OPA Gatekeeper Support

Capability Summary

InsightCloudSec has implemented Open Policy Agent (OPA) Gatekeeper support so that you can take advantage of Gatekeeper and verify that your clusters meet the policies required for the security and compliance of your Kubernetes infrastructure.

Per the Kubernetes Blog: "Kubernetes allows decoupling policy decisions from the API server by means of admission controller webhooks to intercept admission requests before they are persisted as objects in Kubernetes. Gatekeeper was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA), a policy engine for Cloud Native environments hosted by CNCF."

External References

Terms

  • Constraint - a declaration created by an author (you) for the system around a set of defined requirements. Constraints are written in Rego, the language OPA uses to enumerate instances of data that violate the expected state of the system.

    For example, in a system with objects that can be labeled, you can create a Constraint that requires a specific label on each object (billable, point of contact, etc.).
  • Constraint Template - the format used by OPA to declare new Constraints. A template declares the parameters a Constraint accepts and carries the underlying Rego that enforces its intent.

Use Cases

Example 1
Is a cluster compliant with the Gatekeeper enforcement policy? Different sets of Constraints may be enforced on specific environments, and as a user I'd like to easily understand which clusters do (or do not) comply with a specific set of Constraints.

Result: Implement a Constraint check that shows you coverage by non-compliant clusters.

Example 2
Show me a specific Constraint configuration. As a security admin I would like to evaluate the configuration to better understand a Constraint adjustment, as a follow-up to a high failure rate or an unexpectedly high pass rate, or to validate that the right namespaces are inspected.

Result: InsightCloudSec harvests the individual Constraints (and their templates) for easy visibility.

Getting Started with Gatekeeper

Prerequisites

  • InsightCloudSec version 23.3.28 or later
  • Kubernetes Local Scanner v. 4.0.1

What is Supported?

Assuming that you have both the latest version of InsightCloudSec and the Kubernetes Local Scanner, InsightCloudSec can harvest two new resources.

  • Gatekeeper Constraint template: a ConstraintTemplate describes both the Rego that enforces the constraint and the schema of the constraint's parameters.

  • Gatekeeper Constraint: a Constraint tells Gatekeeper that the admin wants a ConstraintTemplate to be enforced, on which resources, and how to enforce it.

The combination of the Constraint template and Constraints creates enforcement policies on each k8s cluster. Check out the following article for additional details.

  • A policy (constraint + template) is specific to the cluster on which it is configured
  • InsightCloudSec will harvest and show inventory across all monitored clusters for the two new resource types

Using InsightCloudSec to Assess Gatekeeper

Gatekeeper Assessment Support

InsightCloudSec offers one Insight and two Query Filters to assist in assessing Gatekeeper status and OPA Constraints:

  • Query Filters
    • Kubernetes Security: Gatekeeper -- Identifies various Kubernetes resources that fail one or more Kubernetes Security checks for Gatekeeper.
    • Clusters Missing OPA Constraints -- Enables InsightCloudSec to check for compliance against any Constraints for resources within a Data Collection. If a cluster does not fully match the Constraints associated with it (all specified constraints must be deployed on the cluster), the cluster is marked as non-compliant. This Query Filter is currently keyed on the Cloud Accounts resource type.

      Data Collection Tips

      The data collection should be set up with your list of required Gatekeeper constraints. The filter validates against the same list and will show all clusters that are not compliant, i.e., missing one or more of the constraints specified in the data collection.

  • Insight
    • Validating Gatekeeper Status -- The number of active Gatekeeper deployments does not equal the configured number. Uses the Kubernetes Security: Gatekeeper Query Filter.

Using Automation for Gatekeeper

Once InsightCloudSec has collected details and provided findings, you have the ability to build automation around notifications through our Bot (Automation) capability.

In the example below we've created a template for a Bot that detects new non-compliant clusters. When configuring this Bot, ensure you are scoping it based on the Cloud Account resource type and the Clusters Missing OPA Constraints Query Filter (and requisite associated Data Collection). The following actions are relevant to assessing OPA Gatekeeper compliance:

  • Email
  • Slack

Integrations

For any of the items above that require third-party integrations refer to our Integrations Overview documentation (which includes links to individual pages for each Integration offered). For the example below, you must have a configured Slack Integration.

```json
{
  "resource_id": "divvybot:1:2921",
  "name": "OPA Gatekeeper Non-Compliant Cluster",
  "description": "",
  "notes": null,
  "insight_id": null,
  "source": null,
  "insight_name": null,
  "insight_severity": null,
  "owner": "divvyuser:1234:",
  "owner_name": "John Smith",
  "state": "RUNNING",
  "date_created": "2023-03-30 17:40:32",
  "date_modified": "2023-03-30 17:40:32",
  "category": "Security",
  "badge_scope_operator": null,
  "instructions": {
    "resource_types": [
      "divvyorganizationservice"
    ],
    "filters": [
      {
        "name": "divvy.query.k8s_cluster_missing_required_opa_constrains",
        "config": {
          "constraints": []
        },
        "collections": {
          "constraints": 1
        }
      }
    ],
    "actions": [
      {
        "name": "slack.action.send_slack_message",
        "config": {
          "webhook": "...",
          "channel": "my-channel",
          "username": "InsightCloudSec",
          "recipient_tag_keys": [],
          "recipient_badge_keys": [],
          "message": "A new OPA Gatekeeper non-compliant cluster has been found. Here are the finding details.",
          "skip_duplicates": false
        },
        "run_when_result_is": true
      }
    ],
    "groups": [
      "divvyorganizationservice:123456"
    ],
    "badges": [],
    "exclusion_badges": null,
    "hookpoints": [],
    "schedule": "{\"_type\": \"Daily\", \"time_of_day\": {\"_type\": \"TimeOfDay\", \"second\": 0, \"minute\": 0, \"hour\": 12}, \"exclude_days\": []}",
    "schedule_description": "{\"_type\": \"Daily\", \"time_of_day\": {\"_type\": \"TimeOfDay\", \"second\": 0, \"minute\": 0, \"hour\": 12}, \"exclude_days\": []}"
  },
  "valid": true,
  "errors": [],
  "severity": "low",
  "detailed_logging": false,
  "scope": [
    "divvyorganizationservice:123456"
  ]
}
```

Creating an OPA Gatekeeper Bot From a Template

To use the template example above:

  1. From your InsightCloudSec platform installation, navigate to Automation>BotFactory.
  2. On the BotFactory landing page, navigate to Templates.
  3. From the Templates tab under BotFactory, select the Import Template option and paste the example featured above into the JSON window.
  4. Click Submit to verify and store the template for future use. Review Creating Bots for more information on next steps.