Open Source Summit + Embedded Linux Conference + OSPOCon 2021

When you adopt Kubernetes for production, how do you, a cluster administrator, enforce requirements from security and compliance teams? Like most systems, you put guardrails on the cluster to limit how teams (ab)use the cluster, but with Kubernetes those guardrails look quite different because Kubernetes differentiates runtime-state (what is actually happening) and desired-state (what is supposed to happen). Treating desired-state as separate from runtime enables you to put guardrails on the instructions developers give to Kubernetes and in so doing avoid runtime problems even before they happen. Kubernetes is simply too flexible to hand over to even relatively small teams without basic guardrails like ensuring images are pulled from trusted repositories. We discuss the mechanism the Kubernetes team developed to make it feasible to add desired-state security policies: Admission Control and we will also show how the Open Policy Agent(OPA) provides a declarative approach to Admission Control to enforce custom policies on Kubernetes objects without modifying any Kubernetes components. Finally, we will end with a list of architectural best practices and we hope that our audience will be able to leverage OPA for implementing desired-state security policies for the Kubernetes API.