, it can cause circular dependencies where the actions to fix the webhook itself depend on some other action that failed because the webhook is failing: This needs to be carefully considered

OPA gatekeeper installation

To install OPA gatekeeper we can either install the manifests or go for a helm based install, which can't be more straightforward:

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace

Policy configuration

In order to start applying our rules we can start writing them from scratch or look at the gatekeeper-library for rules that somebody have already implemented.

They provide a way of installing them using kustomize as follows:

$ kustomize build github.com/open-policy-agent/gatekeeper-library/library | kubectl apply --filename -

But we can choose hand pick which ConstraintTemplate we want to install. For example, to prevent the usage of NodePort we will have to install the following definition:

apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata:  name: k8sblocknodeport  annotations:  description: >-  Disallows all Services with type NodePort.  https://kubernetes.io/docs/concepts/services-networking/service/#nodeport spec:  crd:  spec:  names:  kind: K8sBlockNodePort  targets:  - target: admission.k8s.gatekeeper.sh  rego: |  package k8sblocknodeport  violation[{"msg": msg}] {  input.review.kind.kind == "Service"  input.review.object.spec.type == "NodePort"  msg := "User is not allowed to create service of type NodePort"  }

Once this constraint is installed, we will be able to create instances of this rule by creating the K8sBlockNodePort object as follows:

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata:  name: block-node-port spec:  match:  kinds:  - apiGroups: [""]  kinds: ["Service"]

With this in place we won't be able to create the following object:

apiVersion: v1 kind: Service metadata:  name: demo-nodeport spec:  type: NodePort  ports:  - port: 80  targetPort: 80  protocol: TCP  name: http  selector:  app: pet2cattle

If we try, we will get the following error message:

$ kubectl apply -f nodeportdemo.yaml  Error from server ([block-node-port] User is not allowed to create service of type NodePort): error when creating "nodeportdemo.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [block-node-port] User is not allowed to create service of type NodePort

We can use these objects to fine-tune what we want to block, for example, we can also apply this restriction to a specific namespace as follows:

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata:  name: block-node-port spec:  match:  kinds:  - apiGroups: [""]  kinds: ["Service"]  namespaces:  - "test"

With this configuration we will be able to create NodePort services on the namespaces that are not included on the list:

$ kubectl apply -f demonodeport.yaml -n test Error from server ([block-node-port] User is not allowed to create service of type NodePort): error when creating "demonodeport.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [block-node-port] User is not allowed to create service of type NodePort $ kubectl apply -f demonodeport.yaml -n trial service/demo-nodeport created

Audit existing resources

With the OPA gatekeeper installation, there is a Pod that performs periodic evaluations of existing resources against constraints, detecting pre-existing misconfigurations or any object that somehow managed to get past the validating webhook.

We have tree main ways of checking the audit results:

  • Prometheus Metrics: provides an aggregated look at the number of audit violations
  • Constraint Status: Violations are listed in the status field of the corresponding constraint
  • Audit Logs: At each run, the audit pod emits JSON-formatted logs with information about the violations

For example, if we had an existing NodePort service before applying the K8sBlockNodePort constraint we will be able to see the violations on it's status:

$ kubectl describe K8sBlockNodePort block-node-port Name: block-node-port Namespace:  Labels: <none> Annotations: helm.sh/hook: post-install,post-upgrade API Version: constraints.gatekeeper.sh/v1beta1 Kind: K8sBlockNodePort (...) Spec:  Match:  Kinds:  API Groups:  Kinds:  Service Status:  Audit Timestamp: 2022-03-28T21:34:21Z  By Pod:  Constraint UID: 3640d4af-dead-beef-a123-26bc96100f3e  Enforced: true  Id: gatekeeper-audit-b8af6ac78c-pf6pr  Observed Generation: 3  Operations:  audit  mutation-status  status  Constraint UID: 3640d4af-dead-beef-a123-26bc96100f3e  Enforced: true  Id: gatekeeper-controller-manager-b8af6ac78c-9btw4  Observed Generation: 3  Operations:  mutation-webhook  webhook  Constraint UID: 3640d4af-dead-beef-a123-26bc96100f3e  Enforced: true  Id: gatekeeper-controller-manager-b8af6ac78c-w9dw7  Observed Generation: 3  Operations:  mutation-webhook  webhook  Constraint UID: 3640d4af-dead-beef-a123-26bc96100f3e  Enforced: true  Id: gatekeeper-controller-manager-b8af6ac78c-qq847  Observed Generation: 3  Operations:  mutation-webhook  webhook  Total Violations: 1  Violations:  Enforcement Action: deny  Kind: Service  Message: User is not allowed to create service of type NodePort  Name: demo-nodeport  Namespace: trial Events: <none>

