Integrating Kubernetes with Styra DAS – Preventing users from creating pods in the default namespace.

In this article, you will learn how to use OPA and Styra DAS to stop users from creating pods in the default Kubernetes namespace, so that every pod has to be placed in an explicitly chosen namespace.

Pre-requisites:

  1. Styra DAS account (you can sign up for a free Styra DAS account here)
  2. Kubernetes cluster (you can create one locally with k3d)

Steps for creating the cluster:

  1. A k3d cluster needs at least 2 CPUs and 4 GiB of memory on the host.
  2. Docker must be installed on the system, because k3d runs the cluster nodes as Docker containers.
  3. Install the latest release of k3d and kubectl. These are two separate commands; the first one pipes a remotely fetched install script straight into bash, so download and read the script first if that does not meet your supply-chain requirements.

wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bash
snap install kubectl --classic

  4. Finally, create the Kubernetes cluster:

k3d cluster create <cluster-name>

Adding a Kubernetes System to Styra DAS:

To achieve this, go through the following process.

  1. In Styra DAS, create a new system of type Kubernetes. The Styra CLI and the OPA configuration file for that system are then installed on the cluster.
  2. The installation steps are shown in the DAS itself.
  3. Click on the Kubernetes system >> Settings >> Install.
  4. Run the commands shown there to install the Styra agent into the cluster. This deploys OPA as an admission webhook, which is the component that later denies non-compliant requests.

[Screenshot: Installation commands for the Kubernetes system]

Define a policy:

For Kubernetes systems, you can start defining policies by selecting from built-in rules that you can configure and deploy.

The built-in rules enable you to implement common security recommendations with little or no configuration. If any configuration is required, the built-in rules provide simple parameters that you can customize to suit your organization and operational goals.

Configure the built-in rule:

  1. Under Systems in the left navigation panel, expand the system you added in Add a System.
  2. Expand Validating or Mutating, then select Rules.
  3. Click Add rule in the top section of the right pane.
  4. Select the Containers: Require Non-default Namespace rule.

[Screenshot: Policy for Validating]

Policy (the Rego that the built-in rule adds to the Validating policy):

package policy["com.styra.kubernetes.validating"].rules.rules

# Each element of the "enforce" set is a decision that denies the request.
# The library rule deny_default_namespace yields a message for every
# workload resource in the admission request that uses the default namespace.
enforce[decision] {
    data.library.v1.kubernetes.admission.workload.v1.deny_default_namespace[message]
    decision := {
        "allowed": false,
        "message": message
    }
}

Validating the Policy:

Before you enforce the selected built-in rule, make sure to run some validation checks.

  1. Click the Validate button in the top section of the right pane.
  2. Verify that the Tests column displays no tests. This column is empty because you are working with a built-in rule and have not written any custom unit tests for it.
  3. If you write a custom rule, also write unit tests for it and check the results of running those tests before deploying the rule.
  4. Verify the results in the Compliance column to see if any resources in your current cluster violate the policy.
  5. Verify the results in the Decisions column to see a list of previous admission control decisions that may have changed if the current policy were enforced.
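The built-in rule above delegates to Styra's library, and step 3 says custom rules should ship with unit tests. The following is an added, self-contained equivalent written for this article; it is not the Styra library rule and not code from the original page. It assumes the standard AdmissionReview input shape that OPA receives as a webhook (input.request.namespace, input.request.kind and input.request.object), and the sample requests it tests against are constructed, not captured from a cluster. One detail worth noting: it checks input.request.namespace rather than the submitted object's metadata.namespace, because the API server fills request.namespace from the request path even when the manifest omits the namespace field, which is exactly the case where a pod silently lands in default.

```rego
package policy["com.styra.kubernetes.validating"].rules.rules

# Deny any namespaced resource being created or updated in the "default"
# namespace. Cluster-scoped resources have an empty request.namespace and
# therefore pass.
enforce[decision] {
    input.request.namespace == "default"
    kind := input.request.kind.kind
    # generateName pods have no name yet; fall back to a placeholder.
    name := object.get(input.request.object.metadata, "name", "<generated>")
    decision := {
        "allowed": false,
        "message": sprintf("Resource %s/%s/%s uses the default namespace.", [kind, input.request.namespace, name])
    }
}

# Constructed AdmissionReview request (assumption: not a real capture) for a
# Pod named "mypod". ns is what the API server reports as request.namespace;
# meta is the metadata block exactly as the client submitted it.
pod_request(ns, meta) = {"request": {
    "operation": "CREATE",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "namespace": ns,
    "name": "mypod",
    "object": {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": meta,
        "spec": {"containers": [{"name": "mypod", "image": "nginx"}]}
    }
}}

# Mirrors the first namespace.yaml in this article: explicit default namespace.
test_pod_in_default_is_denied {
    decisions := enforce with input as pod_request("default", {"name": "mypod", "namespace": "default"})
    count(decisions) == 1
    decisions[_].allowed == false
    decisions[_].message == "Resource Pod/default/mypod uses the default namespace."
}

# Manifest without metadata.namespace: the client context put it in default,
# so request.namespace is still "default" and the rule must still fire.
test_manifest_without_namespace_is_still_denied {
    decisions := enforce with input as pod_request("default", {"name": "mypod"})
    count(decisions) == 1
}

# Mirrors the second namespace.yaml in this article: the sample namespace.
test_pod_in_sample_is_allowed {
    decisions := enforce with input as pod_request("sample", {"name": "mypod", "namespace": "sample"})
    count(decisions) == 0
}
```

Save this as a single .rego file and run `opa test -v policy.rego` locally, or paste the rule and the tests into the system's Validating policy and its test file in Styra DAS; the Tests column in the Validate view then reports them instead of showing no tests.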

Create a namespace in Kubernetes cluster by running the below command:

kubectl create namespace sample

Create a new file named namespace.yaml in a text editor.

Copy and paste the following configuration settings into the namespace.yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: default
  labels:
    name: mypod
spec:
  containers:
  - name: mypod
    image: nginx

Save the file and close the text editor.

Apply the configuration from the namespace.yaml file by running the following command:

kubectl apply -f namespace.yaml

The request is rejected by the OPA validating admission webhook and the pod is not created; the error message looks like this:

Error from server: error when creating "namespace.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the request: Enforced: Resource Pod/default/mypod uses the default namespace.

You can also see the corresponding "Denied" decision in the Decisions dashboard.

[Screenshot: Decisions dashboard showing the denied request]

Now change namespace.yaml so that the pod is placed in the sample namespace:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: sample
  labels:
    name: mypod
spec:
  containers:
  - name: mypod
    image: nginx

Apply the updated file by running the same command again:

kubectl apply -f namespace.yaml

This time the request is allowed and the pod is created in the sample namespace; the Decisions dashboard shows an "Allowed" decision for it.

[Screenshot: Decisions dashboard showing the allowed request]

Congratulations! You have created the pod in the sample namespace, and the policy prevented it from being created in the default namespace.

Summary:

We added a Kubernetes system in Styra DAS and installed the Styra agent in the cluster, then enabled and published the built-in Require Non-default Namespace rule. We created a namespace in the cluster, wrote a file named namespace.yaml and tried to create a pod in the default namespace. The request was denied, because the Styra DAS agent enforces that pods are not created in the default namespace. We then changed the namespace in namespace.yaml and applied it again; this time the pod was created in the sample namespace. Both outcomes, Denied and Allowed, are visible in the Decisions dashboard.

References:

  1. Styra Docs
  2. K3D
  3. Docker