CNCF publishes the Kubernetes Policy Management Whitepaper


The CNCF recently published a new white paper on Kubernetes Policy Management. The whitepaper highlights the importance of Kubernetes policy management when it comes to securing and automating clusters and workloads. It also goes into detail about the problems that Kubernetes policies solve and how to properly implement such policies.

The white paper provides a reference architecture for Kubernetes policy management, guidance for policy-based operations, and emphasizes how policies are mapped to other aspects of security, such as threat modeling, securing, and incident response, besides ongoing compliance, while focusing on policy management concepts rather than tool.

The paper introduces XACML, a standard language of OASIS that defines a policy language, architecture, and processing model.

Courtesy of the Cloud Native Computing Foundation

It also shows the various XACML entities, their interactions, and how they relate to Kubernetes policy management. These include the Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP) and Policy Administration Point (PAP).


Courtesy of the Cloud Native Computing Foundation

In such an architecture, the PAP creates a policy or policy set and makes it available for the PDP to use. All user or system requests are intercepted by the PEP, which interacts with the PDP to decide how to handle requests. The PEP helps enforce policies to ensure that the current state of Kubernetes workloads and clusters matches the desired state defined by the policy. The PDP then instructs the PEP how to proceed. In other words, allow or deny the request.

The paper also emphasized that Kubernetes policy management applies to all four lifecycle stages of the container: development, distribution, deployment, and runtime, as outlined in the CNCF Special Interest Group for Security (SIG) cloud-native security whitepaper, particularly when it comes to it to container images and Kubernetes configurations.

In this model, Kubernetes policies are part of the software delivery pipeline, also known as Policy as Code (PaC).

According to the paper, policies help connect operations and other security domains within a cloud-native organization by mapping Kubernetes policies to other security functions such as security assurance and compliance.

The white paper highlighted the importance of a holistic approach to security assurance to meet the unique security requirements in a dynamic cloud-native environment.

This includes developing a threat model for both the platform and workloads, integrating security into the software delivery pipeline, and detecting policy violations, particularly at runtime.

Additionally, the paper highlighted the role of policies managed in Kubernetes to automate compliance controls and adhere to regulatory standards such as PCI, NIST 800-30, HIPAA, etc. In this way, policies can be used to tie documented compliance goals to technical controls at the cluster, workload, or runtime level.

The authors of the white paper hope that by adopting policy-based operations, organizations can achieve their goal of being more secure and compliant.

While the white paper focuses on policy management, you can find a list of related projects and tools in the cloud-native CNCF interactive landscape.

End users can join the Kubernetes Policy Working Group to propose and discuss ideas, or email [email protected] or the Slack channel.


Comments are closed.