And on the audit pod as well:

$ kubectl get pods -n gatekeeper-system NAME READY STATUS RESTARTS AGE gatekeeper-audit-b8af6ac78c-pf6pr 1/1 Running 0 43h gatekeeper-controller-manager-b8af6ac78c-9btw4 1/1 Running 0 43h gatekeeper-controller-manager-b8af6ac78c-w9dw7 1/1 Running 0 43h gatekeeper-controller-manager-b8af6ac78c-qq847 1/1 Running 0 9h $ kubectl logs gatekeeper-audit-b8af6ac78c-pf6pr -n gatekeeper-system (...) {"level":"info","ts":1648496316.0117562,"logger":"controller","msg":"starting update constraints loop","process":"audit","audit_id":"2022-03-28T21:38:36Z","constraints to update":"map[{K8sBlockNodePort constraints.gatekeeper.sh/v1beta1 block-node-port}:{map[apiVersion:constraints.gatekeeper.sh/v1beta1 kind:K8sBlockNodePort metadata:map[annotations:map[helm.sh/hook:post-install,post-upgrade] creationTimestamp:2022-03-23T22:11:42Z generation:3 managedFields:[map[apiVersion:constraints.gatekeeper.sh/v1beta1 fieldsType:FieldsV1 fieldsV1:map[f:status:map[]] manager:gatekeeper operation:Update time:2022-03-23T22:11:42Z] map[apiVersion:constraints.gatekeeper.sh/v1beta1 fieldsType:FieldsV1 fieldsV1:map[f:metadata:map[f:annotations:map[.:map[] f:helm.sh/hook:map[]]] f:spec:map[.:map[] f:match:map[.:map[] f:kinds:map[]]]] manager:terraform-provider-helm_v2.4.1_x5 operation:Update time:2022-03-23T22:11:42Z]] name:block-node-port resourceVersion:166046384 uid:0364a4df-d8e9-44fe-b131-0e602961f3bc] spec:map[match:map[kinds:[map[apiGroups:[] kinds:[Service]]]]] status:map[auditTimestamp:2022-03-28T13:32:21Z byPod:[map[constraintUID:0364a4df-d8e9-44fe-b131-0e602961f3bc enforced:true id:gatekeeper-audit-6c78cb88bf-9btw4 observedGeneration:3 operations:[audit mutation-status status]] map[constraintUID:0364a4df-d8e9-44fe-b131-0e602961f3bc enforced:true id:gatekeeper-controller-manager-b8af6ac78c-w9dw7 observedGeneration:3 operations:[mutation-webhook webhook]] map[constraintUID:0364a4df-d8e9-44fe-b131-0e602961f3bc enforced:true id:gatekeeper-controller-manager-b8af6ac78c-qq847 observedGeneration:3 operations:[mutation-webhook webhook]] map[constraintUID:0364a4df-d8e9-44fe-b131-0e602961f3bc enforced:true id:gatekeeper-controller-manager-b8af6ac78c-nr6pn observedGeneration:3 operations:[mutation-webhook webhook]]] totalViolations:1 violations:[map[enforcementAction:deny kind:Service message:User is not allowed to create service of type NodePort name:demo-nodeport namespace:trial]]]]}]"}

Posted on 29/03/2022

Categories