The CNCF recently published a new whitepaper about Kubernetes Policy Management. The whitepaper highlights the importance of Kubernetes policy management when it comes to the security and automation of clusters as well as workloads. Also, it goes in-depth into the problems Kubernetes policies solve and the proper implementation of such policies.
The paper provides a reference architecture for Kubernetes Policy Management, guidance for policy-based operations, and emphasizes how policies map to other security aspects such as threat modeling, assurance, and incident response in addition to continuous compliance while focusing on Policy Management concepts and not tools.
The paper introduces XACML, an OASIS standard that defines a policy language, an architecture, and a processing model.
[Figure courtesy of the Cloud Native Computing Foundation]
It also shows the different XACML entities, their interactions, and how they relate to Kubernetes Policy Management. These are the Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP), and Policy Administration Point (PAP).
[Figure courtesy of the Cloud Native Computing Foundation]
In this architecture, the PAP creates a Policy or PolicySet and makes it available to the PDP to consume. Any user or system request is intercepted by the PEP, which consults the PDP to decide how the request should be handled. The PEP enforces policies so that the current state of Kubernetes workloads and clusters matches the desired state defined by the policy. The PDP then directs the PEP on how to proceed: in other words, allow or deny the request.
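To make the interaction concrete, the following is an added example (not code from the whitepaper or from any CNCF project) that simulates the four XACML roles in plain Python. The PAP publishes a PolicySet, the PIP supplies attributes the request does not carry (trusted registries, production namespaces), the PDP evaluates the set with XACML's deny-overrides combining algorithm, and the PEP plays the role an admission controller would in a cluster. The policy names, objective labels (CTRL-00x), registry names and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Request:
    """A request intercepted by the PEP, modelled loosely on a Kubernetes
    admission request. All fields are constructed sample data."""
    user: str
    namespace: str
    kind: str
    spec: Dict


@dataclass
class Policy:
    """One rule of the PolicySet. `violates` returns True when the request breaks
    the rule; `objective` is a hypothetical label tying the rule to a documented
    compliance objective."""
    name: str
    objective: str
    violates: Callable[[Request, "PolicyInformationPoint"], bool]
    message: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


class PolicyInformationPoint:
    """PIP: attributes the PDP needs that are not in the request itself.
    Here a constructed in-memory store stands in for real cluster data."""
    def __init__(self, attributes: Dict[str, object]):
        self._attributes = attributes

    def get(self, key: str):
        return self._attributes[key]


class PolicyAdministrationPoint:
    """PAP: where policies are authored and published as a PolicySet."""
    def __init__(self):
        self._policies: List[Policy] = []

    def publish(self, policy: Policy) -> None:
        self._policies.append(policy)

    def policy_set(self) -> List[Policy]:
        return list(self._policies)


class PolicyDecisionPoint:
    """PDP: evaluates the PolicySet against a request using deny-overrides,
    i.e. a single violated policy denies the whole request."""
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self._pap, self._pip = pap, pip

    def decide(self, request: Request) -> Decision:
        reasons = [f"{p.name} ({p.objective}): {p.message}"
                   for p in self._pap.policy_set() if p.violates(request, self._pip)]
        return Decision(allowed=not reasons, reasons=reasons)


class PolicyEnforcementPoint:
    """PEP: intercepts the request, asks the PDP, and enforces the answer.
    In a cluster this role is played by an admission controller or webhook."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self._pdp = pdp

    def admit(self, request: Request) -> Decision:
        return self._pdp.decide(request)


def _containers(request: Request) -> List[Dict]:
    return request.spec.get("containers", [])


def _tag(image: str) -> str:
    # Tag is the part after the last ':' in the final path segment; no tag means 'latest'.
    name = image.rsplit("/", 1)[-1]
    return name.split(":", 1)[1] if ":" in name else "latest"


def no_privileged(request: Request, pip: PolicyInformationPoint) -> bool:
    return any(c.get("securityContext", {}).get("privileged", False) for c in _containers(request))


def trusted_registry_only(request: Request, pip: PolicyInformationPoint) -> bool:
    registries = tuple(pip.get("trusted_registries"))
    return any(not c["image"].startswith(registries) for c in _containers(request))


def no_latest_in_production(request: Request, pip: PolicyInformationPoint) -> bool:
    if request.namespace not in pip.get("production_namespaces"):
        return False
    return any(_tag(c["image"]) == "latest" for c in _containers(request))


def build_pep() -> PolicyEnforcementPoint:
    """Wire the four roles together with a constructed PolicySet and attributes."""
    pip = PolicyInformationPoint({"trusted_registries": ["registry.example.internal/"],
                                  "production_namespaces": {"payments"}})
    pap = PolicyAdministrationPoint()
    pap.publish(Policy("disallow-privileged", "CTRL-001", no_privileged,
                       "privileged containers are not allowed"))
    pap.publish(Policy("trusted-registry", "CTRL-002", trusted_registry_only,
                       "image must come from a trusted registry"))
    pap.publish(Policy("pin-image-tag", "CTRL-003", no_latest_in_production,
                       "production images must be pinned to a tag"))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip))


# Constructed sample requests: one compliant, one violating all three policies.
SAMPLE_REQUESTS = {
    "compliant": Request("ci-bot", "payments", "Pod",
                         {"containers": [{"image": "registry.example.internal/api:1.4.2"}]}),
    "noncompliant": Request("dev", "payments", "Pod",
                            {"containers": [{"image": "docker.io/library/nginx:latest",
                                             "securityContext": {"privileged": True}}]}),
}


def run_example() -> Dict[str, Decision]:
    pep = build_pep()
    return {name: pep.admit(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_example().items():
        print(name, "ALLOW" if decision.allowed else "DENY", decision.reasons)
```

Each denial reason carries the objective label, which is how a PDP's decisions can be traced back to the documented control a policy implements; swapping the in-memory PIP for real cluster data or the PEP for a webhook does not change the decision logic.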
The paper also underscored that Kubernetes Policy Management applies to all four phases of the container lifecycle, Develop, Distribute, Deploy, and Runtime, as described in the cloud native security whitepaper by the CNCF Special Interest Group for Security (SIG), particularly when it comes to container images and Kubernetes configurations.
In this model, Kubernetes policies are part of the software delivery pipeline, also known as Policy as Code (PaC).
According to the paper, policies help to connect operations and other security domains within a cloud native organization by mapping Kubernetes policies to other security functions such as security assurance and compliance.
The whitepaper indicated the importance of having a holistic approach to security assurance to address the unique security requirements in a dynamic cloud-native environment.
This includes developing a threat model for both the platform and the workloads, incorporating security into the software delivery pipeline, and detecting violations of policies, especially at runtime.
Additionally, the paper highlighted the role of policies managed in Kubernetes in automating compliance controls and complying with regulatory standards such as PCI, NIST 800-30, HIPAA, etc. That way, policies can be used to link documented compliance objectives to the technical controls at the cluster, workload, or runtime level.
The authors of the whitepaper hope that, by adopting policy-based operations, organizations can realize their goal of being more secure and compliant.
While the focus of the whitepaper is on Policy Management, a listing of related projects and tools can be found in the CNCF cloud native interactive landscape.
End users can join the Kubernetes policy working group to propose and discuss ideas, or reach out via email at wg-policy@googlegroups.com or the Slack channel.