Project post by the Cloud Custodian maintainers

This week the Cloud Custodian project, part of the CNCF incubator, added a Kubernetes admission controller for event-driven policy enforcement inside your cluster. The project also added support for running policies against HashiCorp Terraform code. With these additions, Cloud Custodian is a single tool for governing cloud-native infrastructure end to end: infrastructure as code (IaC), Kubernetes clusters, and cloud accounts. One policy language and one workflow replace the operational overhead of learning and maintaining several tools.

Cloud Custodian: The De Facto Standard for Public Cloud Governance

Cloud Custodian is a leading governance-as-code tool. With it, organizations use code to define and automatically enforce policies for cloud cost optimization, security, compliance, and operations without slowing developers down. Over the past few years, Cloud Custodian has become the de facto standard for public cloud governance. Thousands of organizations now rely on the tool, including Capital One, Code 42, Grupo, HBO Max, Intuit Inc, JP Morgan Chase & Co, Siemens, Premise Data, and Zapier.

Cloud Custodian is a lightweight tool built around a simple, declarative domain-specific language for policy authoring. Policies are therefore easy to write, read, and modify for development, operations, and security teams alike, and each policy can carry its own notifications and remediation actions. Cloud Custodian integrates tightly with serverless runtimes to provide real-time detection and remediation while keeping operational overhead low.

Cloud Custodian’s Simple Declarative Language and Experience Extend to Kubernetes Clusters

Cloud Custodian now brings the same experience, vocabulary, and ergonomics to policy enforcement in Kubernetes environments. Using the same language and tool, teams can establish automated detection and remediation in their Kubernetes clusters, and the new admission controller lets a policy decide on a resource at the time it is created or updated rather than after the fact.
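To make the admission-control use case concrete, here is an added example policy written in the Cloud Custodian YAML style; it is not code from the original post or from the project's documentation. The `k8s.deployment` resource type, the `k8s-admission` mode with `on-match` and `operations`, and the generic `value` filter are the project's constructs as this editor understands the Kubernetes provider's schema; the policy name and the `owner` label key are illustrative assumptions.

```yaml
# Added example (not from the original post): a Cloud Custodian policy
# that makes the Kubernetes admission controller reject any Deployment
# created or updated without an "owner" label.
#
# Assumptions for illustration: the policy name and the "owner" label
# key are made up; "k8s-admission", "on-match", "operations" and the
# "value" filter follow the Kubernetes provider's schema as the editor
# understands it. The webhook registration that points the API server
# at the controller is configured separately (see the project docs).
policies:
  - name: deployment-require-owner-label
    resource: k8s.deployment
    description: |
      Deny CREATE and UPDATE of a Deployment that carries no
      metadata.labels.owner. Roll out with on-match: warn first to
      audit the impact, then switch to deny.
    mode:
      type: k8s-admission
      on-match: deny
      operations:
        - CREATE
        - UPDATE
    filters:
      # "absent" is Custodian's special value meaning the key is missing.
      - type: value
        key: metadata.labels.owner
        value: absent
```

Two practical notes. `custodian validate <file>` checks a policy against the schema before it is deployed, which catches typos in `mode` or filter keys that would otherwise only surface when the webhook is hit. And the same `filters` block, with the `mode` section removed, is an ordinary pull-mode policy that reports Deployments already in the cluster that violate the rule, so the admission rule and the backlog scan share one definition.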

“Kubernetes adoption has rapidly grown within organizations and is moving beyond pilot projects,” said Sonny Shi, a Cloud Custodian maintainer and Staff Engineer at Stacklet. “We have had various requests from users within the community for Kubernetes support. Teams want to use Cloud Custodian for similar things in Kubernetes, such as enforcing labeling rules and regulatory compliance standards on their clusters. To meet these needs, we have added support for Kubernetes. These capabilities feature a familiar policy language and documentation, so it’s ready to use from day one.”

“Cloud Custodian has helped us enforce security guardrails while enabling our developers to innovate more quickly in the public cloud,” said Mrunal Shah, cloud native security leader at HBO Max. “I am excited to try Cloud Custodian for Kubernetes. Cloud Custodian’s YAML-based language is straightforward. These capabilities can simplify policy enforcement in Kubernetes, and reduce the number of tools we use to secure our cloud native infrastructure.”

Cloud Custodian Enables Proactive Policy Enforcement Against Terraform Code

More and more organizations are using infrastructure as code (IaC) tools, such as HashiCorp Terraform, to automate the deployment and provisioning of their cloud infrastructure. Because IaC source code and templates effectively define your cloud infrastructure, it is critical to ensure they comply with your organizational policies before they are applied.

Cloud Custodian users can now validate that their IaC complies with policy, shifting policy validation left: teams verify that IaC adheres to corporate cloud policy before that code is used to provision infrastructure, and developers can use the same check to test their IaC implementation as part of review or CI. In the latest release, Cloud Custodian adds support for HashiCorp’s Terraform language, with support for other IaC languages planned.
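As an added example of the shift-left check described above (not code from the original post or the project's own documentation), the following policies are written in the Cloud Custodian YAML style for evaluation against Terraform HCL. The `terraform.<type>` resource naming and the generic `value` filter are the project's IaC provider conventions as this editor understands them; the policy names, the `Owner` tag key and the chosen attributes are illustrative assumptions.

```yaml
# Added example (not from the original post): Cloud Custodian policies
# evaluated against Terraform source before "terraform apply" runs.
#
# Assumptions for illustration: resource types are the Terraform
# resource names prefixed with "terraform." as the IaC provider uses
# them, per the editor's understanding; the "Owner" tag key, the policy
# names and the attributes checked are made up for this example. Keys
# are JMESPath expressions over the parsed HCL attributes of each block.
policies:
  # 1. Every S3 bucket must declare an Owner tag in its HCL.
  - name: tf-s3-require-owner-tag
    resource: terraform.aws_s3_bucket
    description: aws_s3_bucket resources must carry tags.Owner.
    filters:
      - type: value
        key: tags.Owner
        value: absent

  # 2. Flag buckets whose HCL sets a public canned ACL.
  - name: tf-s3-no-public-acl
    resource: terraform.aws_s3_bucket
    description: aws_s3_bucket must not set a public-read* ACL.
    filters:
      - type: value
        key: acl
        op: in
        value:
          - public-read
          - public-read-write
```

Because these run against source, there is no credential or cloud API involved: the check can sit in a pre-commit hook or CI job on the repository that holds the Terraform, and a finding points at the offending file and block rather than at a resource that already exists. A policy that only flags a missing tag or a public ACL here will not catch values computed at apply time from variables or data sources, so the cloud-side policies remain the backstop.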

“Cloud Custodian enables you to check cloud deployments against policy and remedy policy violations,” said Kapil Thangavelu, Cloud Custodian creator and maintainer and CTO at Stacklet. “With the tool’s new shift-left capabilities, teams can run policy validation earlier and fix issues at the source. All these additional capabilities enable you to use the same language, tools, and workflows to enforce governance of your entire cloud native infrastructure.” 

Resources 

Cloud Custodian Website 

Cloud Custodian Github

Cloud Custodian Slack

Getting Started with Kubernetes