Executable Tutorial Proposal

[Trighap52]

Assignment Proposal

Title

Setting Up OPA for Kubernetes Policy Enforcement

Names and KTH ID

• David Streuli (streuli@kth.se)
• Zyad Haddad (zyad@kth.se)

Deadline

• Task 3

Category

• Executable tutorial

Description

This tutorial walks you through setting up OPA Gatekeeper to enforce Kubernetes policies, focusing on the creation of custom rules to govern cluster resources. You will learn to install Gatekeeper, define policies, and test them in a Kubernetes environment using tools like Constraint Templates and Constraints.

Relevance OPA Gatekeeper is essential in modern DevOps for automating security and compliance across Kubernetes clusters. It enables teams to enforce consistent policies at scale, ensuring resources meet security standards, improving governance, and integrating seamlessly into CI/CD pipelines. This reduces manual intervention and risk, aligning with DevOps principles of automation and continuous security.

Killercoda: https://killercoda.com/trighap52/course/scenarios/opa-tutorial Github: https://github.com/Trighap52/killercoda-tutorials

[algomaster99]

Thanks a lot! I will merge.

[dvavd]

@algomaster99 Should we make another PR to complete the task? We already included the repo and link to the tutorial in this PR.

[algomaster99]

Hi @dvavd ! Yes, the other PR would edit the proposal here. In the edit you could include the link to the executable tutorial.

[dvavd]

@algomaster99 I understand, but I meant that we already have included the link in the original PR.

PS: I think you linked the wrong person :)

[algomaster99]

Sorry was on phone then. Missed a lot of context.

we already have included the link in the original PR.

Yes, that is sufficient.

PS: I think you linked the wrong person :)

Oops. Fixed it now :sweat_smile:

We are yet to look at the deliverable you have. Once we look at it, we will put your grade.

[chrissap543]

Feedback

We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

High Level Strengths

First, this tutorial is highly relevant. It combines aspects of DevSecOps and infrastructure as code. The introduction and motivation was quite clear and underlines the necessity of the tutorial. We also really liked the learning outcomes; it outlines what we will be doing in the tutorial and what we should know by the end of it. In executing the tutorial, we found the commands easy to follow. They are readily available to copy and following the tutorial is as simple as reading the commands/configs and pasting them in. Each command is explained when we run it. Killercoda was also a great choice for this tutorial because if we do something wrong, the platform will notify us.

High Level Weaknesses

However, we would’ve liked to see more than just copy pasting, but actually presenting a problem with which we solve using information given to us. It’s a lot harder to learn when we’re just copying. We understand that this could be difficult if people get stuck, but you could provide hints/solutions in case they cannot figure it out. Furthermore, attacking a problem would allow you to explain each component in more detail. Each component is explained right after the config we’re copying, but the understanding isn’t necessarily there. Writing code or configuration files for yourself is the best way of getting that understanding. The tutorial only describes one use case, allowing only one registry to pull images from. The introduction mentions other use cases, but it would’ve been better to see them in the tutorial proper.

Details

Intro

• The introduction explains OPA Gatekeeper and its relevance, but it does not explain what Kubernetes is and why it is important. Specifically, the word ‘pods’ is used a lot in the tutorial and it could be difficult for someone to understand if they do not know what pods are. Before doing this tutorial, it seems like the reader should first understand https://kubernetes.io/docs/concepts/overview/.
• The motivation and learning outcomes were good and enticed us to continue with the tutorial.

  Install OPA Gatekeeper

• We install Gatekeeper by following a command, but there’s no documentation or a link to documentation about how the command works. There’s also some prerequisites which we feel are worth mentioning.
• Verifying that the instance is working is nice, because we wouldn't have Killercoda doing it for us if we were doing it natively.

Create a Policy Template

• The template that we copy has a space at the beginning of every line and it doesn’t work without that space. We originally did not copy the template with that space at the beginning of the first line. I understand that we failed at simply pressing Ctrl-C and Ctrl-V but some troubleshooting help would’ve been appreciated. The next section has another file which does not have those leading spaces. So were they required?
• The template has a lot of different parameters that are set to specific values. We get a brief explanation on those configs but we would like to see what happens with different values. If we want to set up something different, how do we do that? What’s available? A link to documentation of the possibilities would’ve been helpful. There is an OPA Gatekeeper library for instance that has some options.

