Published Sep 19, 2024

SE Radio 634: Jim Bugwadia on Kubernetes Policy as Code

Jim Bugwadia discusses Kyverno, a policy engine for Kubernetes, and its role in compliance, security, and policy as code. He covers its architecture and observability features, with emphasis on customization, scalability, and collaboration between the teams that write policies and the teams whose workloads they govern.
Episode Highlights
  • Understanding

    Bugwadia explains that policies in Kubernetes are digital artifacts that guide configuration and compliance across complex systems. Managed by tools such as Kyverno, these policies encode both regulatory requirements and internal best practices. He highlights that Kyverno covers several policy categories, such as security contexts and resource allocations, and ensures that workloads adhere to the specified configurations.

    A policy is quite an abstract and vague term, right. But if you kind of think about it, in our real lives, in our day to day work, we have policies for things like expenses and vacations and things like that which are just written somewhere.

    ---

    He emphasizes that installing Kyverno is a cluster administrator's task, since the engine needs permissions to modify cluster behavior and resources. Policies are not limited to validation: a mutating policy can, for example, set default resource requests so that workloads that omit resource constraints are not descheduled for lack of them.
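    The default-resource-requests case described above, written as a Kyverno mutate policy. This is an added example, not a policy from the episode or from the Kyverno project; the policy name, the 100m/100Mi defaults and the kube-system exclusion are assumptions chosen for illustration.

```yaml
# Added example (not from the episode): a Kyverno ClusterPolicy that fills in
# default CPU and memory requests on every container that does not set them.
# The policy name, the 100m/100Mi defaults and the kube-system exclusion are
# assumptions for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resource-requests
spec:
  rules:
    - name: add-default-requests
      match:
        any:
          - resources:
              kinds:
                - Pod
      # System workloads are left alone so the policy cannot break the control plane.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # "(name): *" is a conditional anchor: the patch applies to every
              # container in the list, whatever its name.
              - (name): "*"
                resources:
                  requests:
                    # "+(key)" is an add-if-not-present anchor, so requests a
                    # developer set explicitly are never overwritten.
                    +(memory): "100Mi"
                    +(cpu): "100m"
```

    Because the policy is an ordinary Kubernetes resource it is installed with `kubectl apply -f` like any other manifest. Kyverno also generates matching rules for Pod controllers (Deployments, StatefulSets and so on), so the defaults are applied to the Pod template at admission time rather than only to bare Pods.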


    Implementation

    Policies in Kyverno are written in YAML and follow the structure of the Kubernetes resources they govern. Bugwadia notes that while simple policies mirror the resource layout directly, more complex ones may need looping constructs and calls to external APIs. Kyverno supports such integrations, allowing a policy to query an external service and make a decision on the result.

    The beauty of Kyverno is that policies are just Kubernetes resources. You use the tooling you would normally use for other Kubernetes resources to manage policy as code and that lifecycle as well.

    ---

    He shares an example of a security exploit involving Istio, illustrating why policies need to be adaptable as threats evolve.


    Enforcement

    Kyverno's enforcement is proactive: misconfigurations are caught before they reach production. Bugwadia explains that Kyverno offers both real-time blocking at admission and compliance reporting for violations that are recorded rather than rejected, and that both modes matter for maintaining security standards. Developers get immediate feedback when a policy is violated, with customizable error messages and remediation guidance.

    The real value proposition of a tool like Kyverno is preventing misconfigurations as early as possible in your software development lifecycle.

    ---

    Kyverno enforces policies as a dynamic admission controller. Bugwadia discusses the performance requirements this places on the webhook and the security measures around it, such as token review and the webhook configuration itself.
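    The blocking-versus-reporting choice and the customizable violation message described in the Enforcement section, written as a Kyverno validate policy. This is an added example, not a policy from the episode or from the Kyverno project; the policy name, the non-root requirement and the message text are assumptions chosen for illustration.

```yaml
# Added example (not from the episode): a Kyverno ClusterPolicy that rejects
# Pods whose containers do not set runAsNonRoot: true, returning a remediation
# message to the developer. Policy name and message text are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  # Enforce: the admission webhook rejects the request in real time.
  # Audit: the request is admitted and the violation is recorded in a
  # PolicyReport instead, which is the compliance-reporting mode.
  validationFailureAction: Enforce
  # background: true also scans resources that already exist in the cluster,
  # so a policy added later still surfaces existing violations in reports.
  background: true
  rules:
    - name: containers-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        # Returned verbatim to the client on rejection; say what to fix, not
        # just that something is wrong.
        message: >-
          Containers must run as non-root. Set
          spec.containers[*].securityContext.runAsNonRoot to true.
        pattern:
          spec:
            containers:
              # A list element in the pattern must match every container.
              - securityContext:
                  runAsNonRoot: true
```

    With `validationFailureAction: Enforce`, `kubectl apply` of a non-compliant Pod fails and the message above is printed in the error. Switching the same policy to `Audit` is the usual way to roll a new rule out: existing violations show up in PolicyReports first, and enforcement is turned on once teams have remediated them.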
