Guest post originally published on the Fairwinds blog by Kendall Miller
From Infrastructure as Code to Policy as Code
It wasn’t that long ago people started talking about Infrastructure as Code. Part of the reason why is how fast the technology in the cloud native space has matured. It also wasn’t that long ago that infrastructure was just tangible infrastructure and you had to walk around your datacenter and push buttons on physical machines, move racks around, and adjust wires to make infrastructure changes—so IaC was an exciting leap only made possible relatively recently by the emergence of the cloud. Infrastructure as Code with Kubernetes reduces human error, enforces repeatability and consistency, improves tracking and auditability and helps with DR.
People have seen the benefits of infrastructure living as code and as a result it’s becoming a more widely adopted cloud best practice.
In this increasingly-cloud world, the next logical step is Policy as Code (PaC) for Kubernetes. In a similar journey to IaC, it wasn’t all that long ago (and in some cases still is the case) that policy for many companies was enforced by:
- Security guards at the doors to building checking people’s bags to enforce what could be taken in or out
- Managers walking around the office looking over people’s shoulders to make sure they were working on the right things
- Long “policy documents” that companies really just crossed their fingers and hoped people would follow
What is Policy as Code
Definition: Policy as Code is the process of managing and provisioning policy enforcement tooling through machine-readable definition files, rather than best practice documentation or interactive configuration tools (a GUI with buttons to click).
Automation for policy can be done with several different tools, but many of those tools have involved a big complicated graphical user interface (GUI) where a single person goes in and clicks a bunch of buttons until they’ve enforced controls to meet a company standard (for desktop compliance, infrastructure etc.). But the automation isn’t enough because it can create single points of failure—such as the one person who remembers all the buttons to press in that GUI—what happens when they leave the company?.
Hence policy being documented and stored as code is becoming industry standard. The beauty of policy as code in Kubernetes is that it allows you to:
- Track changes in the policy over time
- Include information for the “why” of policy enforcement
- Write code that itself becomes a form of the documentation to remove single points of failure
The Future of Kubernetes Policy as Code
Just as Infrastructure as Code has become a widely adopted standard, Policy as Code with Kubernetes is heading in the same direction, so that both code to define the infrastructure as well as the code to define how it’s used can be stored in single track-able repository. Mature cloud organizations will find that maintaining “best practice documentation” while crossing their fingers and just really hoping their employees follow the rules will be insufficient at scale. And while tooling for the automation of this process at scale is essential, that alone isn’t sufficient.
Teams will be looking for a way to store instructions for the enforcement of policy automation at scale.
In the cloud native world in 2021, expect to see Policy as Code become as big of a buzz word as Kubernetes has been the last few years.
Interested in policy as code? Check out Fairwinds Insights which includes a tremendous amount of Kubernetes policy-as-code out of the box. It leverages best-in-class open source tooling across Kubernetes best practices in security, efficiency, and reliability as well as support for Open Policy Agent for writing your own custom policy and enforcing what gets deployed in your clusters.