Create a Policy Constraint

• We like that there’s a comment in the yaml file that calls back the template and explains the link between the template and the constraint.

Test the Policy

• Showing the failure of creating a pod with an unauthorized image juxtaposed with it working with an authorized image is a nice touch.
• Gollum thinks your tutorial is precious.

  Conclusion

• The benefits are well stated and highly relevant, but are there any drawbacks to using OPA Gatekeeper? We only get the pros and not the cons.

Summary

This tutorial was highly relevant and easy to follow. We wish there was more detailed information given, or at the very least, linked in the tutorial. The scope is clearly defined from the beginning and we walk away from the tutorial feeling like the learning objectives were accomplished.

[laicwew]

Feedback

Given by Laicaiwei Wang (lawang@kth.se) and Florian Jerome Immig (immig@kth.se).

We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

High Level Strengths

• Clear introduction: To begin with, this tutorial gives a generally clear and brief introduction of OPA Gatekeeper. It offers enough knowledge before we get into the execution steps.
• Sense of Humor: The tutorial shows a sense of humor by comparing the role Gatekeeper plays to Gandalf when it blocks the pod from being created with an unauthorized image.
• Easy to follow: The offered code example is easy to read, understand and run as expected. All steps could be executed by use without any major problems.

High Level Weaknesses

• Inconvenience of executing commands: All commands need to be copy and paste manually when trying to run them in the terminal.

Suggested improvements: The tutorial would have been much easier to follow if one could simply click on the commands to execute them automatically. Alternatively, it is also easy to make code snippets copyable on Killercoda. Not using one of these options made it kind of cumbersome to follow because one has to mark the commands and copy and insert them into the command line manually.

• Limited use cases: only a single example of image registry rule is provided.

Suggested improvements: More context on Cubernetes such as its use cases and common lingo could have been presented in order to introduce the context. At times it might be hard for people not familiar with Cubernetes to follow what is actually happening. Additionally, we would have liked to see more examples on how OCA could potentially be used to illustrate the usefulness and extreme relevance of the tutorial.

• Lack of originality: Similar tutorial materials can be found on https://medium.com/@onixoni72/securing-kubernetes-with-open-policy-agent-opa-67167157d477 .

Suggested improvements: Some well-designed and more original use cases may show a more thorough understanding of the tool from the developers of the tutorial, meanwhile providing the testers a more unique and engaging learning experience.

Details

Intro

The intro nicely motivates why the tutorial is useful and provides an overview over OPA Gatekeeper. It clearly specifies what the tutorial is about and how the goal is achieved. All the learning outcomes are neatly listed and addressed in the tutorial.

Install OPA Gatekeeper

It was a bit confusing when we ran the command kubectl get pods -n gatekeeper-system in the terminal. Instead of showing that all gatekeeper controller managers are up and running, there was still one of them not ready, in the status of PENDING long after the command ran. However we still passed the validation when we clicked CHECK. The differences between multiple gatekeeper controller managers remains unexplained, leaving the role of the not-ready gatekeeper controller manager as a mystery.

Create a Policy Template

The steps for creating the policy are straightforward, however it is somewhat cumbersome to have to copy the configuration manually. Instead being able to automatically copy it when clicking the textbox would be a huge help. Furthermore, the sometimes inconsistent naming of the different parts for the explanation was confusing: e.g. targets.target and rego (even though rego is also under the targets block). A consistent naming would improve clarity here.

Create a Policy Constraint

This step is clearly presented and no confusions are happening. However, like for creating the policy template it would have been nice to be able to automatically execute/copy the code/configuration.

Test the Policy

Testing the policy is a good way to illustrate that the previous steps actually worked, it nicely illustrates why the tutorial is useful and therefore an essential step in the tutorial.

Conclusion

The conclusion nicely summarizes the utility and looks back at the steps of the tutorial. Additionally, I like that the key benefits of using OPA Gatekeeper and Constraints are listed concisely. This reminds the reader of the importance of the tutorial.