Guest post originally published on Fairwinds blog by Joe Pelletier
As teams move beyond their first Kubernetes pilot and into a broader deployment across the organization, DevOps teams have an increasingly difficult job. They don’t have time to manually write or review every Dockerfile and Kubernetes manifest entering their clusters, and that can lead to security vulnerabilities, overconsumption of compute resources, and noisy workloads. The simplest solution to these challenges is to enforce policy patterns. Establishing Kubernetes policies to enforce security, efficiency, and reliability will save your DevOps team a lot of late-night pages and upgrade issues.
Kubernetes Policy Enforcement
A policy can help you enforce consistent standards and help your organization save money by avoiding misconfigurations and unplanned interruptions. While it’s important to put your standard and customized policies in place, that won’t help you if your policies aren’t enforced. And while best practices documents for your engineering team are nice to have, they’re far too easy to forget or ignore. So how do you enforce your Kubernetes policies? There are three approaches you can take to make your policies stick:
- Develop internal tools
- Deploy open source
- Select a policy-driven configuration validation platform
Develop Internal Tools
For many engineering teams, this is an ongoing debate: build your own tools internally, or buy something to solve the problem? Engineers like to develop their own tools, but it’s seldom worth it. Building your own software usually leads to lost productivity on other projects, loss of support if the developers who built it leave the organization, and often less functionality than an established solution. Developing and maintaining home-grown tooling requires time, money, and resources that your organization may prefer to direct towards growing its business.
Deploy Open Source Tools
There are several open source tools that can help you with security, reliability, and efficiency configuration. The team at Fairwinds contributed Polaris, which identifies Kubernetes deployment configuration errors, and Goldilocks, which helps you identify a starting point for resource requests and limits. Trivy, from Aqua Security, is a simple vulnerability scanner for containers and other artifacts. In addition, the Kubernetes community has a powerful open standard for creating configuration policies: the Open Policy Agent (OPA). This open source, general-purpose policy engine unifies policy enforcement across the stack. OPA allows users to set policies across infrastructure and applications, and it’s also context-aware, so administrators can make policy decisions based on what’s actually happening. These open source tools are powerful, although you should also expect that your team will need to spend time deploying and managing each tool on each cluster.
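To make concrete what the policies discussed above check for, here is an added example (not code from Fairwinds, Polaris or OPA) that encodes the three policy categories the post names as checks over a Kubernetes workload manifest. The manifest and the thresholds (at least two replicas, a liveness probe on every container) are constructed assumptions for the example.

```python
def pod_containers(manifest):
    """Containers of a bare Pod or of a workload's Pod template (helper for this example)."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec).get("containers", [])

def check_security(manifest):
    """Security: no privileged containers, and every container opts in to runAsNonRoot."""
    out = []
    for c in pod_containers(manifest):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"security: {c['name']} runs privileged")
        if not sc.get("runAsNonRoot"):
            out.append(f"security: {c['name']} does not set runAsNonRoot")
    return out

def check_efficiency(manifest):
    """Efficiency: CPU and memory requests and limits are set on every container."""
    out = []
    for c in pod_containers(manifest):
        res = c.get("resources", {})
        out += [f"efficiency: {c['name']} missing resources.{kind}.{unit}"
                for kind in ("requests", "limits") for unit in ("cpu", "memory")
                if unit not in res.get(kind, {})]
    return out

def check_reliability(manifest):
    """Reliability: Deployments run >= 2 replicas (assumed threshold) and containers have liveness probes."""
    out = []
    if manifest.get("kind") == "Deployment" and manifest.get("spec", {}).get("replicas", 1) < 2:
        out.append("reliability: fewer than 2 replicas")
    out += [f"reliability: {c['name']} has no livenessProbe"
            for c in pod_containers(manifest) if "livenessProbe" not in c]
    return out

def evaluate(manifest):
    """All findings in order; an empty list means the manifest passes every policy."""
    return check_security(manifest) + check_efficiency(manifest) + check_reliability(manifest)

SAMPLE_DEPLOYMENT = {  # constructed sample manifest, not from any real cluster
    "kind": "Deployment",
    "spec": {"replicas": 1, "template": {"spec": {"containers": [
        {"name": "web", "securityContext": {"runAsNonRoot": True},
         "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                       "limits": {"cpu": "500m", "memory": "256Mi"}},
         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}},
        {"name": "sidecar", "securityContext": {"privileged": True},
         "resources": {"limits": {"memory": "64Mi"}}},
    ]}}},
}
```

Running `evaluate(SAMPLE_DEPLOYMENT)` reports seven findings, all but one caused by the `sidecar` container; the same checks can be wired into a CI step or an admission webhook so a non-compliant manifest is rejected before it reaches the cluster.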
Select a Policy-Driven Configuration Validation Platform
Using a platform, your team can take action immediately by fixing inconsistencies and enforcing the policy throughout your continuous integration/continuous delivery (CI/CD) pipeline. While there is a software expense for this option, it’s offset by the time your team would otherwise spend developing, deploying, and managing different tooling when building your own solution or independently running open source tools.
Avoid security incidents, downtime, and inconsistencies across multiple clusters and users
Environments with multiple Kubernetes clusters and multiple users introduce inconsistencies, and managing cluster inconsistencies is time consuming, inefficient, and prone to human error. To improve your Kubernetes security and reliability, you need Kubernetes Policy Enforcement that starts in your CI/CD pipeline and runs through production.
Read this white paper to learn what policies are essential and how to create and enforce Kubernetes policies.