Configuring Kubernetes Open Policy Agent (OPA) on Amazon EKS

Jul 14, 2024

Configuring Kubernetes Open Policy Agent (OPA) on Amazon EKS

Overview

In this video, we learn how to configure and use Open Policy Agent (OPA), also known as the Gatekeeper, on an Amazon EKS (Elastic Kubernetes Service) cluster. The demo is divided into two parts:

  1. Architectural diagram and explanation of OPA's functionality with Amazon EKS.
  2. Steps to enable and use OPA on an EKS cluster for governance and policy management.

Part 1: Architectural Overview

Amazon EKS Cluster

  • An AWS-managed Kubernetes cluster.
  • EKS cluster must be up and running before deploying OPA.

Open Policy Agent (OPA)

  • Developed by Gatekeeper, OPA regulates tasks on the Kubernetes cluster.
  • Tasks include creating, deleting, and updating pods and configurations.

Governance and Compliance

  • OPA provides governance and policy management solutions at the Kubernetes and EKS hosting levels.
  • Can integrate with CI/CD pipelines for policy management.

How OPA Works

  • Each request to the Kubernetes services is evaluated by OPA.
  • OPA compares the request against policies configured in it (Rego policies) and application data.
  • Decisions based on this evaluation are returned, which could be deny, allow, or warning.
  • Works by comparing three elements:
    • Query or request data.
    • Configured policies.
    • Application data.

Part 2: Enabling and Using OPA on EKS

Setting up the EKS Cluster

  • Use AWS CLI and other command-line utilities to create and manage the cluster.
  • Example command: eksctl create cluster --name myeks --region eu-west-1
  • Ensure the cluster is up and running: kubectl get nodes

Configuring Gatekeeper

  • Deploy Gatekeeper using either YAML files or Helm charts.
  • Example failed attempt with YAML: kubectl apply -f gatekeeper.yaml
    • Switch to Helm for successful installation.

Helm Installation of Gatekeeper

  1. Add Gatekeeper Helm chart repository: helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
  2. Install Gatekeeper: helm install gatekeeper/gatekeeper --namespace gatekeeper-system --create-namespace
  3. Verify namespace and pods: kubectl get ns gatekeeper-system and kubectl get pods -n gatekeeper-system

Checking Logs

  • Check logs to ensure the Gatekeeper pods are functioning properly.
  • Use kubectl logs commands for the audit and control manager pods.

Creating Constraints and Constraint Templates

  • Define constraint templates for policy enforcement.
  • Example template: constraint-template.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spsprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sPSPrivileged
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spsprivileged
        deny[msg] {
          # logic here
        }
  • Deploy constraint templates and constraints.

Testing Constraints

  • Example test to deny privileged containers.
  • YAML file: test-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true
  • Expected denial message upon deployment: kubectl apply -f test-pod.yaml

Conclusion

  • Summarized the steps to enable governance and compliance using OPA on an EKS cluster.
  • Encouraged viewers to subscribe for more content.

End of notes.