OPA Gatekeeper Support
Capability Summary
InsightCloudSec has implemented Open Policy Agent (OPA) Gatekeeper support so you can take advantage of Gatekeeper and ensure your clusters meet the policies required for the security and compliance of your Kubernetes infrastructure.
Per the Kubernetes Blog: "Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA), a policy engine for Cloud Native environments hosted by CNCF."
External References
- Check out a Kubernetes Blog on OPA Gatekeeper
- Learn more about Gatekeeper
- Check out the Gatekeeper Policy Manager on GitHub
Terms
- Constraint - a declaration created by an author (you) for the system around a set of defined requirements. Constraints are written in Rego, a language used by OPA to enumerate instances of data that violate the expected state of the system. For example, in a system with objects that can be labeled, you can create a Constraint to identify a specific label for each object (billable, point of contact, etc.).
- Constraint Template - the format used by OPA to declare new Constraints. Templates can define the expected parameters and the underlying Rego that enforces their intent.
Use Cases
Example 1
Result: Implement a Constraint to show you coverage by non-compliant clusters
Example 2
Result: InsightCloudSec harvests the individual Constraints (and templates) for easy visibility
Getting Started with Gatekeeper
Prerequisites
- InsightCloudSec
- Kubernetes Local Scanner v. 4.0.1+ OR Kubernetes Remote Scanner
What is Supported?
After you have deployed InsightCloudSec and the Kubernetes Scanner of your choice, InsightCloudSec can harvest 2 new resources.
- Gatekeeper Constraint template: ConstraintTemplate describes both the Rego that enforces the constraint and the schema of the constraint
- Gatekeeper Constraint: Constraints are used to inform Gatekeeper that the admin wants a ConstraintTemplate to be enforced, and how to enforce them
The combination of the Constraint template and Constraints creates enforcement policies on each k8s cluster. Check out the following article for additional details.
- A policy (constraint + template) is specific to the cluster on which it is configured
- InsightCloudSec will harvest and show inventory across all monitored clusters for the two new resource types
Using InsightCloudSec to Assess Gatekeeper
Gatekeeper Assessment Support
InsightCloudSec offers one Insight and two Query Filters to assist in assessing Gatekeeper status and OPA Constraints:
- Query Filters
- Kubernetes Security: Gatekeeper -- Identifies various Kubernetes resources that fail one or more Kubernetes Security checks for Gatekeeper.
- Clusters Missing OPA Constraints -- Enables InsightCloudSec to check for compliance against any Constraints for resources within a Data Collection. If a cluster doesn’t have a full match to the Constraints associated with it (all specified constraints must be deployed on the cluster), the cluster will be marked as non-compliant. This Query Filter currently keys off of the Cloud Accounts resource.
Data Collection Tips
The data collection should be set up with your list of required Gatekeeper constraints. The filter validates against the same list and will show all clusters that are not compliant, i.e., missing one or more of the constraints specified in the data collection.
- Insight
- Validating Gatekeeper Status -- The number of active Gatekeeper deployments does not equal the configured number. Uses the Kubernetes Security: Gatekeeper Query Filter.
Using Automation for Gatekeeper
Once InsightCloudSec has collected details and provided findings, you have the ability to build automation around notifications through our Bot (Automation) capability.
In the example below we've created a template for a Bot that detects new non-compliant clusters. When configuring this Bot, ensure you scope it to the Cloud Account resource type and the Clusters Missing OPA Constraints Query Filter (together with the associated Data Collection it requires). The following actions are relevant to assessing OPA Gatekeeper compliance:
- Slack
Integrations
For any of the items above that require third-party integrations refer to our Integrations Overview documentation (which includes links to individual pages for each Integration offered). For the example below, you must have a configured Slack Integration.
```json
{
  "resource_id": "divvybot:1:2921",
  "name": "OPA Gatekeeper Non-Compliant Cluster",
  "description": "",
  "notes": null,
  "insight_id": null,
  "source": null,
  "insight_name": null,
  "insight_severity": null,
  "owner": "divvyuser:1234:",
  "owner_name": "John Smith",
  "state": "RUNNING",
  "date_created": "2023-03-30 17:40:32",
  "date_modified": "2023-03-30 17:40:32",
  "category": "Security",
  "badge_scope_operator": null,
  "instructions": {
    "resource_types": [
      "divvyorganizationservice"
    ],
    "filters": [
      {
        "name": "divvy.query.k8s_cluster_missing_required_opa_constrains",
        "config": {
          "constraints": []
        },
        "collections": {
          "constraints": 1
        }
      }
    ],
    "actions": [
      {
        "name": "slack.action.send_slack_message",
        "config": {
          "webhook": "...",
          "channel": "my-channel",
          "username": "InsightCloudSec",
          "recipient_tag_keys": [],
          "recipient_badge_keys": [],
          "message": "A new OPA Gatekeeper non-compliant cluster has been found. Here are the finding details.",
          "skip_duplicates": false
        },
        "run_when_result_is": true
      }
    ],
    "groups": [
      "divvyorganizationservice:123456"
    ],
    "badges": [],
    "exclusion_badges": null,
    "hookpoints": [],
    "schedule": "{\"_type\": \"Daily\", \"time_of_day\": {\"_type\": \"TimeOfDay\", \"second\": 0, \"minute\": 0, \"hour\": 12}, \"exclude_days\": []}",
    "schedule_description": "{\"_type\": \"Daily\", \"time_of_day\": {\"_type\": \"TimeOfDay\", \"second\": 0, \"minute\": 0, \"hour\": 12}, \"exclude_days\": []}"
  },
  "valid": true,
  "errors": [],
  "severity": "low",
  "detailed_logging": false,
  "scope": [
    "divvyorganizationservice:123456"
  ]
}
```
Creating an OPA Gatekeeper Bot From a Template
To use the template example above:
- From your InsightCloudSec platform installation, navigate to Automation > BotFactory.
- On the BotFactory landing page, navigate to Templates.
- From the Templates tab under BotFactory select the Import Template option and paste the example featured above into the JSON window.
- Click Submit to verify and store the template for future use. Review Creating Bots for more information on next steps.