Policies, Workflows, and Analytics
When working with policy-as-code there are 3 distinct areas that make up the policy-as-code ecosystem: policies, workflows, and analytics. It starts with the codified policy, continues with when and how those policies are enforced, and ends with knowing what is in violation. Let's walk through a real-world scenario of how these 3 come together to ensure compliance is handled appropriately.
A Real World Scenario
A screen capture of the Top Violating Policies found on your Magalix Console Dashboard.
One of our most essential Policies prevents containers from running as the root user. When you containerize a microservice, the container runs as root unless you explicitly specify otherwise. Technologists who are not concerned with security probably don't realize this, but if you are security conscious, creating a policy to block this behavior across your entire stack makes a lot of sense.
With Magalix, you get a sense out-of-the-box of just where these vulnerabilities exist. Using this information, the next step is to resolve all cases where applicable and then implement a long-term solution to prevent new instances of this violation from occurring. But without the right education and tools, you'll never catch up with the multitude of deployments that happen every day unchecked and misconfigured.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoservice
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoservice
  template:
    metadata:
      labels:
        app: demoservice
    spec:
      # no securityContext: the container runs as the image's default user, root
      containers:
        - name: demoservice
          command: ["node", "app.js"]
          image: demoservice:latest
```
An example Kubernetes deployment running as root
Continuing with our example, running as root is actually easier than not running as root, because root is the default user. Misconfiguration, or rather a lack of configuration, is therefore likely in this case. Now imagine having to check (or fix) this every time a service is deployed. This is a typical driver for those looking to adopt a policy-as-code solution: there is a need to catch these violations before they enter the environment.
Incorporating policy checks into your SDLC, or Workflows, alleviates some of the challenge of continuously fixing the same entities that cause the same violations again and again. Magalix simplifies the "shift left" process with our "write once, apply everywhere" model: the Policies used to detect violations in your run-time environments are the same Policies used in your CI/CD jobs. Any entity that is about to enter the stack is checked for compliance early in the Workflow, so those who develop it are also accountable for it being, and remaining, compliant.
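The two passages above describe the same check at two points in time: the container-running-as-root policy that catches the default-root misconfiguration, and the shift-left workflow that runs that same policy against manifests before they enter the cluster. The following is an added example of such a CI gate, written for this page and not Magalix's own policy engine or code. It evaluates the effective securityContext of every container (container-level fields override pod-level ones) and fails the job unless each container is pinned to a non-root user. The three manifests are constructed samples: the first mirrors the post's demoservice Deployment, the second is its hardened form, and the third shows a pod-level setting undone by a container override. Names such as `gate` and `may_run_as_root` are this example's own; a real pipeline would load the manifests from YAML rather than embed them as dicts.

```python
"""Shift-left gate: flag Kubernetes workloads whose containers may run as root.

Added example, not Magalix code. Manifests below are constructed samples."""

import sys

# Kinds that wrap a PodSpec under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(manifest):
    """Return the PodSpec of a Pod or templated workload; None for other kinds."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec") or {}
    if kind in TEMPLATED_KINDS:
        return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}
    return None


def may_run_as_root(pod_sc, container):
    """True when nothing in the effective securityContext rules out UID 0.

    Container-level fields override pod-level ones, so the two contexts are
    merged field by field before evaluation."""
    sc = {**(pod_sc or {}), **(container.get("securityContext") or {})}
    uid = sc.get("runAsUser")
    if uid == 0:                  # explicitly root, even if runAsNonRoot is also set
        return True
    if sc.get("runAsNonRoot") is True:
        return False              # kubelet refuses to start the container as UID 0
    return uid is None            # non-zero UID is fine; no UID means image default, often root


def violations(manifest):
    """List every container in the manifest that may run as root."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    meta = manifest.get("metadata") or {}
    entity = f"{manifest['kind']}/{meta.get('name', '<unnamed>')}"
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return [
        f"{entity}: container '{c.get('name')}' may run as root"
        for c in containers
        if may_run_as_root(pod_sc, c)
    ]


def gate(manifests):
    """CI entry point: return (ok, findings) across a set of parsed manifests."""
    findings = [v for m in manifests for v in violations(m)]
    return (not findings, findings)


# Constructed sample: the post's demoservice, no securityContext at all.
DEMO_AS_ROOT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demoservice"},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [
        {"name": "demoservice", "image": "demoservice:latest",
         "command": ["node", "app.js"]}]}}},
}

# Constructed sample: the hardened form, pinned to a non-root UID at pod level.
DEMO_HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demoservice"},
    "spec": {"replicas": 1, "template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "demoservice", "image": "demoservice:latest",
             "command": ["node", "app.js"]}]}}},
}

# Constructed sample: pod-level non-root setting silently undone by a container override.
DEMO_OVERRIDDEN = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"runAsUser": 0}}]},
}

if __name__ == "__main__":
    ok, findings = gate([DEMO_AS_ROOT, DEMO_HARDENED, DEMO_OVERRIDDEN])
    for finding in findings:
        print(finding)
    sys.exit(0 if ok else 1)  # a non-zero exit fails the CI job
```

Run as a CI step, the non-zero exit blocks the merge or deploy; the same `violations` function can be pointed at manifests pulled from a live cluster, which is the "write once, apply everywhere" idea in miniature. The override case matters because a pod-level `runAsNonRoot` is easy to mistake for a guarantee when a container's own `runAsUser: 0` wins.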
Analytics provides the necessary visibility into your compliance posture with a robust and detailed breakdown of the state of each Policy. The Magalix Dashboard gives you an overall view of compliance across all of your clusters, regardless of where your clusters are hosted and who is managing them.
The Magalix Dashboard
To complete our scenario, Magalix provides verbose information about each Policy, the number of violations, and when those violations occurred. We can further drill down into the Container Running as Root Policy Violation and find the list of violating entities and historical data. Having the ability to assess one policy across multiple clusters can help your overall risk assessment. Are these violations indicative of a larger issue, or are they one-offs? Does something in the process need to change? It's not just about Policy Violation remediation, but also understanding violation trends and having the necessary insights (and capabilities) to prevent those same violations from triggering in the future.
Container Running as Root Policy Violation
Security, governance, and compliance are requirements everyone must consider day-to-day, but we're human, and as a group it sometimes takes a few iterations of getting it wrong before we start getting it right. In my own experience, this type of effort in an extremely large organization can take up to several years. Being proactive isn't just about implementing new CI/CD steps but also about educating the team and shifting the culture a bit.
With Magalix, we turn those years of effort into minutes. Without any additional configuration, you immediately learn about your security posture using our built-in Policy library. Once you have a handle on your run-time environments, shift those same policies left by incorporating them into your Workflow. With the provided dashboard and reporting features, gain insights from our rich Analytics. When you encounter an error, examine the in-depth details so you know what's happening immediately.