What You'll Learn

  1. Generate a no latest tag policy for Kubernetes workloads from plain English.
  2. Debug AI-generated Rego in the playground when the deny rule does not fire.
  3. Patch the downloaded control path so CAP_SYS_ADMIN checks reach container specs.

Armo Platform's ChatGPT integration turns plain-English prompts into Rego for Kubescape custom controls. We build a "no latest tag" rule, then a CAP_SYS_ADMIN deny, debug the generated policy in the Rego Playground, and run it with kubescape scan control --use-from.

Chapters

  1. 0:00 Introduction: ChatGPT, Kubescape, and the Rego Challenge
  2. 1:42 Introducing Armo Platform and AI Custom Controls
  3. 2:33 Creating a Simple Control: No Latest Tag
  4. 3:16 Examining the AI-Generated Rego Policy
  5. 4:12 Running the Custom Control with Kubescape CLI
  6. 5:11 Creating a More Complex Control: Deny CAP_SYS_ADMIN
  7. 6:00 Debugging with the Rego Playground
  8. 7:17 Correcting the Generated Rego Policy Path
  9. 8:09 Modifying the Downloaded Control File
  10. 8:56 Conclusion and Summary
Transcript

Generated from the English captions. Timestamps jump the player to that moment.

0:00 Introduction: ChatGPT, Kubescape, and the Rego Challenge

0:00 ChatGPT is going to take your job. Not really. But we are seeing some very interesting things because of ChatGPT. It's changing the way a lot of people work. It's able to augment and enrich your own capabilities with the collective experience of the Internet. The model can be trained with smaller subsections of data to help make using existing applications easier. And we're going to see an example of that today. Let's talk about Kubescape. Fantastic product that helps improve your security posture for all of your Kubernetes clusters. That is if you stick to the frameworks

0:39 provided by Kubescape, which to be fair is pretty comprehensive. However, some organizations may wish to write their own controls for their own frameworks. And writing your own controls has been a little bit tedious today. Not because of Kubescape, but because of the language they're written in. Controls are written in Rego. What's Rego? Rego is a language that is part of Open Policy Agent. And it's not like other programming languages that you may be familiar with. A lot of people struggle with its syntax, mostly around comprehension. It can sometimes be hard to read a Rego program and actually know

1:21 what's going on because at times it feels like there's bits of magic, especially around iterators on lists. So this is prime real estate for ChatGPT to come in and make your life easier. And fortunately for us, the team at Armo have done all the heavy lifting. Thank you. So we're gonna use Armo Platform today where they have a UI for building custom controls. Now as you'll see in our website, if you want to go and find out more, please feel free. But I am already logged in to Armo where if you click on your face and

1:42 Introducing Armo Platform and AI Custom Controls

1:59 settings followed by controls, you can click create custom control where you provide a name, severity, a wish or what you want the control to do with the ability to provide a description, an example object and a remediation path if you wish. However, you don't need to. You can let ChatGPT work it out for you. So in this short video, we're gonna take a look at some prompts and some custom controls generating Rego policies for us and making our lives easier. Let's check it out. So let's start with a nice easy one just to warm ChatGPT

2:33 Creating a Simple Control: No Latest Tag

2:39 up. I'm going to call this control no latest tag. I'm going to paste in a prompt that says ensure deployments never use the latest tag. Not going to provide any examples, descriptions, or remediation. I'm just going to let Armo Platform and ChatGPT work it out. Now we have a response. The description is to prevent the use of the latest tag in Kubernetes workloads, which makes perfect sense to me. The remediation path as generated by ChatGPT is to update the image tag to a specific version. Again, pretty spot on. Over on the right hand side,

3:16 Examining the AI-Generated Rego Policy

3:18 we have the Rego rule or the Rego policy. You can see here that it looks at all resources. It does this by expanding the input as a list. The underscore means get them all. From here, it has a list of the different workload types available in Kubernetes. Deployment, replica set, daemon set, stateful set, and jobs. From there, it checks the workload is one of these kinds, pulls out the image of the first container, runs a comparison check to see if it contains the string ":latest". And if so, we get an error message. From here, you can click download your control.

