Comments (4)
wavell
commented on July 29, 2024
OPA vs K-rails
OPA is more rigorous and all inclusive than K-Rails. OPA and Gatekeeper seem to be more configurable and should be able to handle more edge cases than K-Rails. OPA seems to be becoming the standard within the K8s community. OPA has more forks/stars/contributes OPA requires more configuration out of the box.
K-rails has a monitor mode that allows default 'violations' to be monitored and reported on. K-rails has default violations/policies that need very little configuration. The violations are stored in a log and can be scraped. This can be useful for testing a cluster for containers that have privileged mode turned on, among other things.
from testsuite.
wavell
commented on July 29, 2024
Open Policy Agent is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA Gatekeeper provides first-class integration between OPA and Kubernetes.
We can use OPA for at least one CNF Conformance test, and possibly more. The steps for using OPA and OPA Gatekeeper would be as follows:
- Deploy Gatekeeper using Helm in the potential CNF's cluster
helm install mesosphere-staging/gatekeeper --name gatekeeper
- Create a privileged pod policy constraint template
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/template.yaml
- Create the privileged pod policy constraint
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/constraint.yaml
- Test that the constraint is enforced
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/example.yaml
- Check the output for errors
Error from server ([denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}): error when creating "https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/library/pod-security-policy/privileged-containers/example.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by psp-privileged-container] Privileged container is not allowed: nginx, securityContext: {"privileged": true}
from testsuite.
taylor
commented on July 29, 2024
@nickolaev peer review?
from testsuite.
wavell
commented on July 29, 2024
https://hackmd.io/SssiDL4kTNiKfWlkhgqaCg
from testsuite.
Related Issues (20)
- [BUG] cni_compatible installs obsolete cluster (v1.21 and no cgroup v2 support). Part of cert ? HOT 4
- [IMPROVEMENT] Health check method that ensures K8s cluster is up and running
- [Platform] SECURITY test: Ensure_Secrets_Encrypted
- [BUG] pod_memory_hog spec test failing in github actions when PR merged to `main` HOT 3
- [BUG] pod_delete test outputs API text during `cert` run HOT 3
- [BUG] cnf_setup passes even when cluster_tools pods are not started successfully HOT 3
- [BUG] pod_dns_error is always SKIPPED when "containerd" runtime is used HOT 2
- [Feature] cluster_api_setup enhancement
- [Feature] clusterapi_enabled enhancement
- [BUG] cluster_api_cleanup leaves some resources hanging
- [Enhancement] Support dynamically setting memory used in the pod_memory_hog test based on the applications pod memory constraints
- Recommendation: Update pod_memory_hog documentation to communicate it is a general kubernetes application best practice (eg. kubenative)
- [BUG] non_root_containers test giving wrong results HOT 1
- [Feature] Check kubescape & kubescape framework version and re-download if version not latest according to constants.cr HOT 1
- [Platform] Check if configmaps are encrypted
- Option to run Cert command for only Essential Tests HOT 5
- [BUG] "resource_policies" (and 4 additional) test crashes HOT 12
- [Feature] Separate console output from logs
- [BUG] Registry spec tests not passing due to insecure registry
- [BUG] `service_account_mapping` test does not fail if the CNF includes an auto-mounted service account. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from testsuite.