No matter what we own, one thing we always love to do is customize it. We do it either to make things look and feel the way we want or to have a better sense of control over them. That small nudge to tweak things always lingers in our minds when we look at a Kubernetes cluster and feel that we need a finer grip on security.
From a security perspective, Kubernetes has admission controllers that let us control which API requests are allowed through and which are rejected. More than 30 native admission controllers ship with Kubernetes. We’ll be using OPA Gatekeeper as our admission controller. There are a lot of reasons for this, one being that Gatekeeper uses “Rego” as its policy language, which makes policies easier to write. Another is that Gatekeeper lets us reuse the same template with different input parameters instead of maintaining multiple templates for different inputs. More references can be found here.
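To make the “same template, different parameters” point concrete, here is an added example (not from the original post or from the Gatekeeper project) on this blog’s own NetworkPolicy theme: one ConstraintTemplate whose Rego reads an allowed-port list from `input.parameters`, plus two Constraints that reuse it with different parameters per namespace. The template name, Constraint kind, namespace names and port values are all constructed for illustration.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedingressports
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedIngressPorts   # the Constraint kind instantiated below
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedingressports
        # Deny any numeric ingress port absent from this Constraint's parameters.
        # Named (string) ports never equal an integer parameter, so they are denied too.
        violation[{"msg": msg}] {
          port := input.review.object.spec.ingress[_].ports[_].port
          count({p | p := input.parameters.allowedPorts[_]; p == port}) == 0
          msg := sprintf("ingress port %v not in allowedPorts %v", [port, input.parameters.allowedPorts])
        }
        # An ingress rule with a missing or empty ports list allows every port, so deny it as well.
        violation[{"msg": msg}] {
          rule := input.review.object.spec.ingress[i]
          count(object.get(rule, "ports", [])) == 0
          msg := sprintf("ingress rule %v sets no ports, which allows all ports", [i])
        }
---
# Strict parameters for the (constructed) prod namespace
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedIngressPorts
metadata: {name: prod-ingress-ports}
spec:
  match:
    kinds:
      - {apiGroups: ["networking.k8s.io"], kinds: ["NetworkPolicy"]}
    namespaces: ["prod"]
  parameters:
    allowedPorts: [443]
---
# Same template, looser parameters for the (constructed) dev namespace
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedIngressPorts
metadata: {name: dev-ingress-ports}
spec:
  match:
    kinds:
      - {apiGroups: ["networking.k8s.io"], kinds: ["NetworkPolicy"]}
    namespaces: ["dev"]
  parameters:
    allowedPorts: [80, 443, 8080]
```

Apply the template first, then the Constraints; a NetworkPolicy in `prod` opening port 8080 is rejected at admission, while the same object in `dev` is admitted.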
This blog is a collection of different OPA use case scenarios where using policies proves to be quite useful.
Each category will have a series of blog posts. Each post is based on a specific use case scenario, explains the policy being implemented, and talks about why it is required in an organization. Going through all these posts will help you get a better understanding of how the policies are written and why they are needed.
If you want to learn how to send the Gatekeeper logs to EFK, you can read the following article.
Categories of OPA use case scenarios:
- NetworkPolicy Guardrail
- Restrict NetworkPolicy Management to Specific Users
- Enforce Namespace Restrictions for Robust NetworkPolicy Enforcement
- Restrict Namespace and Pod Selectors in NetworkPolicies
- Restrict Ingress Traffic Label Selectors in NetworkPolicies
- Restrict Ingress Ports in NetworkPolicies
- RBAC Guardrail
- Storage Classes Guardrail
- CI/CD Guardrail
- Pod Security Guardrail
Thank you for reading! – Setu Parimi