Securing the Rest of the Stack
Teams with high throughput share the common trait of having a “getting things done” attitude. Ironically, the team usually gets things done only so they can do more things. The internal Site Reliability team here @magalix is in that same camp. Since we are already governing our Kubernetes clusters using the Magalix Policy Engine, we decided to extend our internal Policy library to cover additional open source applications running on Kubernetes. These new Policies provide a new level of governance and security to applications that many of us already use in production. From this internal initiative, we have decided to make those Policies available to all users.
The Magalix Policy Library now includes Policies that support common backend applications that typically fall under the management of a Systems team. These are the caches, datastores, and queues that microservices use to complete their request lifecycle. In many cases, these applications use environment variables to configure authentication credentials. Not assigning these variables is an open invitation for unauthorized access since a default configuration typically means no credentials are set. Internally, this wasn’t something we could overlook so it made sense to enforce the declaration of environment variables with a Policy.
How it Works
In the following example, we are going to deploy MYSQL to a Kubernetes cluster using the official Docker image. Our deployment should have the environment variable MYSQL_PASSWORD set. We also don't want MYSQL_ALLOW_EMPTY_PASSWORD used, because it allows a blank password for the root user.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:8.0.24
        name: mysql
        env:
        # Only the insecure variable is set; MYSQL_PASSWORD is missing,
        # so this manifest violates both Policies discussed below.
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "true"
        ports:
        - containerPort: 3306
          name: mysql

Example MYSQL deployment.yaml
We are only highlighting these 2 Policies to showcase how our Policies take effect. In a production environment, it would be recommended to enable all of the Policies related to usernames and passwords.
A listing of our Magalix MYSQL Policies
Enabling a MYSQL Policy is as simple as clicking a switch. We have enabled the Policies:
- MYSQL Prevent Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
  - This Policy ensures MYSQL_ALLOW_EMPTY_PASSWORD is not declared.
- MYSQL Enforce Environment Variable - MYSQL_PASSWORD
  - This Policy ensures MYSQL_PASSWORD is declared.
After enabling them, MYSQL entities are scanned for violations against those Policies. As shown earlier in our deployment.yaml image, this MYSQL instance has only MYSQL_ALLOW_EMPTY_PASSWORD set, resulting in a violation of both Policies. When opening our Dashboard, you can see that both Policies have 1 violation.
By drilling down into each Entity and viewing the Evidence you’ll find the same content as the deployment.yaml shown above.
The Policy is in violation since MYSQL_PASSWORD is not set.
Creating your Policy
If an in-house developed microservice or new application requires environment variables to be set, enforce those by creating your own Policies. Policies are based on Templates, so creating your own can be done within minutes with no prior knowledge of OPA (Rego) or of how the Policy Engine works. Following our previous example, all you need is the image name and the environment variable that must be set.
The customization of Policies can be applied to any template, not just this one. Simply create your Policy from the Template page in our console, enter the values, and you are set. We enforce no cap on the number of Policies you can apply so create as many Policies as necessary.
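To make the two checks concrete, here is an added example (not Magalix's Policy Engine or its Rego Templates) that evaluates the same "Enforce Environment Variable" and "Prevent Environment Variable" rules from the MYSQL walkthrough against a Deployment, generalized to any image name and any list of variables, as the custom-Policy flow above allows. The deployment dict is a constructed copy of the post's deployment.yaml; a variable supplied via valueFrom (for example a Secret) counts as declared.

```python
# Constructed sample: the post's deployment.yaml as a Python dict.
# Only MYSQL_ALLOW_EMPTY_PASSWORD is set, so both Policies should fire.
MYSQL_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "mysql"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "mysql", "image": "mysql:8.0.24",
         "env": [{"name": "MYSQL_ALLOW_EMPTY_PASSWORD", "value": "true"}]},
    ]}}},
}


def image_repo(image):
    """'docker.io/library/mysql:8.0.24' -> 'mysql' (drop registry, tag, digest)."""
    name = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return name.split(":", 1)[0]


def declared_env(container):
    """Names of env vars set on a container, whether via value or valueFrom."""
    return {e["name"] for e in container.get("env", []) if "name" in e}


def evaluate(deployment, image, enforce=(), prevent=()):
    """Return violation strings for every container running `image`.

    enforce: env var names that must be declared (e.g. MYSQL_PASSWORD).
    prevent: env var names that must not be declared (e.g. MYSQL_ALLOW_EMPTY_PASSWORD).
    """
    violations = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        if image_repo(c.get("image", "")) != image:
            continue  # Policy is scoped to one image, like the Template
        env = declared_env(c)
        for var in enforce:
            if var not in env:
                violations.append(f"{c['name']}: {var} must be declared")
        for var in prevent:
            if var in env:
                violations.append(f"{c['name']}: {var} must not be declared")
    return violations


if __name__ == "__main__":
    for v in evaluate(MYSQL_DEPLOYMENT, "mysql",
                      enforce=["MYSQL_PASSWORD"],
                      prevent=["MYSQL_ALLOW_EMPTY_PASSWORD"]):
        print("violation:", v)
```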
Whether you are leveraging Policies from our ever-growing list or extending on your own with custom Policies, governing your Kubernetes cluster and the applications that run on top of it shouldn't be a difficult task. Enforce and understand your governance posture by enabling Policies with a single click. Letting your running environment report its current state gives you an accurate picture of what's going on right now and brings you one step closer to becoming compliant.
When all is said and done, knowing there is a solution in place to continuously monitor for violations allows more time for the next thing on your list. For us here at Magalix, governing our applications has opened the door for new enhancements so stay tuned, we have a lot to show you in the next few months.
At Magalix, we help enterprises define, manage, and deploy custom governance policies as policy-as-code using a robust OPA policy execution engine. We also help DevOps teams implement proper workflows and playbooks to ensure security and compliance.