(conftest) to catch issues at CI-level, keeping a short feedback loop • Leverage admission webhooks (OPA Gatekeeper) to ☐ protect the resources ☐ check what cannot be checked at linter-level (inventory) Please to keep Istio healthy and find mechanisms to handle this automatically • Guardrails such as Gatekeeper OPA are crucial to ensure the long-term stability of Istio ## A ## Adopting Istio ## Adopting Istio

iOiAzfV0=" ## 其他方案 • OPA/Gatekeeper • Kyverno • Kubernetes v1.26 ValidatingAdmissionPolicy 新特性 ## OPA/Gatekeeper ## apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate max_replicas: type: integer - target: admission.k8s.gatekeeper.sh rego: | ## … 2 kind: k8sreplicalimits 3 metadata: apiVersion: constraints.gatekeeper.sh/v1beta1 4 name: replica-limits 5 spec: package validations: - expression: "object.spec.replicas ≤ 2" ## 对比 - 自研：更灵活，与一些内部系统集成。但需要开发和维护成本； • OPA/Gatekeeper：简单，需要学习 Rego； • Kyverno：简单，通过 YAML 即可使用； • Kubernetes v1.26 ValidatingAdmissionPolicy 新特性：

changing policies. PSPs can be created and edited through the UI. SUSE Rancher also ships with OPA Gatekeeper as the industry standard open source solution for policy based management for Kubernetes clusters and deploys any kind of policy at scale including network policies. It offers basic integration with OPA, Kubernetes Vault and Kyverno. ##### 3.2.2.3 Tanzu Tanzu Kubernetes Grid Integrated Edition (TKGI) PSPs and security policies enforced by the Open Policy Agent (OPA) Gatekeeper. Despite being open source, VMware only includes OPA Gatekeeper with the Advanced and higher editions of TMC. ##### 3.2.2.4

applied for Pod security policy management, but OC command lines required for editPSP and OPA GateKeeper supported as the consistent management tools for global security policies on the platform

Policy exceptions  Gatekeeper 3. use k8s network policies to limit traffic bypassing sidecars Service 1 Service 2 1. Ensure f/20df5f26e209d40f1157e74670bf84de/p13_2.jpg) Gatekeeper  Gatekeeper  2. Automatically rejects invalid configurations. Gatekeeper ## 3 ## Lifecycle of service mesh security and demo Secure Enforce Verify Monitor ## Lifecycle

to deploy a cluster with Callico CNI along with OPA or another dynamic admission controller that can show how Istio can integrate with something like OPA. ## Finding Weak Hash Used for Integrity Risk Medium additional secret management controls and a Dynamic Admission Controller-based approaches such as OPA $ ^{19} $ provide a means to help re-enforce this boundary. Istio would be tasked with providing guidance guidance on how best to integrate these hardening measures and ideally provide a reference such as an OPA gateway policy. The following sections describe the risk rating and category assigned to issues NCC

io/istio/mixer/adapter/memquota" noop: "istio.io/istio/mixer/adapter/noop" opa: "istio.io/istio/mixer/adapter/opa" prometheus: "istio.io/istio/mixer/adapter/prometheus" rbac: "istio

nce Operator| |File Integrity Operator|包括|包括|File Integrity Operator| |Gatekeeper Operator|未包括 - 需要单独的订阅|未包括 - 需要单独的订阅|Gatekeeper Operator| |Kubernetes|未包括 - 需要单独的订阅|未包括 - 需要单独的订阅|Kube Descheduler Operator|

aaeea50f41642980a8a6f87b7061e88d90fac23 - name: registry.redhat.io/rhosdt/tempo-gateway-opa-rhel8@sha256:8cd134deca47d6817b26566e272e6c3f75367653d589f5c90855c59b2fab01e9 - name: registry b638f14ca6aaeea50f41642980a8a6f87b7061e88d90fac23 - name: registry.redhat.io/rhosdt/tempo-gateway-opa- rhel8@sha256:8cd134deca47d6817b26566e272e6c3f75367653d589f5c90855c59b2fab01e9 - name: registry 07b638f14ca6aaeea50f41642980a8a6f87b7061e88d90fac23-name: registry.redhat.io/rhosdt/tempo-gateway-opa- rhel8@sha256:8cd134deca47d6817b26566e272e6c3f75367653d589f5c90855c59b2fab01e9 - name: registry

丰富插件 • 70+ 生态丰富 • 开箱即用 google-cloud-logging request-validation skywalking dubbo-proxy jwt-auth opa server-info ext-plugin-golang log-rotate real-ip wolf-rbac clickhouse-logger ext-plugin-java prometheus