3:56 Once that's downloaded, you can pop it open and take a look if you wish. You'll see your control name and ID, the built-in Rego, and the resources to apply the policy. On the command line, you can run kubescape scan control no latest tag, where this is the name or ID that you put into the control name form or you can find in the JSON as we've seen a moment ago. Next, we provide --use-from and provide the file name to where you downloaded your policy. The last parameter is the resource or directory of resources that you

4:12 Running the Custom Control with Kubescape CLI

4:34 wish to scan. And now we have a failed resource on our no latest tag control, one failed resource against two scanned. So let's pop open our deployment.yaml. And as we can see here, the first container in our deployment is NGINX with a latest tag that we do not want. So let's run our scan one more time. Passed. Perfect. Better security posture already with a little help from the AI. But we made that a little bit easy for ChatGPT and Armo Platform. So let's kick it up a notch. Let's make this a little bit more challenging for

5:11 Creating a More Complex Control: Deny CAP_SYS_ADMIN

5:15 ChatGPT. Let's say that we want a secure container. And actually what we mean by secure is that we don't want to allow any workload in our cluster to add the capability CAP_SYS_ADMIN. So let's just type that up exactly as I said it. Do not allow any workloads to add the CAP_SYS_ADMIN capability and click generate. Okay. We have our secure control. Deny CAP_SYS_ADMIN capability to workloads with the remediation path that basically says, hey, don't add this capability. And on the right hand side, we have some Rego. So let's download this. But before we run it locally on a

6:00 Debugging with the Rego Playground

6:00 CLI, I want to show you a cool little trick. First, open a new tab in your browser and search for the Rego Playground and click go. This is an interactive playground that allows you to test your Rego policies. And I'm going to paste in the Rego that we copied from the Armo Platform and you can click format. From here, you can copy your example workload. As we can see here, I have a deployment but it's stored as YAML. Convert it to JSON, create a list and paste it in. Again, click format to tidy it up. Now we

6:41 have an interactive test bed that allows us to evaluate our Rego policies. So let's add the capability that we don't want to our workload, like so. And if we click evaluate, we don't get a deny in our output, something is not quite right. So the best way to debug this in the Rego Playground is to turn on the options for coverage. Now when we click evaluate, we will see a line by line breakdown of any evaluation that was true or false. And as we can see here, it never reaches line eight where it checks with the

7:17 Correcting the Generated Rego Policy Path

7:21 capability CAP_SYS_ADMIN being added. And the reason is the path for the container spec or properties on our deployment is incorrect. Now I've noticed this a few times with the ChatGPT integration is that it's not always good at getting spec.template.spec.containers versus resource.spec.containers. So you may have to tweak this depending on the policy you get back from the integration. To fix this, I can do spec.template.spec like so. Now when we click evaluate, we get our error message that we can know that we shouldn't be adding CAP_SYS_ADMIN to our pod.

7:58 So let's remove it and add CAP_NET_RAW and evaluate. Now our policy is successful. Now if you're wondering how to tweak this within the JSON that you've downloaded from the Armo Platform, you can come here, copy your secure policy like so. Pop it open in VS Code and save it to force it to format. Your rule is where the Rego lives here. We can scroll along and modify like so. So it can be a little bit finicky, but it's not that hard to fix. Plus, we just described a policy to block CAP_SYS_ADMIN being added as a

8:09 Modifying the Downloaded Control File

8:50 capability to any pod without having to understand too much about the Rego language. That is pretty cool. So go check out Armo Platform. Use the custom controls and AI to help you generate all the Rego that you need for your cluster. Is it perfect? No. But software rarely is. But I can tell you that the team at Armo are improving this integration every single day. But what doesn't work today when you're watching this video may very well work tomorrow. I'm gonna be keeping a close eye on this integration because it personally solves a lot of the challenges

8:56 Conclusion and Summary

9:24 that I have writing Rego. And sometimes all you need is a little kick start to get you going. So go check it out. Have some fun and let me know how you get on in the comments. Have a great day.
