Transcript for:
Configuring Kubernetes Open Policy Agent (OPA) on Amazon EKS

Hey, hi. In this video I'm going to show you how to configure and use the Kubernetes Open Policy Agent, generally called OPA Gatekeeper, on an Amazon EKS cluster. As you've seen on this screen, this screen depicts my demo. I'm going to walk you through the complete demo in two parts. In the first part I'm going to give an explanation at the architectural diagram level of how OPA works on an Amazon EKS cluster, which is an AWS-managed Kubernetes cluster. In the second part I'm going to show you the steps you need to perform to enable OPA on your EKS cluster and use the capability of OPA for your governance or policy management on Amazon EKS. Before I start with the first part of the demo, I kindly request you to please subscribe to my channel; that would really encourage me a lot. With that note, let's get started.

So, for example, say you have an Amazon EKS cluster. Once the cluster is up and running, what you do is your admin, that is, a Kubernetes developer, configures or hosts the Open Policy Agent on this EKS cluster. These are the OPA configurations, which Gatekeeper generally maintains. Basically, OPA is a kind of image or application that has been developed by Gatekeeper. As the name says, the responsibility of this agent, the gatekeeper, is to regulate the tasks you can do on the Kubernetes cluster. It could be creating pods, deleting pods, updating the application configuration or updating the pods; all these tasks are regulated by the Open Policy Agent. This agent is a very intelligent way of maintaining the governance of your enterprise, or the policies of your enterprise, at the Amazon EKS hosting level or Kubernetes hosting level. That is the capability given by the Open Policy Agent.

So, as this admin has configured OPA on Amazon EKS, the structure of OPA looks something like this. This is something like a compliance management solution at the Kubernetes level, or a governance management solution at your EKS level, which is very flexible and very easy to use. This is a very flexible, versatile solution for managing the governance on your EKS, and with this approach you can follow policy development; you can even use a CI/CD approach to manage your policies on your Kubernetes cluster. That is the flexibility OPA provides.

The working will be explained just after this one, but at the architecture diagram level: whenever a request or event happens on the services of your Kubernetes, each request or task that gets invoked on Amazon EKS gets evaluated by OPA. What happens is that a computation happens here. OPA gets the input, which is a query, a JSON value; for example, it could be data; a request is data, basically. Using this data, OPA compares that request against the already configured policy, the Rego. There is a configuration or constraint configured on this OPA agent, so the agent compares the request against the policies, and it also checks the data. So it compares three things: one is the query or request; it also checks the policies or constraints of OPA; and it also compares with the data, that is, your application data. Finally, by comparing all three, it comes to a conclusion or decision, and the decision is given back as the response to that request. That is what happens: every request is evaluated through OPA, where OPA consumes the policy and the data, and using these three it gives a decision, which can be any kind of JSON value. The response is given in terms of deny, allow or warning, something like that. All these kinds of responses are given by OPA. So this is basically the architecture of OPA, which is given by Gatekeeper, and this is how the Open Policy Agent works.

Now let me go to real time: how does it actually give the response, or how does the response workflow look on Amazon EKS? For example, say a developer, an EKS application developer, is requesting something on Amazon EKS; say he's trying to deploy a pod on Amazon EKS. That is a request. When he requests, the request goes through the same flow I explained: it first hits the service, which could be anything, and once it hits the service, OPA identifies that there is a request. That request is evaluated against the policy or constraint of OPA, then it also gets compared with the data, and finally it comes to a collective decision, which is generally called the response. The response is sent back to the particular developer saying whether it is allowed or denied, or any kind of warning, or "are you doing something else apart from this one". So this is the flow; this is how OPA sits on your Amazon EKS cluster and gives you a governance capability, a policy management capability, on Amazon EKS. This is how it works.

Now I will take you back to my EKS cluster, which I have just now created. This is the second part that I'm going to show you now. What I'm going to show you is how you can set up this infrastructure on your Amazon EKS cluster and immediately evaluate how OPA works. I have already done that in my PowerShell terminal; I'm going to walk you through those steps, what I did and what the responses were, from scratch. First, I created an EKS cluster with version 1.23; this is my EKS cluster version, 1.23, this is the EKS provider, and this is my cluster, which is up and running. How did I create this EKS cluster? I have already done the required steps in this PowerShell terminal using the AWS CLI, eksctl, and also kubectl and Helm. I used these command-line utilities to reach this scenario. How did I do that? That's what I'm going to walk you through now.

