Before you begin to plan and implement policies, you must first understand the policy lifecycle. In general, a common set of tasks is used to deploy policies in a production-ready software system.
Figure 1 shows the key stages of the policy lifecycle and the typical activities that take place in each stage.
Figure 1: Policy Lifecycle
The policy lifecycle involves the following tasks:
- Define Policy Rules: Define the policy using built-in or custom rules.
- Validate and Analyze Policies: Validate the policy before distribution to analyze the impact the policy would have if you were to enforce it.
- Publish Policies: Publish the policy to monitor and enforce compliance.
- Replay Enforcement Decisions: Replay policy decisions in real-time or in the historical context.
Define Policy Rules
When you begin to define policies, you can choose from the predefined set of built-in rules or write your own custom rules. The predefined built-in rules have parameters that you can modify to tailor the rule to your specific needs.
For example, if you select the Repository Safety rule, you can specify the list of registries from which images can be downloaded, and the repositories that are permitted for each registry.
While the built-in rules provide a good starting point and cover many of the most widely accepted best practices for managing a real-world software system, you will inevitably need additional guardrails that none of the pre-built rules cover. In this case, you can write custom rules using the Cloud Native Computing Foundation (CNCF) Open Policy Agent's policy language.
Validate and Analyze Policies
Once you define a policy, Styra analyzes the policy in different ways so that you can understand the impact that policy will have on your cluster. You can perform this analysis for both built-in and custom rules using the Validate command in the policy editor.
Validating and analyzing a policy involves the following tasks:
- Run the unit tests that you write for your custom policies, and report the test results.
- Perform an audit that identifies the resources in the cluster that violate a given policy.
- Display a historical record of decisions to help you predict what will happen if you enforce a proposed policy. Replaying past decisions during validation lets you see how a new policy that has not yet been enforced would have produced different decisions than those made in the past. For example, you can see whether a configuration that was allowed in the past would be denied if the policy you are validating were enforced.
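The following is an added example of a custom rule of the kind described above, together with the unit tests that the validation step runs; it is not Styra's built-in Repository Safety rule or any code from the original page. The registry and repository names are constructed, and the policy assumes a Kubernetes admission review as `input`; an image with no explicit registry host (such as `nginx:1.25`) is denied because its first path segment is not a known registry key.

```rego
package kubernetes.admission.repository_safety

import rego.v1

# Constructed allowlist (example values, not Styra's built-in configuration):
# registry host -> set of repositories permitted from that registry.
allowed_repos := {
	"registry.example.com": {"platform/api", "platform/worker"},
	"quay.io": {"team/tooling"},
}

# One violation per container (regular or init) whose image is not allowlisted.
deny contains msg if {
	some container in input_containers
	not image_allowed(container.image)
	msg := sprintf("container %q uses image %q outside the approved registries/repositories", [container.name, container.image])
}

input_containers contains c if {
	some c in input.request.object.spec.containers
}

input_containers contains c if {
	some c in input.request.object.spec.initContainers
}

# Fail closed: the first path segment must be a key of allowed_repos, so an
# image without an explicit registry host is never allowed.
image_allowed(image) if {
	parts := split(image, "/")
	count(parts) > 1
	repo := strip_ref(concat("/", array.slice(parts, 1, count(parts))))
	repo in allowed_repos[parts[0]]
}

# Drop "@sha256:..." digests and ":tag" suffixes so only the repository path is compared.
strip_ref(ref) := split(split(ref, "@")[0], ":")[0]

# Unit tests, run with: opa test <this file>
test_allowed_image_passes if {
	count(deny) == 0 with input as pod_request(["registry.example.com/platform/api:1.4.2"])
}

test_unlisted_repository_denied if {
	count(deny) == 1 with input as pod_request(["registry.example.com/platform/debug:latest"])
}

test_missing_registry_denied if {
	count(deny) == 1 with input as pod_request(["nginx:1.25"])
}

# Test helper: builds a minimal Pod admission request for the given images.
pod_request(images) := {"request": {"object": {"spec": {"containers": [{"name": sprintf("c%d", [i]), "image": img} | some i, img in images]}}}}
```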
After you have completed the following tasks, you can enforce and monitor the policy by using the
- Reviewed the policy validation results.
- Adjusted the policy, the resource configuration, or both to meet your requirements.
- Checked if the policy met your requirement.
Once the policy is published, the Open Policy Agent handles enforcement by periodically downloading the latest policy and making decisions on create, update, and delete operations that are sent to the API server.
If a policy is published with monitoring enabled, then Styra periodically searches through all the resources on your cluster and finds a list of resources that violate the current policy.
Replay Enforcement Decisions
You can see all the decisions that OPA is enforcing in real time. You can also drill down into decisions for individual systems and filter the results to see details for systems that meet specific criteria.
Replaying policy decisions is a very useful stage in the policy lifecycle, especially when you need to demonstrate compliance to auditors or industry regulators, or when you are investigating security incidents.