The State of Policy Management In Kubernetes

Kubernetes is enabling powerful container orchestration capabilities for many organizations. But with this power comes great responsibility. Securing Kubernetes access is crucial to meet compliance requirements and avoid data leaks. And a significant aspect of governing modern cloud-native infrastructure is enforcing policies around its use.

Nirmata recently released its first annual The State of Cloud-Native Policy Management report, which surveyed 600 DevOps and security and operations professionals on their use of policy management tools in Kubernetes. The report found growing use of policy-based controls in Kubernetes environments and explored differences in tooling adoption to manage policy enforcement. Below, I’ll highlight the major takeaways from the study.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

Policy Management in Kubernetes Becomes More Commonplace

In recent years, it’s become more common to adopt policy management in Kubernetes deployments. Nearly 50% of respondents report having policy enforcement active in production. The rest say they either have policy management in non-production environments or are experimenting with it. Only 6% say they are not adopting some form of K8s policy enforcement.

Teams are most commonly using policy management for Kubernetes admission control—31% of respondents cite this as a use case. Admissions controllers are necessary to support many advanced K8s features, providing another layer of validation for mutation of objects. Thus, it’s important to define policies around who or what can use admission controllers. Almost a quarter (24%) of respondents also use policy management for application authorization.

Tools Used for K8s Policy Enforcement and Management

Open Policy Agent (OPA) is by far the most widely adopted tool for implementing Kubernetes policies. A full 31.6% of those surveyed say they use OPA for Kubernetes policy enforcement and management. Similarly, a separate Red Hat study found 32% of developers use OPA to help secure Kubernetes.

As I’ve covered before, OPA is an agnostic open source layer meant to provide a decoupled approach to applying universal authorization policies across the whole cloud-native stack. You write policies in Rego and define privileges in JSON. This could be used to enforce admin-only access, validate container images, apply attribute-based control (ABAC) and create other authorization models.

But OPA is no longer the only CNCF-hosted policy solution being used in production. When asked what other tools are used to enforce cloud-native policies, we find that 7.9% of survey respondents use Kyverno. Kyverno is a new open source Kubernetes-native policy management tool maintained by Nirmata that can be used to “validate, mutate, and generate configurations using admission controls and background scans.” One benefit of Kyverno, compared to OPA, is it doesn’t require learning a new language to use.

Slightly more than a quarter (25.7%) of respondents use a different tool for Kubernetes policy enforcement. The report doesn’t name names, but other Kubernetes security tools commonly used include utilities like KubeLinter, Kube-bench, kube-hunter, Terrascan, Falco and Clair. CNCF projects related to cloud-native security and compliance include OPA, Notary, Kyverno, Curiefense and others.

Still, 37.5% are not using any Kubernetes policy tools. This nascent adoption shows there is room for cloud-native policy enforcement layers to expand. The report also demonstrates a modest rise in the need to adopt policy management in larger organizations—whereas 45% of companies are not using policy enforcement in groups with less than 25 people, this figure shrinks to 31% within companies with more than 10,001 people.

Challenges Implementing Cloud-Native Policies

Teams will inherently face some challenges introducing new policy management layers to pre-existing stacks. Of these challenges, 40% of respondents say a lack of budget holds back security policy enforcement rollout. This is followed by other roadblocks such as solution complexity, a lack of skillsets and siloed divisions. Interestingly, developer buy-in was the least-cited challenge, indicating developers understand the necessity for such tools to implement proper DevSecOps.

The report also briefly compared adoption challenges between policy enforcement tools. Complexity was found to be a high hurdle for both OPA and Kyverno. But a lack of executive support was highest for Kyverno—which makes sense given its newness in the market.

The study also found an equal split between self-managed (on-premises and cloud Kubernetes) versus cloud-managed Kubernetes environments. Whereas self-managed Kubernetes makes sense for the teams with the required skills and know-how, half of the companies using Kubernetes opt for cloud provider support, likely due to the platform’s complexity.

Regardless, when applying policies across organizational boundaries, security engineers must overcome some hybrid and multi-cloud nuances. This underlines the fact that policies must be agnostic and portable to any environment, demonstrating the benefits of a decoupled layer.

Takeaways

Kubernetes has proven useful for not only container orchestration but service discovery, load balancing and more application life cycle abilities. And, as Kubernetes use increases, the need to secure authorization into the environment will only become more of a requirement.

The State of Cloud-Native Policy Management report demonstrates that most organizations are either already using policies in production Kubernetes or at least experimenting. Room for adoption also shows this to be an evolving space, with more innovation to come.

But as high cost is a top burden inhibiting use, policy toolsets must seek to refine the policy creation process to reduce the time and resources required to implement them. Teams must also make efforts to ensure the policy chain is optimized so as to not exacerbate an application’s latency budget.

The 2022 State of Cloud-Native Policy Management report surveyed 600 DevOps, security and operations professionals from the November 2021 KubeCon event. For more insights, you can pick up a copy here in exchange for your personal information.