Kubernetes Policy Management
/ 3 min read
kubernetes , k8s , policy , opa , kyverno , security , devops , cloud-native , containers , series:kubernetes:22
Understanding Policy Management
Policy management in Kubernetes ensures compliance, security, and operational best practices across your clusters through automated enforcement of rules and constraints.
Policy Engines
1. Open Policy Agent (OPA)
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-policy
  # kube-mgmt only loads ConfigMaps that carry this label into OPA
  labels:
    openpolicyagent.org/policy: rego
data:
  policy.rego: |
    package kubernetes.admission

    import rego.v1

    # Only the pod-level securityContext is checked here; a pod that sets
    # runAsNonRoot on each container instead would still be denied.
    deny contains msg if {
      input.request.kind.kind == "Pod"
      not input.request.object.spec.securityContext.runAsNonRoot
      msg := "Pods must run as non-root user"
    }
```
2. Kyverno
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-required-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "label 'app' is required"
      pattern:
        metadata:
          labels:
            app: "?*"
```
Security Policies
1. Pod Security Standards
```yaml
# Pod Security Admission is configured per namespace through labels; there is
# no PodSecurityStandard resource kind. enforce blocks, audit logs, warn
# returns a warning to the client.
apiVersion: v1
kind: Namespace
metadata:
  name: restricted
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  namespace: restricted
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    # The image must actually run as a non-root UID (the stock nginx image
    # starts as root); otherwise the kubelet refuses to start the container
    # even though admission accepted it.
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```
2. Network Policies
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # Denying all egress also blocks DNS: pair this with an egress rule that
  # allows UDP/TCP 53 to kube-dns, or name resolution in the namespace stops.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: frontend
    ports:
    - protocol: TCP
      port: 80
```
Resource Management Policies
1. Resource Quotas
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
```
2. Limit Ranges
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
spec:
  limits:
  - default:
      memory: "512Mi"
      cpu: "500m"
    defaultRequest:
      memory: "256Mi"
      cpu: "200m"
    type: Container
```
Compliance Policies
1. Image Security
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-registries
spec:
  validationFailureAction: enforce
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Only approved registries are allowed"
      # This pattern covers spec.containers only; initContainers and
      # ephemeralContainers need their own entries or they are not checked.
      pattern:
        spec:
          containers:
          - image: "registry.company.com/*"
```
2. Configuration Standards
```yaml
# Requires the K8sRequiredLabels ConstraintTemplate (from the Gatekeeper
# library) to be installed first; the Constraint only parameterises it.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-env
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Namespace"]
  parameters:
    labels: ["environment"]
```
Custom Policies
1. OPA Custom Rules
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-policies
  labels:
    openpolicyagent.org/policy: rego
data:
  policy.rego: |
    package kubernetes.admission

    import rego.v1

    # Iterate over every container explicitly. Writing
    #   not ...containers[_].resources.limits
    # only denies when no container at all has limits, so a Deployment
    # with one limited and one unlimited container would slip through.
    deny contains msg if {
      input.request.kind.kind == "Deployment"
      some container in input.request.object.spec.template.spec.containers
      not container.resources.limits
      msg := "Resource limits are required for all containers"
    }
```
2. Kyverno Custom Rules
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: custom-deployment-rules
spec:
  validationFailureAction: enforce
  rules:
  - name: check-replicas
    match:
      resources:
        kinds:
        - Deployment
    validate:
      message: "Minimum replicas should be 2"
      pattern:
        spec:
          replicas: ">1"
```
Policy Testing
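As an added example that ties the custom-rule and testing sections together (my code, not from the original post): a Rego registry allowlist that, unlike the Kyverno pattern under Image Security, also covers initContainers, ephemeralContainers and workload templates, shipped with its own unit tests. The allowlist set and the test manifests are constructed for this example; the input shape is the AdmissionReview request the page's other rules use, and the file is meant to be evaluated on its own with `opa test`.

```rego
package kubernetes.admission

import rego.v1

# Constructed allowlist; registry.company.com is the registry used elsewhere
# on this page. The trailing slash matters: a lookalike host such as
# registry.company.com.example.net/ does not match the prefix.
allowed_prefixes := {"registry.company.com/"}

# Pods carry the spec directly; templated workloads nest it under template.
pod_spec := input.request.object.spec if input.request.kind.kind == "Pod"

pod_spec := input.request.object.spec.template.spec if {
	input.request.kind.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job"}
}

# All three container lists are checked, so an initContainer cannot pull from
# an unapproved registry while the main container passes.
all_containers contains c if some c in pod_spec.containers
all_containers contains c if some c in pod_spec.initContainers
all_containers contains c if some c in pod_spec.ephemeralContainers

image_allowed(image) if {
	some prefix in allowed_prefixes
	startswith(image, prefix)
}

deny contains msg if {
	some c in all_containers
	not image_allowed(c.image)
	msg := sprintf("container %q: image %q is not from an approved registry", [c.name, c.image])
}

# Unit tests (run with `opa test -v .`): the main container is approved but
# the initContainer is not, so exactly one denial is produced.
test_init_container_from_public_registry_denied if {
	count(deny) == 1 with input as {"request": {
		"kind": {"kind": "Deployment"},
		"object": {"spec": {"template": {"spec": {
			"containers": [{"name": "app", "image": "registry.company.com/app:1.0"}],
			"initContainers": [{"name": "init", "image": "busybox:1.36"}],
		}}}},
	}}
}

test_pod_with_approved_images_allowed if {
	count(deny) == 0 with input as {"request": {
		"kind": {"kind": "Pod"},
		"object": {"spec": {"containers": [{"name": "app", "image": "registry.company.com/app:1.0"}]}},
	}}
}
```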
1. OPA Testing
```rego
package kubernetes.admission

import rego.v1

# Run with `opa test -v .` alongside the custom-policies rule above, which
# lives in the same package. The expected message must match the rule's
# message string exactly.
test_deny_no_resource_limits if {
  deny["Resource limits are required for all containers"] with input as {
    "request": {
      "kind": {"kind": "Deployment"},
      "object": {"spec": {"template": {"spec": {"containers": [{"name": "app"}]}}}},
    },
  }
}

# Negative case: a Deployment whose containers all set limits is not denied.
test_allow_with_resource_limits if {
  count(deny) == 0 with input as {
    "request": {
      "kind": {"kind": "Deployment"},
      "object": {"spec": {"template": {"spec": {"containers": [
        {"name": "app", "resources": {"limits": {"cpu": "1", "memory": "256Mi"}}},
      ]}}}},
    },
  }
}
```
2. Kyverno Testing
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-test
spec:
  # background: false limits evaluation to admission requests, so existing
  # resources are not reported against while the rule is being tried out.
  # No validationFailureAction is set, so it defaults to Audit: violations
  # are recorded, not blocked. Offline unit tests of Kyverno policies use
  # the Kyverno CLI's `kyverno test` command instead.
  background: false
  rules:
  - name: test-policy
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test validation"
      pattern:
        metadata:
          labels:
            test: "true"
```
Monitoring and Reporting
1. Policy Violations
```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: policy-alerts
spec:
  groups:
  - name: policy.rules
    rules:
    - alert: PolicyViolation
      # policy_violation_total is a placeholder name; use the counter your
      # engine actually exports, e.g. Kyverno's kyverno_policy_results_total
      # filtered on rule_result="fail".
      expr: sum(increase(policy_violation_total[1h])) > 0
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: Policy violations detected
```
2. Compliance Reports
```yaml
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  name: cluster-compliance
# PolicyReport has no spec: results (and summary) sit at the top level, and
# v1alpha2 names the outcome field "result" (pass/fail/warn/error/skip).
# Reports are normally written by the policy engine rather than by hand.
results:
- policy: require-labels
  rule: check-required-labels
  result: fail
  severity: high
  category: compliance
  properties:
    created_at: '2024-12-11T10:00:00Z'
```
Best Practices
- Start with Baseline Policies
- Implement Gradual Enforcement
- Regular Policy Review
- Document Policy Decisions
- Monitor Policy Impact
- Test Before Enforcement
- Maintain Policy Version Control
Troubleshooting
Common Issues
- Policy Conflicts
```bash
kubectl describe clusterpolicy <policy-name>
kubectl get policyreport
```
- Admission Control Issues
```bash
kubectl logs -n kyverno -l app=kyverno
kubectl get events --field-selector reason=Failed
# Kyverno records denials as events with reason PolicyViolation as well
kubectl get events --field-selector reason=PolicyViolation
```
- Performance Impact
```bash
kubectl top pod -n kyverno
# PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters this
# returns nothing and Pod Security Admission is configured via namespace labels
kubectl describe podsecuritypolicy
```
Conclusion
Effective policy management is crucial for maintaining security, compliance, and operational standards in Kubernetes clusters. Using tools like OPA and Kyverno, organizations can implement automated policy enforcement and maintain consistent standards across their infrastructure.
Series Navigation
- Previous: GitOps with Kubernetes
- Next: Kubernetes Cost Optimization