In this post we will quickly review the Azure Policy offering. We will then look at how Kubernetes has approached the same issues, specifically looking at the Open Policy Agent (OPA) project managed by the Cloud Native Computing Foundation (CNCF). Finally, we will introduce Azure Policy for Kubernetes clusters, which combines the two tools to enforce business standards within your Azure Kubernetes Service (AKS) deployments.
Validating that all Azure resources deployed within your organization adhere to the business standards that have been defined is difficult. Azure Policy exists to help you with this important task.
Azure Policy provides a centralized location where you can define, enable, and monitor policies. There are many policies that Microsoft has provided, and you can enable these policies at different management levels within your environment. Policies can be assigned to management groups, subscriptions, resource groups, or even individual resources. Many policies have parameters that constrain the policy. For example, there is a built-in policy named “Allowed virtual machine size SKUs”. When assigning this policy, a list of allowed VM sizes is provided. One use of this policy might be to limit the costs of VMs created within a development or test subscription.
Policies are evaluated at specific times or by specific events:
- When a policy is assigned to a scope, all resources in that scope are evaluated; this includes updating a policy assignment
- When a new resource is created within the scope of the assignment
- Every 24 hours all resources in the scope are evaluated for all assigned policies
It is also possible to define the action that Azure Policy should take when it finds a resource that does not comply with the policy:
- Allow creation of the resource, but report the lack of compliance in the dashboard
- Reject the creation of the resource
- Remediate the lack of compliance either before or after the resource is created
Kubernetes Admission Controller
Various objects are created during the lifecycle of a Kubernetes cluster. Admission controllers intercept the API calls that create or alter resources, allowing a review of the object against the standards defined for the organization – sounds a little like the Azure Policies we just described above, right?
There are two phases in the admission controller workflow. The first phase is called the mutating phase and the second is called the validating phase.
During the mutating phase, an admission controller can alter the request. This may allow the object to be created, but with a modified definition based on the restrictions set up by the organization.
During the validating phase, an admission controller checks the rules defined for the object and determines if it is compliant. If it is, the object can be created and become part of the Kubernetes cluster.
Installing an admission controller into a Kubernetes cluster is done through the creation of one or more custom resource definitions (CRDs). These are activated as webhooks to intercept the API requests.
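The two phases described above, shown as an added example (not code from the original post, Kubernetes, or OPA): Python functions that build the `admission.k8s.io/v1` AdmissionReview response a webhook returns in each phase. The registry allow-list, the default label, and the sample Pod are constructed assumptions.

```python
import base64
import json

# Hypothetical organization standards (constructed for this example).
ALLOWED_REGISTRIES = ("contoso.azurecr.io/",)
DEFAULT_LABELS = {"cost-center": "unassigned"}

def mutate(pod):
    """Mutating phase: JSONPatch operations that add any missing default labels."""
    labels = pod.get("metadata", {}).get("labels")
    if labels is None:
        return [{"op": "add", "path": "/metadata/labels", "value": dict(DEFAULT_LABELS)}]
    # JSON Pointer requires "~" and "/" in a key to be escaped as "~0" and "~1".
    return [{"op": "add", "value": v,
             "path": "/metadata/labels/" + k.replace("~", "~0").replace("/", "~1")}
            for k, v in DEFAULT_LABELS.items() if k not in labels]

def validate(pod):
    """Validating phase: list of violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [f"container {c.get('name')!r} uses image {c.get('image')!r} outside allowed registries"
            for c in containers
            if not str(c.get("image", "")).startswith(ALLOWED_REGISTRIES)]

def review(admission_review, phase):
    """Build the AdmissionReview response for one phase ('mutating' or 'validating')."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}  # uid must echo the request
    if phase == "mutating":
        patch = mutate(req["object"])
        if patch:  # the patch travels base64-encoded in the response
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    else:
        violations = validate(req["object"])
        if violations:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample: the request an API server would send for a Pod CREATE.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                      "object": {"metadata": {"name": "web"}, "spec": {"containers": [
                          {"name": "app", "image": "contoso.azurecr.io/web:1.4"},
                          {"name": "sidecar", "image": "docker.io/library/busybox"}]}}}}

if __name__ == "__main__":
    for phase in ("mutating", "validating"):
        print(phase, json.dumps(review(SAMPLE, phase)["response"], indent=2))
```

For the sample Pod, the mutating response carries a patch that adds the default label, and the validating response denies the request because the `sidecar` image is not from the allowed registry.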
The Cloud Native Computing Foundation (CNCF) sponsors an initiative called the Open Policy Agent (OPA). The OPA defines a custom framework for implementing policies across the cloud native stack, which includes Kubernetes. OPA Gatekeeper is a project that provides the integration of OPA into a Kubernetes cluster. OPA has a declarative policy language that can be used to define complex policies.
Azure Policy for Kubernetes
In the prior sections we have seen how both Azure and Kubernetes manage policies. Each is similar, but distinct in the way policies are defined and exposed. The Azure Policy dashboard exposes the compliance of all Azure resources except for AKS. This is because AKS is a common tool that Microsoft has incorporated into a managed cloud service.
Microsoft has created Azure Policy for Kubernetes to bridge this gap. The offering is currently in preview. Because it is in preview, you are currently not able to create new OPA policies to use, but there are multiple policies that can be assigned to an AKS cluster.
When you assign a built-in Kubernetes policy to one of your AKS clusters, Azure Policy for Kubernetes will install the needed admission controllers and policy definitions into the cluster. AKS will then intercept object creation requests and validate that they comply with the installed policies. Azure Policy for Kubernetes will also monitor the compliance of resources within the AKS cluster and will include reporting on those policies through the Azure Policy dashboard.
InCycle has compiled a set of resources for you to begin to experiment with Azure Policy for Kubernetes. You can download it here and use it to explore how you can use OPA policies in your AKS clusters.