Product In-Depth: Centralized Policy Management

Policy as Code Security as Code

Central Policy Builder and Manager

Centralized Policy Management

In today’s landscape, we are free to architect our stack in whatever way we want. With competitive public cloud offerings and managed services, we design our solutions based on quite a number of factors. Choosing different solutions doesn’t become a real issue as long as your solution is agnostic to (or integrates with) what you are already running under the hood.

Kubernetes itself is a great example of that because it practically runs anywhere, but even that is becoming a bit challenging. Public clouds are starting to offer their own solutions on top of their Kubernetes solutions, limiting the seamless forklifting ability Kubernetes provides when trying to leverage different platforms.

Policy-as-code solutions offered by cloud providers can put you in a secure position, but when one set of rules has to be duplicated across different implementations, keeping those copies in sync becomes an extra task and a pain. What I'm saying here is that if Cloud Provider X has its own opinionated way of implementing policy-as-code, it probably won't extend outside of their platform.

Magalix is cloud and vendor agnostic, taking full advantage of running wherever Kubernetes lives. No matter where your clusters live, or who manages them, our policies can be written once and enforced everywhere. Our policies are built using Rego, not another proprietary domain-specific language, so the same policies you use with your open-source solution are the same ones we use.

Policy Creation, Simplified

If you've dabbled in any policy-as-code solution, you'll find the policy development lifecycle a bit cumbersome. A challenge that I've encountered when developing Rego (Open Policy Agent) to be used with Kubernetes and Admission Controllers is that my Kubernetes deployable artifacts are described in a YAML file, but Rego supports JSON.

In my policy development lifecycle, I want to test my existing YAML files against my Rego directly. This alleviates me from having to create mock data. I've also realized that the structure of my YAML artifact and the structure of the Admission Control request are different, so applying my Rego Policy to my YAML-turned-JSON still doesn't work correctly.

# Helper used by controller_spec: true when kind is a member of the set kinds
contains_kind(kind, kinds) {
    kinds[kind]
}

controller_spec = input.review.object.spec.template.spec {
    # Workload kinds that embed a pod template under spec.template
    contains_kind(input.review.object.kind, {"StatefulSet", "DaemonSet", "Deployment", "Job"})
} else = input.review.object.spec {
    # A bare Pod carries its pod spec at the top level
    input.review.object.kind == "Pod"
} else = input.review.object.spec.jobTemplate.spec.template.spec {
    # CronJob nests the pod template one level deeper
    input.review.object.kind == "CronJob"
}
Taken from one of our out-of-the-box Policies, controller_spec looks for the path input.review.object.spec.template.spec, but my deployment.yaml below only has input.spec.template.spec. The manifest has no review.object level at all (input is a required prefix in Rego, but review.object is added by the AdmissionReview request, not by the YAML).

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoservice
  labels:
    app: demoservice
    owner: Magalix
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoservice
  template:
    metadata:
      labels:
        app: demoservice
    spec:
      # pod spec (containers, etc.) continues here; truncated in the original post
Our Policy Management solves these problems by allowing you to test the actual artifacts against a Policy directly. Through our API or with our Rego Playground, test your IaC or Kubernetes artifact in its YAML format against the Policy to know its state before applying it to a cluster. We also provide policy testing against artifacts already deployed to your cluster. If you wanted to know if a previously deployed pod would be in violation, test it in our Rego Playground.

Rego Playground has been designed with the policy developer in mind. Debug a Policy using the actual YAML artifacts deployed to a Kubernetes cluster, and check its compliance status with an immediate result.

For those who don't have the time to learn another domain-specific language, our Policy Management library makes it easy to adapt any one of our out-of-the-box Policies to your infrastructure by simply filling in the blank.

Centralized Policy Management

In the above example, one of our Policies prevents the use of the latest tag for my containers. All I had to do was fill in the parameter image_tag with latest.
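To tie the two points above together (the AdmissionReview-shaped input that controller_spec expects, and the fill-in-the-blank image_tag policy), here is an added, self-contained Rego example. It is not Magalix's own policy code: the contains_kind helper, the as_review wrapper, the image_tag_of function and the constructed demoservice manifest are all assumptions made for this example. It goes slightly beyond the post in two ways: an image reference with no explicit tag is treated as latest (which is what a container runtime does by default), and initContainers are checked alongside containers. Pinning a mutable tag such as latest matters because the same manifest can pull different image contents over time, which defeats reproducible, reviewable deployments. The file uses the pre-1.0 Rego syntax the post uses, so on OPA 1.x run it with the v0 compatibility flag.

```rego
package magalix.examples.latest_tag

# Helper assumed by the controller_spec snippet in the post:
# true when kind is a member of the set kinds.
contains_kind(kind, kinds) {
    kinds[kind]
}

# Resolve the pod spec for each workload kind, following the post's
# controller_spec rule. Everything is read from input.review.object, so a
# raw manifest must be wrapped (see as_review) before it is evaluated.
controller_spec = input.review.object.spec.template.spec {
    contains_kind(input.review.object.kind, {"StatefulSet", "DaemonSet", "Deployment", "Job"})
} else = input.review.object.spec {
    input.review.object.kind == "Pod"
} else = input.review.object.spec.jobTemplate.spec.template.spec {
    input.review.object.kind == "CronJob"
}

# Stand-in for the fill-in-the-blank parameter the post describes.
image_tag := "latest"

# Extract the tag from an image reference. A reference without an explicit
# tag defaults to "latest" (the runtime's behaviour), so it is reported too.
# A registry port such as "registry:5000/app" is not mistaken for a tag.
image_tag_of(image) = tag {
    parts := split(image, ":")
    count(parts) > 1
    last := parts[count(parts) - 1]
    not contains(last, "/")
    tag := last
} else = "latest" {
    true
}

# Containers and initContainers of the resolved pod spec. Undefined (hence no
# violations) for kinds controller_spec does not know about.
all_containers = cs {
    cs := array.concat(
        object.get(controller_spec, "containers", []),
        object.get(controller_spec, "initContainers", []))
}

# One violation message per container whose tag equals the parameter.
violation[msg] {
    container := all_containers[_]
    image_tag_of(container.image) == image_tag
    msg := sprintf("container %q uses image %q with the forbidden tag %q",
        [container.name, container.image, image_tag])
}

# Wrap a plain manifest the way an AdmissionReview presents it. This is the
# structural gap the post describes between deployment.yaml and the policy.
as_review(obj) = r {
    r := {"review": {"object": obj}}
}

# Constructed Deployment for the tests (the pod spec the post truncates is
# filled in here with sample containers).
demo_deployment := {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demoservice"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "demoservice", "image": "demoservice:latest"},
        {"name": "sidecar", "image": "registry:5000/proxy:1.4.2"}
    ]}}}
}

# Run with: opa test latest_tag.rego -v   (add --v0-compatible on OPA 1.x)
test_latest_tag_is_reported {
    wrapped := as_review(demo_deployment)
    msgs := violation with input as wrapped
    count(msgs) == 1
    contains(concat("", msgs), "demoservice:latest")
}

test_pinned_tags_pass {
    pinned := json.patch(demo_deployment, [{
        "op": "replace",
        "path": "/spec/template/spec/containers/0/image",
        "value": "demoservice:1.4.2"
    }])
    wrapped := as_review(pinned)
    count(violation) == 0 with input as wrapped
}

test_untagged_pod_image_is_reported {
    pod := as_review({"kind": "Pod", "spec": {"containers": [
        {"name": "app", "image": "demoservice"}
    ]}})
    count(violation) == 1 with input as pod
}
```

The as_review wrapper is the whole trick for local testing: convert the YAML manifest to JSON, nest it under review.object, and the same policy that runs behind the admission webhook evaluates it unchanged, so no mock data has to be hand-written.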

The Power of Policy Management

Magalix Policy Management doesn't just cover Kubernetes objects. It also supports Infrastructure-as-Code, because a stack is more than just Kubernetes, containers, and microservices. Your infrastructure still needs to be managed, secured, and kept compliant.

In what I would call my hardcore DevOps days, you might say I was somewhat of a perfectionist. Being the first DevOps engineer in a growing startup, I required standards when anything new was spun up. Whatever was shipped had to conform to all the tools and infrastructure I already had put in place. As my team grew and without a solution in place, maintaining standards was not possible.

Policy Management brings that uniformity to your IaC by enforcing those standards as code. Misconfigured codified infrastructure has a long feedback loop and costs you time and money. For those who need to meet regulatory and industry standards, falling out of compliance brings additional complications and risk. Since we're already working with code, create a new CI/CD job that runs a policy check and returns results instantly. Fail the build on a violation and add it to the test results. There's no reason that policy development has to deviate from your existing software development flow.

With Magalix, achieving DevSecOps isn’t as difficult as you may have been led to believe. Interested in learning more about how to start resolving violations in minutes?

Explore Magalix Policy Library with a 30-day free trial

Conclusion

When trying something new, there is always a learning curve. In our world, many of us want to learn everything, but the reality of our responsibilities can deprioritize those efforts. Sometimes, you just want it done and working so it can add immediate value.

Write policies once, apply them everywhere, and at any point in the supply chain. Magalix offers hundreds of out-of-the-box, fill-in-the-blank policies, developed for your convenience so you can be compliant today, prevent violations tomorrow, and learn about policies when time permits.
