
Policy Authoring

There are two main policy types for Kubernetes as follows:

  1. Mutating Policy Rules.

  2. Validating Policy Rules.

In v1 Kubernetes systems, the Mutating policy type does not exist and the Validating policy type is called Admission Control. These Rules files are where you author the policies you want OPA to enforce.

  • The Mutating policy dictates what changes to Kubernetes resources must be made when the user tries to create, update, or delete those resources. The mutation policy does not change the resources that are already on the cluster; it is applied only at the time of admission control.

  • The Validating policy decides whether a user request to create, update, or delete a resource is permitted. If a modification is rejected, the policy dictates what error message to return to the user.

  • Kubernetes applies the Mutation policies before the Validation policies. A resource that gets mutated must still pass all of the validation checks before it is admitted onto the cluster.

Finally, there are Test files that you can use to write unit tests. Styra recommends that you write unit tests when authoring custom rules; unit tests are far less valuable when you are using pre-built rules. You can run the unit tests using the impact analysis feature by clicking the Validate button in the policy editor.

Pre-built Policies

The Validating policy includes a collection of pre-built rules that you can use to get started putting guardrails on the resources running on your cluster. Included are rules that span the traditional silos of computing, networking, and storage and that are motivated by a mix of operations, security, and compliance.

Many of the pre-built rules have parameters that the policy author provides to customize the rule to the cluster it is applied to. For example, the rule that requires all images to come from a trusted registry has a parameter that controls which repositories are trusted.
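As an added illustration of a parameterized validating rule together with the unit tests the Test files section recommends, the following Rego is example code written for this page, not a Styra pre-built rule: it denies Pods whose container images are not pulled from a trusted registry, with the trusted-registry parameter, the `kubernetes.admission` package, the `deny` rule name and the `pod_request` helper all assumed rather than taken from the product.

```rego
package kubernetes.admission

import rego.v1

# Constructed parameter: image path prefixes (registry, or registry/org) that are trusted.
trusted_registries := {"registry.example.com", "ghcr.io/example-org"}

# Deny a Pod on CREATE or UPDATE when any container or init container image
# does not come from a trusted registry. Existing Pods are not affected:
# this only runs at admission time.
deny contains msg if {
	input.request.kind.kind == "Pod"
	input.request.operation in {"CREATE", "UPDATE"}
	some container in all_containers
	not image_trusted(container.image)
	msg := sprintf("container %q uses image %q, which is not from a trusted registry", [container.name, container.image])
}

# Check init containers too, otherwise an untrusted image slips in through spec.initContainers.
all_containers := array.concat(
	object.get(input.request.object.spec, "containers", []),
	object.get(input.request.object.spec, "initContainers", []),
)

# Require the trusted prefix followed by "/" so that look-alike hosts such as
# "registry.example.com.evil.test/app" do not match.
image_trusted(image) if {
	some registry in trusted_registries
	startswith(image, concat("", [registry, "/"]))
}

# Unit tests (kept in the same file for brevity; run with `opa test .`).
test_untrusted_image_denied if {
	count(deny) == 1 with input as pod_request("docker.io/library/nginx:1.25")
}

test_trusted_image_allowed if {
	count(deny) == 0 with input as pod_request("registry.example.com/team/app:1.0")
}

test_lookalike_registry_denied if {
	count(deny) == 1 with input as pod_request("registry.example.com.evil.test/app:1.0")
}

# Constructed AdmissionReview-shaped input used by the tests above.
pod_request(image) := {"request": {
	"kind": {"kind": "Pod"},
	"operation": "CREATE",
	"object": {"spec": {"containers": [{"name": "app", "image": image}]}},
}}
```

Because the page notes that mutation runs before validation, a mutating rule that rewrote image references would still have to produce images that satisfy `image_trusted` for the Pod to be admitted.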

Additionally, there are pre-built packs of rules that naturally belong together as follows:

  • Kubernetes Best Practices: A list of the most common and impactful rules that most clusters should implement first.

  • PCI DSS v3.2: OPA rules that are mapped to the PCI DSS v3.2 clauses.

  • Pod Security Policies: Kubernetes has a feature called Pod Security Policies that helps limit the permissions under which pods are running. The DAS PSP policy pack codifies those same rules so that OPA can enforce them.

  • Rules: A Rule is a specific individual constraint. It consists of specific instructions that you write in the form of a Rego statement for custom rules, or specific parameters that you configure for existing Rego statements used in built-in rules.

  • CIS (Center for Internet Security): A list of rules made from the prescriptive guidance for establishing a secure configuration posture for Kubernetes from CIS.

  • MITRE ATT&CK: A list of rules formulated from the knowledge base of adversary tactics and techniques from the MITRE ATT&CK matrix for containers.