In this blog, we look into an introduction to three important open-source tools that help you implement security best practices in Kubernetes clusters using pre-defined policies.
Disadvantages of Pod Security Standards
Here are some disadvantages for projects looking for more granular customization and security options.
For example:
- PSS only offers three predefined security levels: Privileged, Baseline, and Restricted, allowing no room for further customization.
- It is limited to pod-level security. It cannot enforce policies for other cluster resources.
- As your Kubernetes environments grow, managing security policies across multiple namespaces and clusters becomes increasingly complex.
- In managed services like AWS EKS, applying cluster-wide PSS is a challenge because you cannot customize the API server configuration.
🤔 Why PSS: PSS is ideal for those looking to enforce basic pod-level security without requiring external tools.
For projects requiring more granular control and customization, you have the following three policy engine options that are part of the CNCF:
- Kyverno
- Kubewarden
- OPA Gatekeeper
We will look at an introduction to each of these and understand their key features.
💡A policy engine is a tool or system that helps you define, enforce, and evaluate rules or policies in your infrastructure or applications. It ensures that everything is operating according to the defined rules, whether it's related to security, resource usage, compliance, or configurations.
Need for Policy Engines
Many organizations use policy engines for compliance and governance.
Now, you might wonder, what is the real need for a policy engine?
Here’s why:
- To avoid mistakes like deploying privileged containers or missing important labels.
- Ensure cluster resources are tagged (labeled) properly for tracking and cost management. For example, to identify which team, project, or environment a resource belongs to.
- Automatically create network policies, quotas, or config maps. For example, when a new namespace is created, you can automate the creation of required network policies, resource quotas, etc., as per project standards.
- To verify image signatures. For example, some projects require all container images to be signed before being deployed to production. Developers sign images during the CI/CD pipeline using a private key (e.g., with cosign). Kyverno ensures that only signed images are deployed.
- To validate resources for compliance before deployment, catch issues early in the pipeline, and ensure smoother operations.
The three tools we are going to look at help you implement these in your Kubernetes projects
1. Kyverno
Github: github.com/kyverno/kyverno
Kyverno, which means "govern" in Greek, is a CNCF Project.
A good thing about Kyverno is that you don't have to learn any new Domain Specific Language (DSL) to get started. If you’re comfortable with YAML, you can write and apply Kyverno policies.
Thats why its called a Kubernetes-native tool.
You can get started with Kyverno from here.
Kyverno is best for DevOps engineers who want quick results with minimal learning curve.
2. Kubewarden
Website: www.kubewarden.io
Kubewarden is more developer-centric.
It allows developers to write policies in their preferred programming languages (if they compile to WebAssembly).
Supports languages like Rust, Go, and Swift for policy creation.
💡 WebAssembly (Wasm) is a fast and secure way to run programs on different platforms. It was first created for the web but is now used in many other areas, like cloud and DevOps tools. It works by turning code into a small, efficient format that runs quickly and safely. Watch this for quick introduction.
Since the policies are compiled into WebAssembly modules, they are fast in processing admission requests because WebAssembly modules are designed for high performance and near-native execution speed.
Kubewarden also supports reusing existing OPA (Open Policy Agent) Rego policies with minor adjustments.
An interesting feature is that the policies can be stored and shared as OCI artifacts (image format) in compliant registries.
Best for performance critical environments and teams that need flexibility to write policies in various languages.
Since it requires knowledge of Wasm and programming languages like Rust, it is challenging for DevOps engineers who are not familiar with them.
3. OPA Gatekeeper
Website: open-policy-agent.github.io/gatekeeper/website/docs/
OPA stands for Open Policy Agent.
It is an open-source, general-purpose policy engine, meaning you can use it not just for Kubernetes but also for other use cases like API authorization, infrastructure compliance, and microservices security.
OPA Gatekeeper is an extension of the Open Policy Agent (OPA) designed specifically for Kubernetes environments.
The language used to write policies for OPA Gatekeeper is Rego. It has a steep learning curve.
Best for complex environments where granular policies and compliance are essential, and the team is willing to invest in learning Rego.
Conclusion
While all these tools solve policy enforcement in Kubernetes environments, you need efficient mechanisms to code and manage these policies across multiple clusters in multiple environments.
Here is the guide about Kubernetes-native functionality, Pod Security Standards, and Admission Controllers that help you implement security best practices in the cluster.
If you have any questions about this blog, drop them in the comments!