Author: Aurora Li


Do you remember spending tens of hours to prove that your environment is in compliance? Are you in endless meetings with teams on what they should not do in the environment you manage? Now we will introduce you the tool that automates the processes of security and compliance on your Anthos clusters – Policy Controller.

Policy Controller

Anthos Policy Controller is a dynamic controller that checks, audits, and enforces your clusters’ compliance with policies. It is built from the Open Policy Agent (OPA) Gatekeeper project. Currently Policy Controller is integrated into Anthos Config Management (ACM) and can be enabled through ACM.

In short, Policy Controller acts as an extra gate in front of Anthos API server. To perform any actions to your Anthos resources, API requests are sent to Anthos API server. With Policy Controller in place, the API requests are examined by Policy Controller before hitting API server. If a request violates any policies defined in the cluster, Policy Controller will reject the request, thus Anthos cluster takes no action. At the same time, Policy Controller also watches existing resources in the Anthos cluster and performs audits on those.

To define a policy, you need two components:

  • A constraint template provides the schema of a constraint and describes how the constraint should be enforced. Anthos provided a collection of constraint templates for common use cases.
  • A constraint is used to inform the Policy Controller the parameters the constraint template should be used. Here you can customize based on your organization’s security and compliance requirements.

Enabling Policy Controller

Policy Controller can be enabled through the ACM configuration:

# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: <Cluster Name>
  git:
    syncRepo: <ACM Repo>
    syncBranch: <ACM Branch>
    secretType: ssh
    policyDir: <ACM Directory>
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    # Uncomment to prevent the template library from being installed
    # templateLibraryInstalled: false
    # Uncomment to disable audit, adjust value to set audit interval
    # auditIntervalSeconds: 0

With spec.policyController.enabled set to true, ACM will schedule deployment of Policy Controller with the constraint template library. Once deployment has succeeded, the following changes can be seen:

  • The namespace gatekeeper-system and gatekeeper-controller-manager pod will be deployed (this will take a few minutes to finish):
    $ kubectl get pods -n gatekeeper-system
    NAME                                             READY   STATUS    RESTARTS   AGE
    gatekeeper-controller-manager-7b8f7ccf54-dcczj   1/1     Running   0          3m39s
    
  • The template library will be installed. This library covers most common use cases to protect your cluster.
    $ kubectl get constrainttemplate
    NAME                                      AGE
    allowedserviceportname                    5m5s
    destinationruletlsenabled                 5m5s
    disallowedauthzprefix                     5m5s
    k8sallowedrepos                           5m5s
    # Truncated output
    

:information_source: Note that you can also create and install your own template if your use case is not covered in the template library.

Creating Constraints

Here is where we translate companies’ security & compliance requirements into a format that Anthos Policy Controller can consume.

Below is an example constraint built using the template K8sPSPPrivilegedContainer from the library. This will deny any creations or updates of pods in default namespace to have privileges (root access) to the cluster nodes. This constraint can protect your Anthos cluster nodes/host from being affected by compromised workloads on the cluster.

# cluster/no-privileged.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"

If you try to create a pod requesting previliged mode after this constraint applies, you will receive a denial error spontaneously.

cat <<EOF > pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: gcr.io/google-containers/nginx
    ports:
    - containerPort: 80
    securityContext:
      privileged: true
EOF

kubectl apply -f pod.yaml
Error from server ([denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}): error when creating "pod.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}

On the other hand, you can also audit your Anthos cluster using Policy Controller. For instance, if a disallowed deployment is already running before the constraint gets applied, you can see the violation from audit report:

$ kubectl describe K8sPSPPrivilegedContainer psp-privileged-container
Name:         psp-privileged-container
Namespace:
Labels:       app.kubernetes.io/managed-by=configmanagement.gke.io
# Truncated output
Status:
  Audit Timestamp:  2020-07-13T18:38:14Z
  By Pod:
    Enforced:             true
    Id:                   gatekeeper-controller-manager-7b8f7ccf54-dcczj
    Observed Generation:  2
  Total Violations:       1
  Violations:
    Enforcement Action:  deny
    Kind:                Pod
    Message:             Privileged container is not allowed: nginx, securityContext: {"privileged": true}
    Name:                nginx
    Namespace:           default
Events:                  <none>

Moreover, a constraint can be switched to dryrun mode for testing purpose. This lets you monitor violations without actively blocking transactions.

Benefits

Anthos Policy Controller is a great tool to secure and comply your Anthos cluster.

  • Fully automated security workflow

    Forget about manual audit! Policy controller automatically checks your deployments’ manifests and prevents any variation from your organizations’ policies. Audit reports for Anthos clusters are available any time directly from the clusters without extra tools.

  • Enforcement at scale

    Policy Controller works perfectly with ACM. ACM ensures that all constraints are deployed and active on all managed clusters. This feature not only automates the preparation and configuration of new Anthos clusters, but also prevents constraints from being accdentally deleted from the clusters.

  • Customization

    Policy controller provides the framework to enforce and audit constraints. Constraint templates and constraints can be fully customized to fit your needs. There are also lots of resources from open source community on constructing your templates and constraints.

In conclusion, equipping your Anthos clusters with Policy Controller is a great way to enforce and audit your security and compliance requirements for Anthos. If you are interested to learn more about Anthos Day 2 operations or Policy Controller, please leave a comment or check out our Anthos Blueprint Solutions for more details.

//take the first step

Tagged:



//comments


//blog search


//other topics