First, I opened PowerShell with administrative privilege, as you see here. Then I set the context of my AWS account using the AWS CLI command, that is, aws configure, where I used the previously given access key and secret, and then I changed my default region to eu-west-1 because my EKS cluster is in eu-west-1. Then I evaluated whether aws sts get-caller-identity is the one we want; this is my user ID. Then I used the eksctl command to create my EKS cluster, that is, eksctl create cluster with --name, my cluster name, my-eks, and the region, eu-west-1. This has taken nearly 15 minutes. If I drag down, it has created me an EKS cluster, and this is the message: once you see that EKS cluster my-eks in the eu-west-1 region is ready, your cluster is up and running and you can start using your Kubernetes API server with kubectl commands, the kubectl utility. That's what I did: I queried the API server to check the status of the nodes of my EKS cluster, and this is the result it showed me. I did run it twice just to confirm, so don't get confused.

Then what I did, I will tell you; here is a very good experience that I got. I was trying to configure the Gatekeeper software on my EKS using the open-source gatekeeper.yaml file, but it was not working. As I explained, you have the EKS cluster; now you want to deploy the Gatekeeper software, or Gatekeeper application, on your Amazon EKS cluster. That's the first step. Once you have the pods of Gatekeeper running, only then can you use it as an Open Policy Agent. So if you see here, we tried to run the command kubectl apply with this path, the Gatekeeper installation path, which actually got denied. Why? Because this is the path AWS gave me, but it is not working for some reason; if I copy this one here, it goes nowhere. That's the reason I tried multiple times, but it was failing. This is a good learning: this path is not working as a YAML, and that's why I'm getting these responses. Then I also got confused whether my kubectl connection got lost, but I ran kubectl get nodes and still got a response from the API server, which means the connection is intact. I did run the same command a couple of times and I did modify some of the files, but I still didn't get any response here. Up to here it's just trial and error; you can ignore it.

Then I'm going to take this down to this level: this is where the actual configuration starts. Till now we have the Kubernetes cluster up and running; now I will get started with the Helm command that I used here. This is what the configuration is: I searched the internet and found that the Gatekeeper software can also be installed using Helm commands on your EKS cluster. That's why I added a Helm chart to my local Helm repository, that is, helm repo add gatekeeper with the https://open-policy-agent.github.io repository. So I have added the Gatekeeper charts to my local repository, and I got a response saying that gatekeeper has been added to your repositories. Then I ran the next command, which actually installed the Gatekeeper pods, or Gatekeeper application, on my EKS cluster, that is, helm install gatekeeper/gatekeeper, with the name template gatekeeper again and the namespace gatekeeper, creating a new namespace; I'm passing a parameter, --create-namespace, to create it if it does not exist. Finally, it has gone through a couple of warnings, but it has successfully installed the Gatekeeper application on my EKS cluster. So this is the story of the first step: how you can get your EKS cluster, or any kind of Kubernetes cluster, installed with the Gatekeeper application.

Then, since it creates a new namespace, I just checked whether you have a namespace with the name gatekeeper-system, that is, kubectl get ns, which lists the namespaces; gatekeeper-system has been retrieved. Since I have the gatekeeper-system namespace created, I went to the next command, kubectl get pods for the namespace gatekeeper-system, and here you go: these are the applications running for Gatekeeper. If you see this one, there should be four pods up and running, that is, gatekeeper-audit and gatekeeper-controller-manager: three controller managers and one audit pod have to be running on your EKS cluster, which confirms that you have successfully set up the Gatekeeper application on your Kubernetes cluster.

Then we go to the next step: we are just checking the logs. Once you configure the Gatekeeper software on your EKS cluster or Kubernetes cluster, you want to check the logs of the namespaces. Here I'm checking the logs of my audit controller: kubectl logs with the label control-plane=audit-controller in the gatekeeper-system namespace, and this is the log I got as a response. Next, similarly, I did it for the controller manager: earlier we did the audit controller, now the controller manager, and I see the logs look fine. The logs give you a message about the status of your application; it was a bit lengthy, even so I'll show it here. This much I retrieved from the controller manager. Let me scroll up; these are the other responses. Basically, if you read this message, it tells you whether your application, your Gatekeeper application, is in good shape or not.

Once you have done that, next comes the actual part. Till now you have set up the EKS cluster and deployed the Gatekeeper agent, which is actually the OPA agent. After that you need to configure that agent. Gatekeeper is like a template where you can insert your constraints one after the other as policies, and that policy will behave as you define the constraint. So there are two things: first you need to define the template, and to that template you insert the constraint. That is how it works. For that, I ran the next command, creating a constrainttemplate.yaml file. I'll show you the response I got after applying it: I have created a constraint template of kind K8sPSPPrivilegedContainer. I'll show you how this constraint template looks.

