Security Toolsπ
Keycloakπ
- What is a keycloak ?
- single sign-on solution
- open source
- Compliant with standard protocols like OIDC and SAML so it can integrate with many
- Identity providers
- P1’s implementation allows SSO with CAC cards (a plugin is baked in that can federate against the x509 certs associated with CAC cards)
AuthService (Authentication Proxy)π
Envoy, Istio’s Proxy engine, has a feature to protect workloads with an Authentication Proxy, where you can force users to Authenticate with an SSO provider before they see the service behind the authentication proxy.
AuthService is a Big Bang supported Addon
AuthService, KeyCloak, and Big Bangπ
When the AuthService Big Bang addon is enabled its default configuration will point to Keycloa, P1βs SSO Solution, at https://login.dso.mil. However, Keycloak is not required and Big Bangβs Authentication Proxy can be configured to interface with any OIDC/SAML id provider. This includes your own deployed instance of Keycloak if you choose to us it instead of P1βs hosted Keycloak.
Warning
Please note that if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster.
Anchoreπ
Anchore Engine is a service that analyzes docker images and scans for vulnerabilities. It is an optional add-on to Big Bang. Its features include * Container Image analysis * Policy Management * Continuous monitoring * CI/CD Integration * Integration with Kubernetes
Image Analysisπ
- During image analysis, software libraries and files are inspected and stored in the Anchore DB
- Anchore will also monitor the image repository for updates to a given container tag
Policy Managementπ
Policy management adds another level to container scanning including: * Package allow/block lists * Configuration file contents * Image manifest changes * Presence of credentials in images Each policy can be set to Stop or Warn. When scanning, any stop actions will fail a pipeline
Open Policy Agentπ
Policy: βRules that tell us whether we can create a resource or make change an existing resourceβ
Policy Management: βThe practice of developing, deploying and using policy objectsβ
Open Policy Agent: Open Policy Agent (OPA) is a general-purpose policy engine with uses ranging from authorization and admission control to data filtering.
Goals: βStop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.β
Config vs Policy Managementπ
Config Management * Lets you define/store/control configuration for a resource * Config mgmt is the process itself and solutions include GitOps * Config management only enforces the end cluster resource state * Helps with defining and implementing configuration as code (CaC)
Policy Management * Lets you govern the resource changes * Allows the enforcement over the process - whether a change can be applied or denied * Policies can admit/deny/audit new or existing cluster resources * Helps with governance, compliance, and auditing of the policies
OPA Architectureπ
Gatekeeperπ
Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster. It provides:
- Validation of Policy Controls
- Policies / Constraints
- Audit Functionality
- Data replication
Gatekeeper is a core package in Big Bang.
Prismaπ
Prisma can be used in two primary ways: * As build time image scan/analysis/reporting tool * As a runtime monitoring tool * IDS * IPS
Prisma is a Big Bang package, but licenses are not provided Prisma for Kubernetes is deployed as a Daemonset in the cluster. It monitors node settings such as IP-tables, FirewallD, open ports, and container syscalls on the host.
Quiz Questionsπ
What is Keycloak?
Keycloak is a single sign-on (SSO) solution that is open source and compliant with OIDC and SAML standard protocols
Should your own instance of Keycloak be deployed on its own dedicated cluster?
Yes, if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster
What is the package from Big Bang that functions as a validating admission controller webhook inside a k8s cluster?
Gatekeeper
is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster