An example secure SLP deployment on Kubernetes
Goals:
- Deploy SLP with a secure configuration as a scalable StatefulSet
- Deploy an App with an OPA sidecar that utilizes the SLP as a scalable Deployment
Environment:
- Minikube
- Styra DAS - Custom System type
Download the opa-conf.yaml from Settings > Install in your DAS system.
Create a Secret from the opa-conf.yaml (`k` is used as an alias for `kubectl` throughout):
```shell
k create secret generic slp-config --from-file=slp.yaml=opa-conf.yaml
```
We rename the file to slp.yaml because it is consumed by the SLP only (not by OPA).
Create CA and Cert with certstrap. Alternatively you could use cert-manager to auto-generate the certs.
```shell
certstrap init --common-name "MyRootCA"
certstrap request-cert --domain "slp"
certstrap sign slp --CA MyRootCA
# Leaf certificate first, then the issuing CA, so clients are served the full chain
cat out/slp.crt out/MyRootCA.crt > out/slp-fullchain.crt
```
The only SAN on this certificate is `slp`, which is what OPA sidecars in the same namespace use to reach the SLP Service. Clients in another namespace would connect as `slp.<namespace>.svc.cluster.local`, and that name would then also have to be passed to `--domain`, or hostname verification fails.
Create the Secret:
```shell
k create secret tls slp-tls --cert=out/slp-fullchain.crt --key=out/slp.key
```
Create a Token as a Secret for use in the SLP Authz policy:
```shell
k create secret generic slp-authz-token --from-literal=token=12345-same-as-my-luggage
```
The value above is a deliberately silly placeholder; for a real deployment generate a random token (for example with `openssl rand -hex 32`) rather than a guessable string.
Deploy the SLP (this `slp.yaml` is the StatefulSet manifest, not the renamed config file stored in the Secret above):
```shell
k apply -f slp.yaml
```
Create a ConfigMap for MyRootCA so the OPA sidecars can verify the SLP's certificate, then deploy the app:
```shell
k create configmap my-root-ca.crt --from-file=ca.crt=out/MyRootCA.crt
# **Replace the system-id value on line 11 of app-with-opa-sidecar.yaml with the id from your DAS system**
k apply -f app-with-opa-sidecar.yaml
```
Add a Policy in DAS for httpapi.authz with the following contents:
```rego
package httpapi.authz

# bob is alice's manager, and betty is charlie's.
subordinates := {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

# Wrap the decision so the result is an object of the form {"allow": true|false}.
main["allow"] := allow

# Deny by default; only the rules below can grant access.
default allow := false

# Allow users to get their own salaries.
allow {
    input.method == "GET"
    input.path == ["finance", "salary", input.user]
}

# Allow managers to get their subordinates' salaries.
# `=` unifies the last path segment into `username`, which must then be one of
# the caller's subordinates.
allow {
    some username
    input.method == "GET"
    input.path = ["finance", "salary", username]
    subordinates[input.user][_] == username
}
```
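Before pushing the policy to DAS it is worth unit testing it locally with `opa test`. The file below is an added example and not part of the original deployment or of Styra's code. It assumes the policy above is saved as `authz.rego` in the same directory and that the input document has the shape the rules already read (`method`, `path` segments, authenticated `user`); the input values are constructed for the test. The first three cases match the curl checks in the Test section; the remaining ones cover denials the curls do not exercise (a write on one's own record, an unknown user, a manager reading someone who is not their subordinate).

```rego
package httpapi.authz_test

import data.httpapi.authz

# Constructed inputs; the shape mirrors what httpapi.authz reads.
alice_self := {"method": "GET", "path": ["finance", "salary", "alice"], "user": "alice"}
bob_reads_alice := {"method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}
bob_reads_charlie := {"method": "GET", "path": ["finance", "salary", "charlie"], "user": "bob"}
alice_writes_self := {"method": "POST", "path": ["finance", "salary", "alice"], "user": "alice"}
mallory_reads_alice := {"method": "GET", "path": ["finance", "salary", "alice"], "user": "mallory"}
betty_reads_alice := {"method": "GET", "path": ["finance", "salary", "alice"], "user": "betty"}

# Same three cases as the curl commands in the Test section.
test_user_reads_own_salary {
    authz.allow with input as alice_self
}

test_manager_reads_subordinate_salary {
    authz.allow with input as bob_reads_alice
}

test_manager_cannot_read_non_subordinate {
    not authz.allow with input as bob_reads_charlie
}

# Negative cases the curls do not cover.
test_write_is_denied_even_on_own_record {
    not authz.allow with input as alice_writes_self
}

# mallory has no entry in `subordinates`, so the manager rule is undefined
# for her and only the default applies.
test_unknown_user_is_denied {
    not authz.allow with input as mallory_reads_alice
}

test_other_manager_cannot_read_alice {
    not authz.allow with input as betty_reads_alice
}

# The `main` wrapper must report the decision as an object in both directions.
test_main_reports_allow_decision {
    authz.main == {"allow": true} with input as alice_self
    authz.main == {"allow": false} with input as bob_reads_charlie
}
```

Run `opa test -v .` in the directory containing both files; every test should pass. Because `allow` has a default, `main` is always defined, which is what lets the last test assert on `{"allow": false}` rather than on an undefined result.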
Test
```shell
# alice is allowed to view alice
curl --user alice:password $(minikube ip):30050/finance/salary/alice
# bob is allowed to view alice
curl --user bob:password $(minikube ip):30050/finance/salary/alice
# bob is NOT allowed to view charlie
curl --user bob:password $(minikube ip):30050/finance/salary/charlie
```