- What is Keycloak?
- Single sign-on (SSO) solution
- Open source
- Compliant with standard protocols like OIDC and SAML, so it can integrate with many identity providers
- P1's implementation allows SSO with CAC cards (a plugin is baked in that can federate against the X.509 certificates associated with CAC cards)
AuthService (Authentication Proxy)
Envoy, Istio's proxy engine, has a feature to protect workloads with an authentication proxy: users are forced to authenticate with an SSO provider before they can reach the service behind the proxy.
AuthService is a Big Bang-supported add-on.
AuthService, Keycloak, and Big Bang
When the AuthService Big Bang add-on is enabled, its default configuration points to Keycloak, P1's SSO solution, at https://login.dso.mil. However, Keycloak is not required, and Big Bang's authentication proxy can be configured to interface with any OIDC/SAML identity provider. This includes your own deployed instance of Keycloak if you choose to use it instead of P1's hosted Keycloak.
Please note that if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster.
Anchore Engine is a service that analyzes Docker images and scans them for vulnerabilities. It is an optional add-on to Big Bang. Its features include:
- Container Image analysis
- Policy Management
- Continuous monitoring
- CI/CD Integration
- Integration with Kubernetes
- During image analysis, software libraries and files are inspected and stored in the Anchore DB
- Anchore will also monitor the image repository for updates to a given container tag
Policy management adds another level to container scanning, including:
- Package allow/block lists
- Configuration file contents
- Image manifest changes
- Presence of credentials in images
Each policy can be set to Stop or Warn. When scanning, any Stop action will fail a pipeline.
Open Policy Agent
Policy: "Rules that tell us whether we can create a resource or make changes to an existing resource"
Policy Management: “The practice of developing, deploying and using policy objects”
Open Policy Agent: Open Policy Agent (OPA) is a general-purpose policy engine with uses ranging from authorization and admission control to data filtering.
Goals: “Stop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.”
Config vs Policy Management
Config management:
- Lets you define/store/control configuration for a resource
- Config mgmt is the process itself, and solutions include GitOps
- Config management only enforces the end cluster resource state
- Helps with defining and implementing configuration as code (CaC)
Policy management:
- Lets you govern the resource changes
- Allows enforcement over the process - whether a change can be applied or denied
- Policies can admit/deny/audit new or existing cluster resources
- Helps with governance, compliance, and auditing of the policies
Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster. It provides:
- Validation of Policy Controls
- Policies / Constraints
- Audit Functionality
- Data replication
Gatekeeper is a core package in Big Bang.
Prisma can be used in two primary ways:
- As a build-time image scan/analysis/reporting tool
- As a runtime monitoring tool
Prisma is a Big Bang package, but licenses are not provided. Prisma for Kubernetes is deployed as a DaemonSet in the cluster. It monitors node settings such as iptables, firewalld, open ports, and container syscalls on the host.
What is Keycloak?
Keycloak is a single sign-on (SSO) solution that is open source and compliant with the OIDC and SAML standard protocols.
Should your own instance of Keycloak be deployed on its own dedicated cluster?
Yes, if you choose to deploy your own instance of Keycloak, P1 recommends that it be deployed in its own dedicated cluster.
What is the package from Big Bang that functions as a validating admission controller webhook inside a k8s cluster?
Gatekeeper is a wrapper on an OPA implementation that functions as a validating admission controller webhook inside a k8s cluster.