Sentinel
Policy as code framework for HashiCorp Enterprise Products.
What is Sentinel
Sentinel is an embeddable policy as code framework to enable fine-grained, logic-based policy decisions that can be extended to source external information to make decisions.
Policy as code
Treat policy like an application — version control, pull review, and automate tests. Use real programming constructs to determine policy decisions beyond the limited constraints of typical ACL systems.
Fine-grained, condition-based policy
Reject actions on any available input rather than coarse-grained read, write, and admin policies. Make policy decisions based on the condition of other values.
Embedded
Sentinel is embedded to enable policy enforcement in the data path to actively reject violating behavior instead of passively detecting.
Multiple enforcement levels
Advisory, soft-mandatory, and hard-mandatory levels allow policy writers to warn on or reject offending behavior.
External information
Source external information to make holistic policy decisions. For example, Terraform cannot execute while Consul health checks are failing.
Multi-cloud compatible
Ensure infrastructure changes are within business and regulatory policy on every infrastructure provider.
Sentinel across our Product Suite
How Sentinel integrates into HashiCorp Enterprise Products
Policy as Code in Terraform Enterprise
- Policies are enforced in Terraform Enterprise between the plan and apply.
- Policies validate information in the Terraform plan, state, and configuration.
- Do not allow resources to be provisioned without tags
- Only provision staging resources in us-west and production resources in us-east
- Do not allow AWS security groups to have egress set to 0.0.0.0
import "tfplan/v2" as tfplan

// Every managed aws_instance in the plan that is not being destroyed.
// change.actions is a list (["create"], ["update"], ["delete"], or
// ["delete", "create"] for a replacement), so compare it with the list
// ["delete"] rather than with the bare string "delete"; a replacement still
// produces a new instance and is still checked.
aws_instances = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type is "aws_instance" and
  rc.change.actions is not ["delete"]
}

// Pass only if every instance ends up with at least one tag. `else {}`
// keeps a missing tags attribute from making the rule undefined.
main = rule {
  all aws_instances as _, instance {
    (instance.change.after.tags else {}) is not empty
  }
}
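The third use case above, rejecting security groups whose egress is open to everyone, as an added example policy (not HashiCorp's own sample code). It assumes the attribute names of the aws_security_group resource (egress[].cidr_blocks, egress[].ipv6_cidr_blocks) and treats both 0.0.0.0/0 and ::/0 as catch-all destinations; resource type and attribute names are the only assumptions beyond the tfplan/v2 import the page already uses.

```sentinel
import "tfplan/v2" as tfplan

// Added example (not from the page): fail the run when any AWS security
// group in the plan allows egress to the whole internet.
// Assumption: attribute layout follows the aws_security_group schema.
security_groups = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type is "aws_security_group" and
  rc.change.actions is not ["delete"]
}

// Catch-all destinations for IPv4 and IPv6.
open_cidrs = ["0.0.0.0/0", "::/0"]

// An egress rule is open if any of its CIDRs is a catch-all. `else []`
// covers rules where the attribute is null or still unknown at plan time.
is_open = func(eg) {
  cidrs = (eg.cidr_blocks else []) + (eg.ipv6_cidr_blocks else [])
  return any cidrs as c { c in open_cidrs }
}

// Keep the violators as a map keyed by resource address so the policy
// output names the offending resources instead of just failing.
open_groups = filter security_groups as addr, sg {
  any (sg.change.after.egress else []) as eg { is_open(eg) }
}

main = rule {
  length(open_groups) is 0
}
```

In a Terraform Enterprise policy set the enforcement level described earlier on this page is attached in the set's sentinel.hcl, for example a `policy "restrict-sg-egress"` block with `enforcement_level = "hard-mandatory"`, so an open egress rule blocks the apply rather than only warning.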
Policy as Code in Vault Enterprise
- Policies are enforced in front of all Vault APIs.
- Policies extend Vault's ACL system with fine-grained logic.
- Ensure that modification of critical data can only be performed by authorized sysops with valid MFA
- Require LDAP logins to come from internal IP space and successfully pass a Ping MFA check
- Applied to all endpoints in response to a breach, ensure that any token generated more than four hours ago cannot be used
import "strings"

// Scope this policy only to operations that change data within our dangerous
// area
pathcheck = rule {
  strings.has_prefix(request.path, "secret/dangerous/") and
  request.operation in ["create", "update", "delete"]
}

// Ensure that for this dangerous operation we've passed an Okta MFA check
oktacheck = rule {
  mfa.okta.is_valid
}

// Make sure the caller is a member of the sysops group
idcheck = rule {
  "sysops" in identity.groups
}

main = rule when pathcheck {
  oktacheck and idcheck
}
Policy as Code in Nomad Enterprise
- Policies are enforced before accepting new jobs or updating existing jobs.
- Policies extend Nomad's ACL system with fine-grained logic.
- Policies can enforce only trusted artifacts or applications are allowed to run.
- Only allow Docker workloads
- Limit jobs to only 5 GB of memory resources
allowed_drivers = ["docker"]

main = rule {
  all job.task_groups as tg {
    all tg.tasks as t { t.driver in allowed_drivers }
  }
}
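The memory use case above, combined with the driver rule already shown, as an added example policy (not HashiCorp's sample). It assumes the Nomad job object mirrors the job API fields in snake_case, in particular task_groups[].count and tasks[].resources.memory_mb, and it reads the page's "5 GB" as 5120 MB since Nomad sizes memory in megabytes.

```sentinel
// Added example (not from the page): cap a job's total memory and keep the
// Docker-only driver check from the sample above in the same policy.
// Assumption: tg.count and t.resources.memory_mb follow Nomad's job API.

max_memory_mb = 5 * 1024

// Sum memory across every task instance the job would run: each task
// group's tasks are multiplied by the group's count.
job_memory_mb = func() {
  total = 0
  for job.task_groups as tg {
    for tg.tasks as t {
      total += (tg.count else 1) * (t.resources.memory_mb else 0)
    }
  }
  return total
}

allowed_drivers = ["docker"]

docker_only = rule {
  all job.task_groups as tg {
    all tg.tasks as t { t.driver in allowed_drivers }
  }
}

within_memory_budget = rule {
  job_memory_mb() <= max_memory_mb
}

// Both conditions must hold for the job to be accepted.
main = rule {
  docker_only and within_memory_budget
}
```

Computing the total in a function rather than checking each task in isolation catches the case the per-task check misses: a group of many small tasks with a large count that together exceed the budget.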
Policy as Code in Consul Enterprise
- Policies are enforced in front of Consul's K/V and services APIs.
- Policies extend Consul's ACL system with fine-grained logic.
- Key/value must be in proper format (such as integer, text, etc.).
- Consul keys can only be updated during business hours
required = [
  ["port", "^\\d+$"], // port must be an integer (anchored so "80abc" is rejected)
  ["name", "^\\w+$"], // name must be a single word of letters, digits or underscore
]

// Look the key up in the required list and validate its value against the
// matching pattern; keys that are not listed are rejected.
valid_key = func() {
  for required as v {
    if request.kv.key is v[0] {
      return request.kv.value matches v[1]
    }
  }
  // Unknown key
  return false
}

// Only K/V writes are in scope for this policy.
is_kv_request = rule {
  request.path matches "^/kv" and
  request.method is "PUT"
}

main = rule when is_kv_request { valid_key() }
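The business-hours use case above as an added example policy (not HashiCorp's sample). It uses the same request.path and request.method properties as the sample and Sentinel's time import; it assumes time.now is evaluated in the Consul server's clock and timezone (UTC here) and that the hour and weekday_name fields of the time object are available, so the window would be shifted for a local timezone.

```sentinel
import "time"

// Added example (not from the page): Consul K/V writes and deletes are only
// accepted Monday to Friday, 09:00 to 17:00.
// Assumption: time.now reflects the server clock, taken to be UTC.

business_days = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
open_hour = 9    // inclusive
close_hour = 17  // exclusive

during_business_hours = rule {
  time.now.weekday_name in business_days and
  time.now.hour >= open_hour and
  time.now.hour < close_hour
}

// Deletes change data too, so they are scoped alongside PUT.
is_kv_write = rule {
  request.path matches "^/kv" and
  request.method in ["PUT", "DELETE"]
}

// Reads are never affected; out-of-hours writes are rejected.
main = rule when is_kv_write { during_business_hours }
```

Pairing this with the format check from the sample above is a matter of referencing both rules from main, since each is scoped with rule when to the same class of request.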
Policy as code is the next phase of infrastructure automation
Infrastructure as Code was the first phase, which enables codification and automation for the four main components of infrastructure — provision, secure, connect, and run. Infrastructure as Code empowers more users to create and manage infrastructure; however, that comes with risks, as less experienced users could make significant mistakes that impact business operations.
Policy as Code limits exposure by codifying business and regulatory policies to ensure infrastructure changes are safe. Together, Infrastructure as Code and Policy as Code empower users to safely and quickly provision, secure, connect, and run any infrastructure for any application.