If I open this one, this is my constraint template. It is just like a Kubernetes specification file, with a .yaml extension. Here we are using the apiVersion templates.gatekeeper.sh/v1beta1, and the kind is ConstraintTemplate. The kind here is a ConstraintTemplate since it is part of the OPA agent; these kinds have also been introduced by Kubernetes to achieve the required enterprise-grade governance and compliance layer at your EKS cluster or Kubernetes cluster. In the metadata we are giving the name, and in the spec, under crd spec names, we are giving the kind name. In targets, the target is admission.k8s.gatekeeper.sh. Then here is the Rego: the package is k8spspprivileged. In this one you are also defining what kind of message has to pop up for this particular constraint template. The constraint template that you are deploying is pointing to privileged containers, in the sense that when you are deploying privileged containers on your EKS cluster it should stop; that is what it means. When such things happen, you are telling OPA to pop up a message saying privileged containers are not allowed because of this one; that is the violation message that will pop up. Then the input containers: the input container mapping is being configured here, like if the container is c, here are the input containers, and then you are checking securityContext.privileged. Basically this is just Rego code. Here you have input.review.object; you are evaluating whether it is meeting the constraint or not, and if it is meeting the constraint you are popping up the violation message. That is what the constraint template does.

So now you have added a constraint template; to that template you need to add a constraint. This is the next template I'm going to walk you through as well. We have a YAML file called constraint.yaml. It contains the apiVersion constraints.gatekeeper.sh/v1beta1, and here the kind is K8sPSPPrivilegedContainer. If I go back to this one, this is the constraint template, and this is the metadata K8sPSPPrivilegedContainer; here the kind is K8sPSPPrivilegedContainer. So there is a difference between the first deployment and the second deployment. Here the name of this K8sPSPPrivilegedContainer is psp-privileged-container, and then in the spec, match kinds: if the apiGroups is equal to all and the kind is equal to Pod, then you should block it. Basically, you have added a constraint saying if somebody is doing a privileged task on a Kubernetes pod, or they are deploying a deployment, if they are deploying a pod with privileged permissions, then you need to stop that kind of deployment. That's what this constraint and template together bring. And then this is just like a test case for us; I'm going to show you this one, but I'll come back to it later.

For now let's go back to the PowerShell terminal. That's what I'm doing here: first we create the constraint template, and this is the constraint template response. Then I am adding the constraint, which has also been added here. Then I'm listing with get constraints, in the sense of what constraints have been added, that is, psp-privileged-container, and the constraint template you are also checking here, that is, K8sPSPPrivilegedContainer; basically you are just checking the name. Finally, you are doing a test. What is the test? I can show you that again. Let's do it again: get constrainttemplate first. If I run this command, I'm getting the constraint template here; this is my constraint template name. And if I get constraints, that is the constraint we have added; it's just printing the name. Then finally it's time to test. Till now you have configured the cluster, you've hosted the Gatekeeper agent, to Gatekeeper you have added the constraint template, and to the constraint template you have added constraint number one, that is, do not deploy a pod with privileged access. Once you are done with that, you have configured what is required; it's just an example of the enterprise-grade governance or policy compliance that is required on your EKS cluster.

Now I'll go back to the example file. This is the test case that I'm doing: I'm trying to create a pod which is privileged, with securityContext privileged. For example, the apiVersion is this one, it's a Pod, and it's a pod named nginx; the name of the image is nginx, and in the securityContext I'm using privileged, in the sense of whether it needs privileged access or not, and here I'm marking it as true. If I run kubectl create, I'm just deploying that file. Let me see what error it is getting. If you see here, there is an error from the server: a Forbidden error when creating this particular pod. It says that the admission webhook validation.gatekeeper.sh denied the request: psp-privileged-container, that is the constraint, saying that the privileged container is not allowed, nginx, securityContext privileged true. So this is the response I got when I did a deployment using the privileged security context.

So this is how I have walked you through the end-to-end steps of this particular demo. To summarize, this is an example of a governance and compliance application that you can configure on your Kubernetes cluster, like, for example, a managed Amazon EKS cluster, where you can take the capability of OPA and achieve the required governance and compliance layer at your EKS hosting. That's all for now. I have successfully shown you the things that needed to be shown in this video. Finally, I kindly request you to please subscribe to my channel; that would really encourage me a lot. With that note, thank you, thanks a lot, and see you in the next video.