@poonai
Last active July 11, 2022 06:55

Tutorial

In this tutorial, we'll deploy inspektor and use it to enforce access policies on a postgres database.

Prerequisites

  • docker
  • docker-compose
  • psql
  • a linux machine (the docker commands below use --network=host, which only works with the linux docker engine)

Step 1

Before we deploy inspektor, let's start the postgres instance that we want to enforce access policies on.

Create a docker-compose.yml file with the following content.

version: '3.8'

services:
  postgres:
    container_name: postgres_systest_container
    image: postgres:13.5
    environment:
        POSTGRES_USER: "postgres"
        POSTGRES_PASSWORD: "postgrespass"
    ports:
     # publishes postgres on every interface of the host. Fine for this demo,
     # but in a real deployment only the dataplane should be able to reach this
     # port; a client that can connect here directly skips the proxy and the policy.
     - 5432:5432
    restart: unless-stopped

Run the command below to start the postgres instance (keep it running in this terminal and use a second one for the rest of the tutorial, or add -d to run it in the background).

docker-compose up

Let's load some sample data into the running postgres instance.

First, download the pagila sample database (schema and data).

wget https://raw.githubusercontent.com/devrimgunduz/pagila/master/pagila-schema.sql

wget https://raw.githubusercontent.com/devrimgunduz/pagila/master/pagila-data.sql

Then load the downloaded sample database into the postgres instance. The schema file must be loaded before the data file.


psql "sslmode=disable host=localhost port=5432 dbname=postgres user=postgres password=postgrespass" < pagila-schema.sql

psql "sslmode=disable host=localhost port=5432 dbname=postgres user=postgres password=postgrespass" < pagila-data.sql

Step 2

Let's deploy the inspektor controlplane. The controlplane acts as the central coordination service for an inspektor cluster: it stores metadata, serves the dashboard and hands configuration to the dataplanes.

To run the controlplane, create the config.yaml file below.

Note: the comments in the config file explain each setting.

# postgres credentials used to store inspektor metadata
postgres_host: "localhost"
postgres_port: "5432"
database_name: "postgres"
postgres_username: "postgres"
postgres_password: "postgrespass"

# key used to sign the JWTs issued by the controlplane.
# "demokey" is for this walkthrough only; use a long random secret anywhere else.
jwt_key: "demokey"

# git repository holding the access policy. inspektor uses OPA to
# evaluate the policy in this repo when enforcing access.
policy_repo: "https://github.com/poonai/inspektor-policy.git"

# GitHub access token used to fetch the policy repo (empty in this demo)
github_access_token: ""

The command below runs the inspektor controlplane with the config file mounted into the container.


docker run -v $(pwd)/config.yaml:/config.yaml --network=host  schoolboy/inspektor-controlplane:latest ./inspektor

Open http://localhost:3123 in a browser to reach the inspektor dashboard.

Step 3

Use the following credentials to log in to the dashboard. These are the demo defaults; change them for anything beyond this walkthrough.

username: admin
password: admin

Click the Add Datasource button to open the datasource creation modal.

Fill in the following in the datasource modal.

Datasource name -> postgres-prod
Datasource type -> postgres
sidecar hostname -> localhost:8081

[screenshot: datasource modal]

Clicking the Create Datasource button after filling in the modal creates a secret token. This token is used in the next step to connect the dataplane to the controlplane.

Step 4

So far we have deployed the controlplane; now we'll deploy the dataplane. The dataplane is the proxy layer that sits between clients and the database and enforces the access policy, taking its configuration from the controlplane.

To run the dataplane, create the dataplane_config.yaml file below.

# type of datasource
driver_type: "postgres"

# control plane address
controlplane_addr: "http://localhost:5003"

# secret token that is used to connect the dataplane with the controlplane.
# This can be retrieved from the dashboard; the value below is a placeholder.
secret_token: "b5571a086fb62180cf5493a4a6555a641dede6a45048fda0d79b24fc9a8e"

# postgres_config contains the credentials of the datasource we want to proxy.
# For simplicity we are using the same database that stores all inspektor
# metadata. The dataplane holds the real database credentials; clients
# connecting through the proxy never see them.
postgres_config:
  target_addr: "localhost"
  target_port: "5432"
  target_username: "postgres"
  target_password: "postgrespass"
  proxy_listen_port: "8081"

Replace secret_token in the configuration file with the token shown on the dashboard; the dataplane uses it to authenticate to the controlplane.

Use the command below to run the dataplane. RUST_LOG=inspektor=debug turns on debug logging, which is handy while getting the setup working.

docker run -v $(pwd)/dataplane_config.yaml:/dataplane_config.yaml --network=host -e RUST_LOG=inspektor=debug schoolboy/inspektor-dataplane:latest1 ./inspektor --config_file ./dataplane_config.yaml

Step 5

Now we have a running inspektor that acts as an access proxy for the postgres instance we want to protect. Keep in mind that the postgres container still publishes port 5432 on the host, so the policy only holds for clients that cannot reach postgres directly.

The policy in the repo https://github.com/poonai/inspektor-policy.git hides the first_name column of the actor table.

Let's see whether inspektor actually removes the first name from the query result.

Get the unique credentials inspektor creates for you by clicking the Create Credentials button in the inspektor dashboard.

Then click the Show Credentials button to obtain the credentials.

[screenshot: credentials]

Note: for this tutorial we are using psql, but you can use any client you wish.

Replace <username> in the command below with the username you got from the inspektor dashboard to connect to the inspektor dataplane (psql prompts for the password if one is required).


psql "sslmode=disable host=localhost port=8081 dbname=postgres user=<username>"

Now that you are logged in, execute a simple select query on the actor table.


select * from actor;

You'll get output similar to this:


 actor_id | first_name |  last_name   |      last_update       
----------+------------+--------------+------------------------
        1 |            | GUINESS      | 2020-02-15 09:34:33+00
        2 |            | WAHLBERG     | 2020-02-15 09:34:33+00
        3 |            | CHASE        | 2020-02-15 09:34:33+00
        4 |            | DAVIS        | 2020-02-15 09:34:33+00
        5 |            | LOLLOBRIGIDA | 2020-02-15 09:34:33+00
        6 |            | NICHOLSON    | 2020-02-15 09:34:33+00
        7 |            | MOSTEL       | 2020-02-15 09:34:33+00
        8 |            | JOHANSSON    | 2020-02-15 09:34:33+00
        9 |            | SWANK        | 2020-02-15 09:34:33+00
       10 |            | GABLE        | 2020-02-15 09:34:33+00
       11 |            | CAGE         | 2020-02-15 09:34:33+00
       12 |            | BERRY        | 2020-02-15 09:34:33+00
       13 |            | WOOD         | 2020-02-15 09:34:33+00
       14 |            | BERGEN       | 2020-02-15 09:34:33+00
       15 |            | OLIVIER      | 2020-02-15 09:34:33+00
       16 |            | COSTNER      | 2020-02-15 09:34:33+00
       17 |            | VOIGHT       | 2020-02-15 09:34:33+00
       18 |            | TORN         | 2020-02-15 09:34:33+00
       19 |            | FAWCETT      | 2020-02-15 09:34:33+00
       20 |            | TRACY        | 2020-02-15 09:34:33+00
       21 |            | PALTROW      | 2020-02-15 09:34:33+00

You can clearly see that first_name has been hidden from the user by inspektor. Now get your hands dirty: fork the inspektor demo policy repo and play with the policy. For example, try running an insert statement through the proxy.
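A scripted version of the check above, added here as an example (it is not code from the gist or from the inspektor project): it reads the same rows directly from postgres and through the dataplane and reports which columns the proxy blanks out, so the result does not depend on eyeballing psql output. It assumes the dataplane on localhost:8081 speaks the plain postgres wire protocol (as the psql command above implies), that the psycopg2 driver is installed (pip install psycopg2-binary), and that <username> is replaced with the dashboard-issued user; the function names masked_columns, fetch and check_masking are this example's own.

```python
"""Verify that the inspektor dataplane masks a column, and note the bypass risk.

Added example for this tutorial; not code from the inspektor project.
Assumptions not stated in the gist: the dataplane on localhost:8081 speaks the
plain postgres wire protocol and psycopg2 is installed.
"""
from typing import List, Sequence, Set, Tuple

Row = Tuple[object, ...]

# Pagila's actor table; ORDER BY so both result sets line up row for row.
QUERY = "SELECT actor_id, first_name, last_name FROM actor ORDER BY actor_id LIMIT 20"

# Direct connection: what any client gets if host port 5432 is reachable.
DIRECT_DSN = "host=localhost port=5432 dbname=postgres user=postgres password=postgrespass"
# Proxied connection through the dataplane with the dashboard-issued user.
PROXY_DSN = "host=localhost port=8081 dbname=postgres user=<username>"


def _blank(value: object) -> bool:
    return value is None or value == ""


def masked_columns(columns: Sequence[str], direct: List[Row], proxied: List[Row]) -> Set[str]:
    """Columns that carry data when read directly but are blank in every proxied row.

    Rows are matched by position, so both queries must use the same ORDER BY.
    """
    if len(direct) != len(proxied):
        raise ValueError(f"row count differs: direct={len(direct)} proxied={len(proxied)}")
    masked: Set[str] = set()
    for idx, name in enumerate(columns):
        has_data = any(not _blank(row[idx]) for row in direct)
        all_hidden = all(_blank(row[idx]) for row in proxied)
        if has_data and all_hidden:
            masked.add(name)
    return masked


def fetch(dsn: str, query: str) -> Tuple[List[str], List[Row]]:
    """Run query over the given DSN; returns (column names, rows)."""
    import psycopg2  # imported here so masked_columns works without the driver

    with psycopg2.connect(dsn) as conn:
        with conn.cursor() as cur:
            cur.execute(query)
            columns = [desc[0] for desc in cur.description]
            return columns, [tuple(r) for r in cur.fetchall()]


def check_masking(direct_dsn: str = DIRECT_DSN, proxy_dsn: str = PROXY_DSN,
                  expected: Sequence[str] = ("first_name",)) -> Tuple[bool, Set[str]]:
    """Compare proxied and direct reads; True only if exactly `expected` is masked."""
    columns, direct_rows = fetch(direct_dsn, QUERY)
    proxy_columns, proxied_rows = fetch(proxy_dsn, QUERY)
    if columns != proxy_columns:
        raise ValueError(f"column list differs: {columns} vs {proxy_columns}")
    masked = masked_columns(columns, direct_rows, proxied_rows)
    return masked == set(expected), masked


if __name__ == "__main__":
    ok, masked = check_masking()
    print("masked columns:", sorted(masked), "policy holds:", ok)
    # If the direct connection succeeded from this host, any client here can
    # reach postgres without the proxy: restrict port 5432 to the dataplane
    # before relying on the policy.
```

The direct read serves two purposes: it is the reference the proxied result is compared against, and the fact that it works at all from a client host is itself a finding, since a client that can open port 5432 never goes through the policy.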
