Kubernetes Policy — Turning CNCF projects into products, responsibly

Lachlan Evenson
Microsoft Azure
4 min read · May 22, 2019

During Build, we announced a new service integration “Azure Policy for AKS”. With this integration, you can apply at-scale enforcements and safeguards for AKS clusters in a centralized, consistent manner through Azure Policy. In this blog, we will cover the background of the development process leading up to the announcement of this integration and share how we are embracing open source to build better software for the community and our customers.

Microsoft has over a 30-year heritage of working with enterprises. Of all the enterprise customers that we serve, we pay special attention to providing the appropriate level of products and features for those that operate in regulated industries like financial services, healthcare and government. This is evident in the number of regions, compliance certifications and enterprise features in Azure.

Enterprises want Kubernetes policy

Given these operational environments, it comes as no surprise that enterprises are asking us for better policy and compliance for their Kubernetes clusters. Specifically, they want the ability to limit what end-users can do on clusters and ensure they are always in compliance with defined policy. For example:

  • Which applications can be exposed to the Internet
  • What container images can be run

In addition, they would like to be able to write custom rules that map to their organizational policy, so whatever the solution is, it needs to be flexible enough to enable these workflows.

Building consensus upstream

Last December, we announced “Azure Policy Controller”, which was built to solve these customer needs. This project was built from the ground up as an open source project. Whilst this approach went well, it left us asking, “Why is this the Azure Policy Controller?”, and “Is it really in our best interest to keep this tied to Azure?”. We came to the realization that we were building a generic policy component that could be utilized on any Kubernetes cluster, so why not broaden the scope of the project? We subsequently renamed the project to “Kubernetes Policy Controller”, wrote documentation on how to use it on any Kubernetes cluster, created a process around project governance and onboarded external contributors.

As it turned out, we weren’t the only ones in the community trying to solve policy on Kubernetes. The Open Policy Agent (part of CNCF) community is excellent and was also exploring similar integrations. Utilizing projects from the OPA community allowed us to leverage an established open source policy engine and alleviated the need for us to build our own. We therefore thought it fitting to work in collaboration with the OPA community to bring “Kubernetes Policy Controller” under the OPA umbrella of projects.

Once donated to OPA in early 2019, the community decided to rename the project to Gatekeeper. Gatekeeper is now the standard admission controller for enforcing policy on any Kubernetes cluster. The community is growing and consists of many companies and end-users from the Kubernetes community such as Google, Red Hat, and Styra.

Azure Policy for AKS

When it comes to the needs of enterprise customers, it isn’t enough just to deliver an OSS project. They need products that are supported, integrated and built upon industry-standard open source. We took Gatekeeper and integrated it into our Azure Governance suite. Azure Policy for AKS allows policy to be applied to your clusters that denies non-compliant resources upon create and update operations. In addition, the service also provides an audit capability that displays cluster resources that do not comply with your defined policy. This feature is powered by two open source CNCF projects, Gatekeeper and Open Policy Agent. As part of the preview, the service provides predefined policy that can be applied to any AKS cluster. Here are some of the predefined policies.

  • Ensure LoadBalancers don’t have public IPs
  • Only allow containers from whitelisted container registries
  • Ensure ingress hostnames don’t overlap
  • Ensure that all ingresses only use HTTPS

In addition to predefined policy, we are investigating providing the integration of user-defined policy. Given that the policies are defined as OPA Rego, we hope to see an ecosystem of policy libraries become available that users may wish to incorporate into their set of policies. This is the power of utilizing OPA: it allows for portable policies, no matter how they are implemented on the cluster.

The future of cloud computing is open

At Microsoft, we believe that the future of cloud computing is open source. As with projects such as Gatekeeper, we are committed to building upstream-first wherever possible and this has been demonstrated with contributions to Kubernetes, Helm, Virtual-Kubelet, Brigade and more. Come visit the Microsoft booth whilst at KubeCon Barcelona for a demo and to learn more about Kubernetes, Gatekeeper and our other projects.
