Over the last couple of years, Kubernetes has seen rapid adoption, firmly establishing itself as the leader in the container orchestration space. Dan Kohn, CNCF’s executive director, predicts that most of the world’s legacy software, worth about $100 trillion in net GDP, will eventually be brought to Kubernetes for better operation.
The fact that Kubernetes is very easy to get up and running is one of the reasons behind this accelerating adoption. Any developer can spin up a cluster with a few nodes running containerized applications in a matter of minutes.
However, running mission-critical applications in production, with the required framework for Security, Governance, Compliance, Operational, and Disaster Recovery in place, is a totally different ballgame.
Organizations usually have robust Governance, Compliance, and Operational frameworks supporting their applications, infrastructure, and technology. These frameworks evolve over time and absorb a great deal of internal tribal expertise, making them unique to each company.
For Kubernetes to see Enterprise adoption at the level Dan Kohn envisages, it requires an equally robust collection of resources that enable enterprises to build comprehensive Governance, Compliance, and Operational frameworks around it.
We will look at a governance and compliance system for Kubernetes in this post. We will identify the individual characteristics of such a framework, as well as open-source and native Kubernetes tooling that can support some of these features.
Before we do that, let’s quickly review the Governance and Compliance principles, and why the adoption of the cloud, and now Kubernetes, requires this new framework.
Governance & Compliance Principles
At its most basic level, Governance refers to a set of rules that allow companies to minimize risk, control costs, and drive efficiency, transparency, and accountability. Governance rules are codified as policies, which are then implemented for a consistent governance framework across the enterprise.
Once governance rules and policies are defined and codified, businesses need to make sure that they are enforced. This process of monitoring and ensuring that Governance policies are followed is known as compliance.
Now that we’ve examined Governance and Compliance principles and defined key drivers of a governance framework, let’s look at the individual elements of such a framework through Kubernetes’ lens. We will also review both native and open source tools that allow us to manage these Governance Framework elements.
Authentication, Authorization & Access Control
Together, authentication, authorization, and access control tooling allow organizations to identify users, implement a security paradigm, and govern resource utilization.
Authentication is the process of identifying users before they are given access to resources. Users can be authenticated in Kubernetes either as user accounts or as service accounts. User accounts generally refer to accounts generated and managed by Kubernetes administrators and allotted to team members, while service accounts are created automatically for individual processes by the Kubernetes API and are bound to specific namespaces. Kubernetes admins can also create service accounts manually by calling the API.
Kubernetes supports various authentication methods ranging from X509 client certificates and static token files to service account tokens and OpenID Connect tokens. Other authentication protocols, like LDAP, SAML, and Kerberos, can also be integrated.
Together, these authentication strategies provide enterprises with a wide range of options for implementing a secure authentication regime for their Kubernetes environments.
Once users are authenticated, they must next be authorized. Authorization is the process of granting access to Kubernetes resources to subjects (groups, user accounts, service accounts).
Kubernetes supports several authorization modules, including Webhook, Node, and RBAC. Node authorization is specific to kubelets and authorizes the API requests they make.
Kubernetes RBAC permits the creation of a set of rules (permissions) packaged as Roles. Roles are then assigned to users or service accounts using RoleBindings. With Kubernetes Roles, cluster administrators define both the resources that users can access (pods, clusters, etc.) and the actions (verbs: get, list, update, etc.) that users are allowed to perform on those resources.
By default, Roles are scoped to a specific namespace and can only grant permissions to resources within that namespace.
Kubernetes RBAC provides fine-grained access control to cluster administrators and helps them to manage the use of Kubernetes resources in compliance with the overall governance structure.
Besides authentication and authorization, Kubernetes also includes an additional layer that filters API requests. This set of filters is called Admission Controllers and comes into play after a request has been authenticated and authorized.
Policy and Compliance
Policies are governing rules that express how management wants a system to behave. Every organization has a set of policies that reflect its unique requirements in cost management, security, tribal knowledge, legislative landscape, and internal conventions. This is also true for Kubernetes, where IT Managers and Kubernetes administrators need more control over how Kubernetes is being used and how it operates within the business.
Once policies have been defined, they need to be monitored and enforced as part of internal compliance.
Kubernetes Admission Webhooks allow organizations to integrate custom administration and compliance policies into their Kubernetes environments. An Admission Webhook is a type of admission controller that acts as an additional filter on requests to create, update, or delete Kubernetes resources. A request is only admitted after it has been reviewed by every currently active Admission Controller.
Admission Webhooks come in two flavors: Mutating and Validating. Validating Admission Webhooks can only accept or reject requests based on whether they comply with custom policies, while Mutating Admission Webhooks can also modify requests, for example to enforce default settings.
Kubernetes also offers a set of hard-coded standard admission controllers that reflect commonly enforced policies.
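As an added illustration, not part of the original post, this is what registering a Validating Admission Webhook with the API server looks like. The webhook name, the `policy-system` namespace and service, the `/validate` path and the CA bundle placeholder are assumed; a MutatingWebhookConfiguration has the same shape.

```yaml
# Added example, not from the original article. Names, namespace, service
# and path are assumed; the caBundle value is a placeholder.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-policy.example.com
webhooks:
- name: image-policy.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None            # the webhook only answers allow/deny, no external effects
  failurePolicy: Fail          # if the webhook is unreachable, reject the request (fail closed)
  matchPolicy: Equivalent
  timeoutSeconds: 5
  namespaceSelector:           # do not gate the control plane or the webhook's own namespace
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system", "policy-system"]
  rules:                       # which requests are sent to the webhook for review
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
    scope: Namespaced
  clientConfig:
    service:
      namespace: policy-system
      name: image-policy-webhook
      path: /validate
      port: 443
    caBundle: <base64-encoded PEM bundle of the CA that signed the webhook's serving certificate>
```

Two settings carry most of the security weight. `failurePolicy: Fail` means an outage of the webhook blocks the matched requests rather than silently letting unreviewed ones through, which is what `Ignore` would do. The `namespaceSelector` keeps the webhook from reviewing pods in its own namespace and in `kube-system`; without that exclusion, a crashed webhook could prevent its own pods, and control-plane pods, from being recreated.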
Open Policy Agent (OPA), a CNCF project, is a great tool that allows organizations to easily create and enforce custom policies for their Kubernetes environments.
As Kubernetes sees increasing enterprise adoption, the focus is shifting to topics such as security, governance, compliance, and operations. Although vastly feature-rich, a bare-bones Kubernetes environment falls short when it comes to these business requirements.