Skip to content

Security ToolsπŸ“œ

KeycloakπŸ“œ

  • What is a keycloak ?
    • single sign-on solution
    • open source
    • Compliant with standard protocols like OIDC and SAML so it can integrate with many
      • Identity providers
  • P1’s implementation allows SSO with CAC cards (a plugin is baked in that can federate against the x509 certs associated with CAC cards)

AuthService (Authentication Proxy)πŸ“œ

Envoy, Istio’s Proxy engine, has a feature to protect workloads with an Authentication Proxy, where you can force users to Authenticate with an SSO provider before they see the service behind the authentication proxy.

AuthService is a Big Bang supported Addon

AuthService, KeyCloak, and Big BangπŸ“œ

When the AuthService Big Bang addon is enabled its default configuration will point to Keycloa, P1’s SSO Solution, at https://login.dso.mil. However, Keycloak is not required and Big Bang’s Authentication Proxy can be configured to interface with any OIDC/SAML id provider. This includes your own deployed instance of Keycloak if you choose to us it instead of P1’s hosted Keycloak.

Warning

Please note that if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster.

AnchoreπŸ“œ

Anchore Engine is a service that analyzes docker images and scans for vulnerabilities. It is an optional add-on to Big Bang. Its features include * Container Image analysis * Policy Management * Continuous monitoring * CI/CD Integration * Integration with Kubernetes

Image AnalysisπŸ“œ

  • During image analysis, software libraries and files are inspected and stored in the Anchore DB
  • Anchore will also monitor the image repository for updates to a given container tag

Anchore Analysis

Policy ManagementπŸ“œ

Policy management adds another level to container scanning including: * Package allow/block lists * Configuration file contents * Image manifest changes * Presence of credentials in images Each policy can be set to Stop or Warn. When scanning, any stop actions will fail a pipeline

Open Policy AgentπŸ“œ

Policy: β€œRules that tell us whether we can create a resource or make change an existing resource”

Policy Management: β€œThe practice of developing, deploying and using policy objects”

Open Policy Agent: Open Policy Agent (OPA) is a general-purpose policy engine with uses ranging from authorization and admission control to data filtering.

Goals: β€œStop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.”

Config vs Policy ManagementπŸ“œ

Config Management * Lets you define/store/control configuration for a resource * Config mgmt is the process itself and solutions include GitOps * Config management only enforces the end cluster resource state * Helps with defining and implementing configuration as code (CaC)

Policy Management * Lets you govern the resource changes * Allows the enforcement over the process - whether a change can be applied or denied * Policies can admit/deny/audit new or existing cluster resources * Helps with governance, compliance, and auditing of the policies

OPA ArchitectureπŸ“œ

OPA Architecture

GatekeeperπŸ“œ

Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster. It provides:

  • Validation of Policy Controls
  • Policies / Constraints
  • Audit Functionality
  • Data replication

Gatekeeper is a core package in Big Bang.

Gatekeeper Architecture

PrismaπŸ“œ

Prisma can be used in two primary ways: * As build time image scan/analysis/reporting tool * As a runtime monitoring tool * IDS * IPS

Prisma is a Big Bang package, but licenses are not provided Prisma for Kubernetes is deployed as a Daemonset in the cluster. It monitors node settings such as IP-tables, FirewallD, open ports, and container syscalls on the host.

Quiz QuestionsπŸ“œ

What is Keycloak?

Keycloak is a single sign-on (SSO) solution that is open source and compliant with OIDC and SAML standard protocols

Should your own instance of Keycloak be deployed on its own dedicated cluster?

Yes, if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster

What is the package from Big Bang that functions as a validating admission controller webhook inside a k8s cluster?

Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster