TL;DR: It’s like the man page system for OPA Gatekeeper policies.
This site is a golden find for anyone wanting to get their head around
what it takes to secure a Kubernetes cluster in their environment (CKS).
There are a ton of ready made OPA Gatekeeper policies that can be
dropped into whatever pre-validation you have before putting resources
into your cluster. We have it plugged into our own deploy-chart tool
that overlays Helm allowing us to make out own modifications to standard
Helm chart releases in a way that can be tracked.
Of particular interest is the verbose explanations of each of the policies that are linked from above the Rego code explaining the policy, so, when you go to install a Helm chart and do some pre-validation and notice something isn’t in compliance you can read about it specifically and make the correct adjustments. I really love this because it provides granular, layered learning about something that is otherwise a huge topic to cover. There are hundreds of policies and they are all searchable.
Then again …
If you are a hacker wanting some fresh meat in the cloud, these policies are some of the best explanations of Kubernetes vulnerabilities ever collected.
Just take resource limit DOS attacks, for example. If you want to really
ruin someone with a Kubernetes cluster’s day, target their application
to spawn too many of something with too great a size, chances are they
don’t have the containers[].resources.limits.* policies in place.
Boom.
I’m certainly not advocating destroying enterprise clusters with DOS attacks against dumb-shit CN applications written by inexperienced cloud developers who don’t know about constraints, but knowing how not to be a victim can certainly come in handy.
#k8s #gatekeeper #opa #policies #sites #learning