Kubernetes cluster governance

Governance refers to an organization's ability to enforce and validate rules to help guarantee compliance with corporate standards. Governance helps organizations mitigate risks, comply with corporate standards and external regulations, and minimize interruption to adoption or innovation.

Governance includes planning initiatives, setting strategic priorities, and using mechanisms and processes to control applications and resources. For Kubernetes clusters in a cloud environment, governance means implementing policies across Kubernetes clusters and the applications that run in those clusters.

Kubernetes governance includes the cloud environment, the cluster deployment infrastructure, the clusters themselves, and the clusters' applications. This guide focuses on governance within Kubernetes clusters. The article compares Amazon Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS) Kubernetes cluster governance.

Note

This article is part of a series of articles that helps professionals who are familiar with Amazon EKS understand Azure Kubernetes Service (AKS).

Kubernetes governance dimensions

Three aspects define a consistent Kubernetes governance strategy:

  • Targets define the security and compliance policy goals for your governance strategy. For example, targets can specify which users can access a Kubernetes cluster, namespace, or application. Or they can specify which container registries and images to use in which clusters. Your security operations team usually sets these targets as the first step to define your company's governance strategy.

  • Scopes detail the elements that the target policies apply to. Scopes must address all Kubernetes-visible components. Scopes include organizational units like departments, teams, and groups or environments like clouds, regions, or namespaces.

  • Policy directives are the Kubernetes mechanisms (admission controllers, policy engines, and the policy resources they evaluate) that enforce the target rules across the specified scopes.

For more information, see Kubernetes governance.

Governance in EKS and AKS

  • Amazon Web Services (AWS) customers usually use Kyverno, Gatekeeper, or other partner solutions to define and implement a governance strategy for their Amazon EKS clusters. The aws-eks-best-practices/policies GitHub repository contains a collection of example policies for Kyverno and Gatekeeper.

  • Azure customers can also use Kyverno or Gatekeeper. To extend Gatekeeper for an AKS governance strategy, you can use the Azure Policy for Kubernetes add-on.

Gatekeeper

The Cloud Native Computing Foundation (CNCF) sponsors the open-source Gatekeeper tool, which helps enforce policies in Kubernetes clusters. Gatekeeper is a Kubernetes admission controller that helps enforce policies that you create with Open Policy Agent (OPA), a general-purpose policy engine.

OPA uses a high-level declarative language called Rego to express policies, such as a rule that pods from different tenants must run on separate instances or at different priorities. For a collection of common OPA policies, see the OPA Gatekeeper library.

Kyverno

CNCF also sponsors the Kyverno open-source project, which helps enforce policies in Kubernetes clusters. Kyverno is a Kubernetes-native policy engine that can use policies to validate, mutate, and generate Kubernetes resource configurations.

Use Kyverno to define and manage policies as Kubernetes resources without using a new language. You can manage policies by using familiar tools, such as kubectl, git, and kustomize.

Kyverno has the following features:

  • Uses kustomize-style overlays for validation
  • Supports JSON patch and strategic merge patch for mutation
  • Clones resources across namespaces based on flexible triggers

To deploy policies individually, use the policy YAML manifests. To package and deploy policies, use Helm charts.

Unlike Gatekeeper or Azure Policy for AKS, Kyverno can use policies to generate new Kubernetes objects, instead of only validating or mutating existing resources. For example, you can define a Kyverno policy to automate the creation of a default network policy for new namespaces.
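As an added example of the generate capability described above (this is illustrative code, not the article's or the Kyverno project's own), the ClusterPolicy below creates a default-deny ingress NetworkPolicy in every newly created namespace. The policy and rule names, and the list of excluded system namespaces, are assumptions.

```yaml
# Added example (assumed names), not the article's own content.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-networkpolicy
spec:
  rules:
    - name: default-deny-ingress
      # Trigger: creation of a Namespace resource
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # Leave cluster system namespaces alone
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kube-node-lease
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        # Place the generated object in the namespace that triggered the rule
        namespace: "{{request.object.metadata.name}}"
        # Re-create or repair the NetworkPolicy if it is deleted or edited
        synchronize: true
        data:
          spec:
            # Empty podSelector matches every pod in the namespace
            podSelector: {}
            # Only Ingress is restricted; blocking egress by default would also
            # cut off DNS unless a matching allow rule is generated alongside it
            policyTypes:
              - Ingress
```

With `synchronize: true`, Kyverno treats the generated NetworkPolicy as managed: an application team cannot simply delete it to open the namespace, which is the governance property this pattern is meant to provide. The rule fires on namespace creation only; namespaces that already exist when the policy is applied need Kyverno's option for generating on existing resources or a one-off backfill.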

Optionally, you can deploy Kyverno's implementation of the Kubernetes Pod Security Standards as Kyverno policies. Pod Security Standards controls provide a starting point for general Kubernetes cluster operational security.

Azure Policy add-on for AKS

The Azure Policy add-on for AKS extends Gatekeeper, which is an admission controller webhook for OPA. This add-on applies at-scale enforcements and safeguards on your cluster components in a centralized, consistent manner. Cluster components include pods, containers, and namespaces. Azure Policy provides centralized compliance management and reporting for multiple Kubernetes clusters. This capability simplifies the management and governance of multicluster environments compared to deploying and managing Kyverno or Gatekeeper for each cluster.

The Azure Policy add-on for AKS performs the following functions:

  • It uses Azure Policy to check for policy assignments to the cluster.

  • It deploys policy definitions into the cluster as constraint template and constraint custom resources.

  • It reports auditing and compliance details back to Azure Policy.

The Azure Policy add-on is compatible with both AKS and Azure Arc-enabled Kubernetes cluster environments. For more information, see Understand Azure Policy for Kubernetes clusters.

To install the add-on on new and existing clusters, follow the installation instructions.

After you install the Azure Policy add-on for AKS, you can apply individual policy definitions or groups of policy definitions, called initiatives, to your AKS cluster. You can enforce Azure Policy built-in policy and initiative definitions from the start, or you can create and assign your own custom policy definitions. The Azure Policy built-in security policies enhance the security posture of your AKS cluster, enforce organizational standards, and assess compliance at scale.

Contributors

Microsoft maintains this article. The following contributors wrote this article.

Principal authors:

Other contributors:


Next steps