Policy Authoring
There are two main policy types for Kubernetes:
- Mutating Policy Rules
- Validating Policy Rules
In v1 Kubernetes systems, Mutating policies do not exist and the Validating policy is called Admission Control. These Rules files are where you author the policies that you want OPA to enforce.
- The Mutating policy dictates what changes must be made to Kubernetes resources when a user tries to create, update, or delete them. The Mutating policy does not change resources that are already on the cluster; it is applied only at admission time.
- The Validating policy decides whether a user request to create, update, or delete a resource is permitted. If a request is rejected, the policy dictates what error message to return to the user.
- Kubernetes applies the Mutating policies before the Validating policies. A resource that has been mutated must still pass all of the validation checks before it is admitted onto the cluster.
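The following Rego is an added example of what a Mutating rule looks like; it is not a Styra DAS built-in rule. It adds a `team` label to any Pod that lacks one. The label key, its default value, and the `kubernetes.mutating` package name are assumptions for the example, and `import rego.v1` assumes OPA 0.59 or later.

```rego
package kubernetes.mutating

import rego.v1

# Constructed example of a Mutating rule: give every Pod a "team" label if
# it has none. The label key and default value are assumptions for this
# example, not a Styra DAS built-in.
default_team := "unassigned"

# An OPA-backed mutating webhook returns its changes as JSON Patch
# operations; each element of `patch` is one such operation.
patch contains op if {
    is_pod_write
    not input.request.object.metadata.labels
    op := {"op": "add", "path": "/metadata/labels", "value": {"team": default_team}}
}

patch contains op if {
    is_pod_write
    input.request.object.metadata.labels
    not input.request.object.metadata.labels.team
    op := {"op": "add", "path": "/metadata/labels/team", "value": default_team}
}

is_pod_write if {
    input.request.kind.kind == "Pod"
    input.request.operation in {"CREATE", "UPDATE"}
}

# Unit tests (run with `opa test .`).
test_adds_labels_map_when_absent if {
    ops := patch with input as pod_request({"name": "example"})
    ops == {{"op": "add", "path": "/metadata/labels", "value": {"team": default_team}}}
}

test_adds_team_to_existing_labels if {
    ops := patch with input as pod_request({"name": "example", "labels": {"app": "web"}})
    ops == {{"op": "add", "path": "/metadata/labels/team", "value": default_team}}
}

test_leaves_labelled_pod_alone if {
    count(patch) == 0 with input as pod_request({"name": "example", "labels": {"team": "payments"}})
}

# Builds a minimal AdmissionReview request for the tests (constructed input).
pod_request(metadata) := {"request": {
    "kind": {"kind": "Pod"},
    "operation": "CREATE",
    "object": {
        "metadata": metadata,
        "spec": {"containers": [{"name": "main", "image": "registry.example.com/app:1.2"}]},
    },
}}
```

Two separate rule bodies are needed because JSON Patch cannot add `/metadata/labels/team` when the `labels` map itself does not exist yet. Because Kubernetes runs mutating admission first, a Validating rule that requires a `team` label would see the patched object and admit it, which is the ordering described above.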
Finally, there are Test files that you can use to write unit tests. Styra recommends writing unit tests when authoring custom rules; they are far less valuable when you are using pre-built rules. You can run the unit tests with the impact analysis feature by clicking the Validate button in the policy editor.
Pre-built Policies
A Rule in Styra DAS is a specific individual constraint. It consists of specific instructions that you write in the form of a Rego statement for custom rules, or specific parameters that you configure for existing Rego statements used in built-in rules.
The Validating policy includes a collection of pre-built rules that you can use to get started putting guardrails on the resources running on your cluster. Included are rules that span the traditional silos of computing, networking, and storage and that are motivated by a mix of operations, security, and compliance.
Many of the pre-built rules have parameters that the policy author provides to customize the rule to the cluster it is applied to. For example, the rule that requires all images to come from a trusted registry has a parameter that controls which repositories are trusted.
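As an added example of a parameterised Validating rule together with the unit tests recommended above, the Rego below denies Pods whose images do not come from a trusted registry. It is not the Styra DAS built-in trusted-registry rule: the `trusted_registries` values, the `kubernetes.validating` package name, and the message text are assumptions, and `import rego.v1` assumes OPA 0.59 or later.

```rego
package kubernetes.validating

import rego.v1

# Parameter that the policy author fills in. These registry values are
# constructed for the example; in Styra DAS the built-in trusted-registry
# rule takes the equivalent list as a configured parameter.
trusted_registries := {"registry.example.com", "internal.example.com/platform"}

# Deny the request when any container or init container pulls an image
# from a registry that is not in the trusted set.
deny contains msg if {
    is_pod_write
    some container in all_containers
    not from_trusted_registry(container.image)
    msg := sprintf("container %q uses image %q, which is not from a trusted registry", [container.name, container.image])
}

is_pod_write if {
    input.request.kind.kind == "Pod"
    input.request.operation in {"CREATE", "UPDATE"}
}

all_containers contains c if {
    some c in input.request.object.spec.containers
}

all_containers contains c if {
    some c in input.request.object.spec.initContainers
}

# A registry matches only as a full path component ("registry/"), so a
# bare prefix match cannot be satisfied by "registry.example.com.evil/app".
from_trusted_registry(image) if {
    some registry in trusted_registries
    startswith(image, concat("", [registry, "/"]))
}

# Unit tests: run with `opa test .` or the Validate button in the policy editor.
test_trusted_image_is_allowed if {
    count(deny) == 0 with input as pod_request("registry.example.com/app:1.2")
}

test_untrusted_image_is_denied if {
    count(deny) == 1 with input as pod_request("docker.io/library/nginx:latest")
}

test_lookalike_registry_is_denied if {
    count(deny) == 1 with input as pod_request("registry.example.com.evil/app:1.2")
}

# Builds a minimal AdmissionReview request for the tests (constructed input).
pod_request(image) := {"request": {
    "kind": {"kind": "Pod"},
    "operation": "CREATE",
    "object": {
        "metadata": {"name": "example"},
        "spec": {"containers": [{"name": "main", "image": image}]},
    },
}}
```

Each `deny` message is one error returned to the user, so a Pod with several untrusted images produces one message per container. Init containers are checked as well, since a rule that only inspects `spec.containers` leaves an easy gap.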
Additionally, Styra DAS includes several pre-built compliance packs:
- Kubernetes Best Practices: A list of the most common and impactful rules that most clusters should implement first.
- CIS (Center for Internet Security): A list of rules made from the prescriptive guidance for establishing a secure configuration posture for Kubernetes from CIS.
- MITRE ATT&CK: A list of rules formulated from the knowledge base of adversary tactics and techniques in the MITRE ATT&CK matrix for containers.
- NIST Container Security: The Kubernetes NIST Container Security compliance pack includes rules that address the recommendations outlined in NIST Special Publication (SP) 800-190, Application Container Security Guide.
- PCI DSS v3.2: OPA rules that are mapped to the PCI DSS v3.2 clauses.
- Pod Security Policies: Kubernetes has a feature called Pod Security Policies (PSP) that helps limit the permissions under which pods run. The Styra DAS PSP policy pack codifies those same rules so that OPA can enforce them.
- Pod Security v2: The Styra DAS Pod Security v2 compliance pack codifies the rules outlined in the Kubernetes Pod Security Standards so that OPA can enforce them.