controlplaneio / kubesec

Security risk analysis for Kubernetes resources
https://kubesec.io
Apache License 2.0
1.21k stars 101 forks

Utilize OPA/rego for rules #82

Open nstogner opened 4 years ago

nstogner commented 4 years ago

Seems like OPA/rego is becoming the de-facto policy language for Kubernetes. Gatekeeper seems to be gaining traction and there is talk of Pod Security Policies being deprecated in favor of something like Gatekeeper.

Redefining the kubesec rules in rego may better position the tool for the future.

sublimino commented 4 years ago

Hi @nstogner! You are correct, and this is the direction of travel for Kubesec. We'll update progress in this ticket.

alexppg commented 4 years ago

If rego is used, in what ways would kubesec be different from OPA?

sublimino commented 4 years ago

@alexppg KubeSec is risk-based, and so opinionated and scored. Rules can fail without denying the request, and many small rules can fail which may tip the risk score below the threshold and fail the request for some configuration. OPA could be used in this way with additional rego but more generally is used in PSP-esque manner.
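To make the distinction above concrete, here is an added rego sketch (not kubesec's own code, nor anything from the OPA or Gatekeeper projects) of the risk-scored model: every rule is a small finding worth some points, the points are summed into one score, and the request is rejected only when the total crosses a threshold, so several minor findings can fail a manifest together while any one of them alone would not. The rule names echo kubesec's checks, but the point values, the `threshold`, the `kubesec.scored` package name and the `rego.v1` syntax are all assumptions made for this illustration.

```rego
package kubesec.scored

import rego.v1

# Constructed illustration of risk scoring in rego.
# Weights below are illustrative, not kubesec's actual scores.

# Minimum acceptable score; a manifest scoring below this is rejected.
threshold := 0

# Risk rules: each subtracts points when its finding matches the input
# pod spec. One alone may not sink the manifest, but several can.
points contains {"id": "privileged", "value": -30} if {
    some i
    input.spec.containers[i].securityContext.privileged == true
}

points contains {"id": "hostNetwork", "value": -9} if {
    input.spec.hostNetwork == true
}

points contains {"id": "hostPID", "value": -9} if {
    input.spec.hostPID == true
}

points contains {"id": "capSysAdmin", "value": -30} if {
    some i, j
    input.spec.containers[i].securityContext.capabilities.add[j] == "SYS_ADMIN"
}

# Credit rules: hardening that adds points back.
points contains {"id": "readOnlyRootFilesystem", "value": 1} if {
    some i
    input.spec.containers[i].securityContext.readOnlyRootFilesystem == true
}

points contains {"id": "runAsNonRoot", "value": 1} if {
    some i
    input.spec.containers[i].securityContext.runAsNonRoot == true
}

# Aggregate: the sum of every matched rule's value (0 when nothing matched).
score := sum([p.value | some p in points])

# Admission-style decision: deny only when total risk crosses the line.
# This is the difference from a PSP-style policy, where any single
# matching rule would deny on its own.
deny contains msg if {
    score < threshold
    msg := sprintf("risk score %d is below threshold %d", [score, threshold])
}

# Report view: which findings contributed and by how much.
findings := {p.id: p.value | some p in points}
```

Evaluated with a pod as input (for example `opa eval -i pod.json -d scored.rego "data.kubesec.scored"`), a pod that only sets `hostNetwork: true` scores -9 and is denied; a pod that also runs as non-root with a read-only root filesystem scores -7 and is still denied, while a pod with no risk findings scores 0 and passes. Raising or lowering `threshold` is the single knob that turns the same rule set into a stricter or more permissive policy, which is the "opinionated and scored" property described in the comment above.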

alexppg commented 4 years ago

I see, thanks. It seems pretty cool, the risk based way is easier to adopt. And if both of them use the same language it would be easier to choose this with the option to migrate to OPA if you want to. Thanks for your answer!

yannh commented 4 years ago

:wave: is there any work going on on this? OPA would be awesome, I was thinking of starting a repo, but wouldn't want to duplicate work :)

sublimino commented 4 years ago

Nothing yet, we'd welcome a PR!

I believe the migration can happen incrementally: a single rule can be migrated to OPA and the test suite used to support a refactor.

The OPA rules should probably be externalised from the source in a dedicated directory for easy reuse.

Any thoughts on this @stefanprodan @06kellyjac @ipedrazas ?

jpreese commented 4 years ago

@sublimino @yannh I saw your conversation, and just wanted to chime in that there has been some effort in this space: https://github.com/instrumenta/policies/blob/master/kubernetes/security.rego

There hasn't been a whole lot of activity on that repository, so I don't think it's firmly decided that's where they should live. Wanted to start the discussion regardless :)

yannh commented 4 years ago

Thanks @jpreese this is exactly what I was looking for :)