

Product In-Depth: Securing Applications in Kubernetes with Policies

Policy as Code Security as Code

Securing the Rest of the Stack

Teams with high throughput share the common trait of having a “getting things done” attitude. Ironically, the team usually gets things done only so they can do more things. The internal Site Reliability team here at Magalix is in that same camp. Since we are already governing our Kubernetes clusters using the Magalix Policy Engine, we decided to extend our internal Policy library to cover additional open source applications running on Kubernetes. These new Policies provide a new level of governance and security to applications that many of us already use in production. From this internal initiative, we have decided to make those Policies available to all users.

The Magalix Policy Library now includes Policies that support common backend applications that typically fall under the management of a Systems team. These are the caches, datastores, and queues that microservices use to complete their request lifecycle. In many cases, these applications use environment variables to configure authentication credentials. Not assigning these variables is an open invitation for unauthorized access, since a default configuration typically means no credentials are set. Internally, this wasn’t something we could overlook, so it made sense to enforce the declaration of environment variables with a Policy.

How it Works

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:8.0.24
        name: mysql
        env:
        # Deliberately insecure: allows a blank root password and no
        # MYSQL_PASSWORD is declared, so both Policies below will flag it.
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "true"
        ports:
        - containerPort: 3306
          name: mysql

Example MYSQL deployment.yaml

In this example, we are going to deploy MySQL to a Kubernetes cluster using the official Docker image. Our deployment should have the environment variable MYSQL_PASSWORD set. We also don’t want MYSQL_ALLOW_EMPTY_PASSWORD used, because this allows a blank password for the root user.

We are only highlighting these two Policies to showcase how our Policies take effect. In a production environment, we recommend enabling all of the Policies related to usernames and passwords.

[Figure: a listing of the Magalix MYSQL Policies]

Enabling a MYSQL Policy is as simple as clicking a switch. We have enabled the Policies:

  • MYSQL Prevent Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
    • This policy ensures MYSQL_ALLOW_EMPTY_PASSWORD is not declared.
  • MYSQL Enforce Environment Variable - MYSQL_PASSWORD
    • This policy ensures MYSQL_PASSWORD is declared.

After enabling them, MYSQL entities are scanned for violations against those Policies. As shown earlier in our deployment.yaml, this MySQL instance has only MYSQL_ALLOW_EMPTY_PASSWORD set, resulting in a violation of both Policies. When opening our Dashboard, you can see that both Policies have 1 violation.

[Figure: Dashboard showing one violation for each of the two Policies]

By drilling down into each Entity and viewing the Evidence you’ll find the same content as the deployment.yaml shown above.

[Figure: Evidence view for the mysql Deployment. The Policy is in violation since MYSQL_PASSWORD is not set.]

Creating your Policy

If an in-house developed microservice or new application requires environment variables to be set, enforce those by creating your own Policies. Policies are based on Templates, so creating your own can be done within minutes with no prior knowledge of OPA (Rego) or how the Policy Engine works. Following our previous example, all you would need is the image name and which environment variable you need set.

[Figure: creating a custom Policy from a Template in the Magalix console]

The customization of Policies can be applied to any Template, not just this one. Simply create your Policy from the Template page in our console, enter the values, and you are set. We enforce no cap on the number of Policies you can apply, so create as many Policies as necessary.
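To make the two checks above concrete, here is an added example (written for this post, not the Magalix Policy Engine or its Rego Templates) of the same logic as a small policy-as-code evaluator. A Policy is modelled exactly as the custom-Policy flow describes it, an image name plus an environment variable name, with an "enforce" or "prevent" mode. The manifest is the post's deployment.yaml expressed as a Python dict so the script runs without PyYAML; the remediated variant and its Secret name are constructed for the example. One detail worth noting: a variable supplied through valueFrom/secretKeyRef counts as declared, so the Policy is satisfied without putting the password in the manifest.

```python
"""Environment-variable Policies evaluated against a Kubernetes Deployment.

Constructed example for this post, not the Magalix Policy Engine or its Rego
Templates. A Policy is an image name plus an environment variable name, as in
the custom-Policy flow described above; the manifest is the post's
deployment.yaml as a Python dict so the script runs without PyYAML.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class EnvPolicy:
    name: str     # Policy name as shown in a dashboard
    image: str    # image repository the Policy applies to, e.g. "mysql"
    env_var: str  # environment variable the Policy looks at
    mode: str     # "enforce": must be declared; "prevent": must not be


def image_repository(image: str) -> str:
    """Strip tag or digest: 'mysql:8.0.24' -> 'mysql'. A ':' before the
    last '/' is a registry port and is kept."""
    repo = image.split("@", 1)[0]
    if repo.rfind(":") > repo.rfind("/"):
        repo = repo[: repo.rfind(":")]
    return repo


def policy_applies(policy: EnvPolicy, image: str) -> bool:
    """Match the full repository or its last path component, so
    'docker.io/library/mysql' is covered by a Policy written for 'mysql'."""
    repo = image_repository(image)
    return repo == policy.image or repo.rsplit("/", 1)[-1] == policy.image


def declared_env_names(container: dict[str, Any]) -> set[str]:
    """Names under env:, set by a literal value or by valueFrom. A
    secretKeyRef entry counts as declared: the Policy checks that the
    variable exists, not its value, so the password can stay in a Secret."""
    return {e["name"] for e in container.get("env", []) if "name" in e}


def evaluate(policies: list[EnvPolicy], deployment: dict[str, Any]) -> list[str]:
    """One violation message per (Policy, container) pair that fails."""
    violations: list[str] = []
    dep = deployment.get("metadata", {}).get("name", "<unnamed>")
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        env = declared_env_names(c)
        for p in policies:
            if not policy_applies(p, c.get("image", "")):
                continue
            if p.mode == "enforce" and p.env_var not in env:
                violations.append(f"{p.name}: {dep}/{c['name']} does not declare {p.env_var}")
            elif p.mode == "prevent" and p.env_var in env:
                violations.append(f"{p.name}: {dep}/{c['name']} declares {p.env_var}")
    return violations


# The two Policies enabled in the post.
MYSQL_POLICIES = [
    EnvPolicy("MYSQL Prevent Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD",
              "mysql", "MYSQL_ALLOW_EMPTY_PASSWORD", "prevent"),
    EnvPolicy("MYSQL Enforce Environment Variable - MYSQL_PASSWORD",
              "mysql", "MYSQL_PASSWORD", "enforce"),
]


def mysql_deployment(env: list[dict[str, Any]]) -> dict[str, Any]:
    """The post's deployment.yaml with the given env: block."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "mysql"},
            "spec": {"template": {"spec": {"containers": [
                {"image": "mysql:8.0.24", "name": "mysql", "env": env,
                 "ports": [{"containerPort": 3306, "name": "mysql"}]}]}}}}


# As deployed in the post: only MYSQL_ALLOW_EMPTY_PASSWORD is set.
POST_DEPLOYMENT = mysql_deployment([{"name": "MYSQL_ALLOW_EMPTY_PASSWORD", "value": "true"}])

# Remediated (constructed): the empty-password switch is gone and
# MYSQL_PASSWORD comes from a Secret whose name is a placeholder.
FIXED_DEPLOYMENT = mysql_deployment([{"name": "MYSQL_PASSWORD", "valueFrom": {
    "secretKeyRef": {"name": "mysql-credentials", "key": "password"}}}])


def check_post_deployment() -> list[str]:
    return evaluate(MYSQL_POLICIES, POST_DEPLOYMENT)


def check_fixed_deployment() -> list[str]:
    return evaluate(MYSQL_POLICIES, FIXED_DEPLOYMENT)


if __name__ == "__main__":
    for v in check_post_deployment():
        print("VIOLATION:", v)
    print("fixed deployment:", check_fixed_deployment() or "compliant")
```

Run as a script, it reports the two violations the Dashboard shows for the post's manifest and none for the remediated one. A custom Policy for an in-house service is just another EnvPolicy with that service's image name and variable; the image match is deliberately loose (last path component), so pin the full repository in the Policy if a registry hosts several images with the same final name.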

Conclusion

Whether you are leveraging Policies from our ever-growing list, or extending out on your own with custom Policies, governing your Kubernetes cluster and the applications that run on top shouldn’t be a difficult task. Enforce and understand your governance posture by enabling Policies with a single click. Allowing your running environment to inform you of your current position provides you an accurate representation of what’s going on right now, and brings you one step closer to becoming compliant.

When all is said and done, knowing there is a solution in place to continuously monitor for violations allows more time for the next thing on your list. For us here at Magalix, governing our applications has opened the door for new enhancements, so stay tuned: we have a lot to show you in the next few months.
