Skip to content

Security ToolsπŸ’£

KeycloakπŸ’£

  • What is a keycloak ?
    • single sign-on solution
    • open source
    • Compliant with standard protocols like OIDC and SAML so it can integrate with many
      • Identity providers
  • P1’s implementation allows SSO with CAC cards (a plugin is baked in that can federate against the x509 certs associated with CAC cards)

AuthService (Authentication Proxy)πŸ’£

Envoy, Istio’s Proxy engine, has a feature to protect workloads with an Authentication Proxy, where you can force users to Authenticate with an SSO provider before they see the service behind the authentication proxy.

AuthService is a Big Bang supported Addon

AuthService, KeyCloak, and Big BangπŸ’£

  • AuthService is a Big Bang addon, when enabled it’s default configuration will point to P1’s SSO Solution https://login.dso.mil, which is P1’s hosted Keycloak.
  • Big Bang’s Authentication Proxy can interface with any OIDC/SAML id provider, it doesn’t have to be KeyCloak.
  • AuthService can also point to your own deployed instance of Keycloak instead of P1’s hosted keycloak, along with other OIDC compatible endpoints.

What makes Keycloak a non-standard addon is that usually running all the addons you like in 1 big cluster would be considered supported. In the case of Keycloak it’s recommended to deploy it into its own dedicated cluster.

AnchoreπŸ’£

  • Anchore Engine is an open-sourced container security platform.
  • Anchore is service that analyzes docker images and scans for vulnerabilities
  • It is an optional add-on to Big Bang
  • Features include
    • Container Image analysis
    • Policy Management
    • Continuous monitoring
    • CI/CD Integration
    • Integration with Kubernetes

Image AnalysisπŸ’£

  • During image analysis, software library and files are inspecting and stored in the Anchore DB
  • Anchore will also watch the image repository for updates to a given container tag

Anchore Analysis

Policy ManagementπŸ’£

  • Policy management adds another level to container scanning including
    • Package allow/block lists
    • Configuration file contents
    • Image manifest changes
    • Presence of credentials in images
  • Each policy can be a Stop or Warn
  • When scanning, any stop actions will fail a pipeline

Open Policy AgentπŸ’£

  • Policy
    • β€œRules that tell us whether we can create a resource or make change an existing resource”
  • Policy Management
    • β€œThe practice of developing, deploying and using policy objects”
  • Open Policy Agent
    • Open Policy Agent (OPA) is a general-purpose policy engine with uses ranging from authorization and admission control to data filtering.
  • Goals
    • β€œStop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.”

Config vs Policy ManagementπŸ’£

Config Management * Lets you define/store/control configuration for a resource * Config mgmt is the process itself and solutions include GitOps * Config management only enforces the end cluster resource state * Helps with defining and implementing configuration as code (CaC)

Policy Management * Lets you govern the resource changes * Allows the enforcement over the process - whether a change can be applied or denied * Policies can admit/deny/audit new or existing cluster resources * Helps with governance, compliance, and auditing of the policies

OPA ArchitectureπŸ’£

OPA Architecture

GatekeeperπŸ’£

Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster

  • Validation of Policy Controls
  • Policies / Constraints
  • Audit Functionality
  • Data replication

Gatekeeper is a core package in Big Bang

Gatekeeper Architecture

PrismaπŸ’£

  • Prisma can be used in two primary ways
    • As build time image scan/analysis/reporting tool
    • As a runtime monitoring tool
      • IDS
      • IPS
  • Prisma is a Big Bang package, but licenses are not provided
  • Prisma for Kubernetes
    • Deployed as a Daemonset in the cluster
    • Monitors Node Settings like:
      • IP-tables
      • FirewallD
      • Open Ports
      • Container Syscalls on the host