Taming Kubernetes with Policies

Open Policy Agent, network policies and Pod Security Policies help solve orchestration challenges at scale.
Karthik Ramamoorthy, Principal Cloud Architect
June 18, 2019, June 19, 2019 | THE DOPPLER

Security is one of the key areas of focus when adopting Kubernetes across the enterprise, and it has evolved over the past year or so. As many large enterprises move from the waterfall model to agile-based frameworks like SAFe, IT teams are required to release infrastructure and applications more rapidly, and "shift left" aspects of security and testing are moving earlier in the development and infrastructure build lifecycle. Identifying and enforcing baseline security policies early in the Kubernetes CI/CD lifecycle is critical to mitigating risks early in the process, rather than having security catch up later in the release cycle.

While third-party Kubernetes security tools such as Twistlock, AquaSec, etc., offer registry scanning and runtime protection of container images, tools like HashiCorp Sentinel and Open Policy Agent (OPA) facilitate “policy as code” and enable tight security controls to be part of deployment artifacts.

This article outlines possible control policies at different layers of Kubernetes.


Open Policy Agent

OPA is a lightweight, general-purpose policy engine that can be co-located with your Kubernetes service. OPA is deployable as a sidecar, host-level daemon or library on a Kubernetes cluster.

Services offload policy decisions to OPA by executing queries. OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language, and can be loaded into OPA via either the filesystem or well-defined APIs.

In the context of Kubernetes, OPA implements admission control rules that validate Kubernetes resources during create, update and delete operations, and enforce policies on the fly without recompiling any of the services that offload policy decisions to it.

Utilities such as conftest help you write tests against structured configuration data such as Kubernetes deployment files, Terraform code, etc., and provide code analysis against OPA rules as part of the CI process.

Policies are written in Rego, which lets security professionals focus on the result a query should produce rather than on how it is executed. The OPA team has released an online OPA playground and editor plugins for building intuitive policies, which support rapid prototyping and development.

Consider a scenario in which a deployment should be blocked if a specific label is missing. For example, the deployment below does not have the "environment" label in its pod definition.

An OPA policy can be defined to validate all pod deployments and to halt the deployment if the metadata.labels.environment field is missing from the incoming request.

When the pod definition is deployed, OPA rejects the deployment with the custom message configured in the policy.

The deployment succeeds once the "environment" label is added to the input file.
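The scenario above as an added example (not the article's own manifests): a constructed Deployment whose pod template lacks the label, followed by a Rego policy that rejects it, packaged as a ConfigMap the way kube-mgmt loads policies into OPA. Assumptions: OPA is registered as a validating admission webhook with the `system.main` response rule from the OPA Kubernetes admission tutorial, kube-mgmt picks up ConfigMaps in the `opa` namespace carrying the `openpolicyagent.org/policy=rego` label, and all names and namespaces are constructed.

```yaml
# Constructed Deployment that the policy rejects: the pod template carries
# an "app" label but no "environment" label.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web            # add "environment: prod" here to pass the policy
    spec:
      containers:
        - name: web
          image: nginx:1.17
---
# Rego policy delivered to OPA as a ConfigMap (assumption: kube-mgmt loads
# ConfigMaps in the opa namespace that carry this label).
apiVersion: v1
kind: ConfigMap
metadata:
  name: require-environment-label
  namespace: opa
  labels:
    openpolicyagent.org/policy: rego
data:
  policy.rego: |
    package kubernetes.admission

    # Pods created directly must carry the label.
    deny[msg] {
      input.request.kind.kind == "Pod"
      not input.request.object.metadata.labels.environment
      msg := sprintf("pod %q is missing the 'environment' label", [input.request.object.metadata.name])
    }

    # For Deployments the label must be present on the pod template.
    deny[msg] {
      input.request.kind.kind == "Deployment"
      not input.request.object.spec.template.metadata.labels.environment
      msg := sprintf("deployment %q: pod template is missing the 'environment' label", [input.request.object.metadata.name])
    }
```

Because `not` succeeds when the whole path is undefined, the rule also fires when the pod template has no `labels` block at all, not only when the key is absent.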

OPA integration with CI/CD pipelines delivers granular security and compliance controls to Kubernetes deployments. Standard OPA policies might include:

  1. Mandate SSL for all Kubernetes services
  2. Deny launching containers with root access
  3. Allow only signed images in production namespaces
  4. Allow images from a private registry only
  5. Allow only images X and Y in a specific namespace
  6. Limit CPU and memory requests
  7. Allow only user X to deploy to a particular namespace

Network Policies

By default, all pods in a Kubernetes cluster can communicate with each other without any restrictions. Network policies help you isolate the services running in pods from each other, to limit the blast radius and improve the overall security posture. Kubernetes supports a plethora of Layer 2 and Layer 3 network plugins from ISVs and cloud service providers today, each with its own pros and cons. Service meshes such as Istio or Envoy provide application-layer (Layer 7) protection, such as user authorization, TLS, etc.

For example, the network policy below whitelists inbound DB connections from pods that match specific labels, e.g., Application: Web.

Network policies can be standardized to:

  1. Deny all traffic between pods by default
  2. Allow traffic between specific pods
  3. Allow traffic from specific namespaces
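The three standard patterns above as an added example (not the article's own policy): a namespace-wide default deny for inbound traffic, then a whitelist that admits only pods labelled Application: Web, plus pods from one named namespace, to the DB pods. Assumptions: the `shop` and `monitoring` namespaces, the `Application: DB` label on the database pods, the `name` label on namespaces and the PostgreSQL port 5432 are all constructed.

```yaml
# Default deny: once this exists, no pod in the namespace accepts inbound
# traffic until another NetworkPolicy selects it. Egress (including DNS)
# is left untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop            # constructed namespace
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
---
# Whitelist: the DB pods accept connections only from pods labelled
# Application: Web in this namespace, or from any pod in the monitoring
# namespace, and only on the database port. Entries under "from" are ORed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      Application: DB        # assumed label on the database pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              Application: Web
        - namespaceSelector:
            matchLabels:
              name: monitoring   # assumed label on the monitoring namespace
      ports:
        - protocol: TCP
          port: 5432           # assumed PostgreSQL port
```

Network policies are only enforced when the cluster's CNI plugin implements them; on a plugin without policy support the objects are accepted by the API server but have no effect, which is worth verifying with a connectivity test after rollout.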

Pod Security Policies

While OPA policies validate Kubernetes deployments and network policies provide traffic isolation between services, a Pod Security Policy (PSP) lets you control a pod's access to the host operating system. A PSP supports a multitude of OS-level security controls such as SELinux, AppArmor, seccomp, etc. The policy below requires containers to run as non-root users, preventing privilege escalation.

With a Pod Security Policy (PSP), you can enforce:

  1. Run-time permissions for a container
  2. Permitted actions on the kernel space
  3. Allowed AppArmor or SecComp profiles
  4. SELinux modes
  5. Allowed host paths and volumes
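The non-root policy described above as an added example (not the article's own manifest), covering the five controls in the list: it rejects root and privileged containers, drops all capabilities, pins the seccomp profile, and restricts volume types (hostPath is deliberately absent). The ClusterRole that follows is needed because a PSP applies only to subjects granted the `use` verb on it; the policy and role names are constructed.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-nonroot               # constructed name
  annotations:
    # Only the runtime's default seccomp profile is allowed; it is applied when the pod sets none.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                      # no privileged containers
  allowPrivilegeEscalation: false        # setuid binaries cannot gain privileges
  requiredDropCapabilities:
    - ALL                                # drop every kernel capability
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot               # kubelet refuses a container that would run as UID 0
  seLinux:
    rule: RunAsAny                       # leave SELinux labelling to the node defaults
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes:                               # hostPath is deliberately not listed
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
---
# A PSP only takes effect once a subject can "use" it; bind this role to the
# service accounts (or groups) that should be allowed to run pods under it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-nonroot
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    resourceNames: ['restricted-nonroot']
    verbs: ['use']
```

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on newer clusters the same controls are expressed through Pod Security Admission or an admission controller such as OPA.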

Conclusion

Kubernetes provides many primitives, such as pods, private registries, labels, namespaces, etc., to isolate workloads with required security controls, but connecting these dots at scale is a daunting task. Kubernetes policy plugins such as OPA, network policies and Pod Security Policies are designed to solve these challenges.

Karthik Ramamoorthy

Karthik is a Principal Cloud Architect at Cloud Technology Partners (CTP), a Hewlett Packard Enterprise company, focusing on Microsoft Azure and Amazon Web Services.
