Kubernetes cluster governance

Governance refers to an organization's ability to enforce and validate rules to guarantee compliance with corporate standards. Governance helps organizations mitigate risks, comply with corporate standards and external regulations, and minimize interruption to adoption or innovation.

Governance includes planning initiatives, setting strategic priorities, and using mechanisms and processes to control applications and resources. For Kubernetes clusters in a cloud environment, governance means implementing policies across Kubernetes clusters and the applications that run in those clusters.

Kubernetes governance includes both the cloud environment and cluster deployment infrastructure, and the clusters themselves and their applications. This guide focuses on governance within Kubernetes clusters. The article describes and compares how Amazon Elastic Kubernetes Service (Amazon EKS) and Azure Kubernetes Service (AKS) manage Kubernetes cluster governance.

Note

This article is part of a series of articles that helps professionals who are familiar with Amazon EKS to understand AKS.

Kubernetes governance dimensions

Three dimensions define a consistent Kubernetes governance strategy:

  • Targets describe the security and compliance policy goals a governance strategy should meet. For example, targets specify which users can access a Kubernetes cluster, namespace, or application, or which container registries and images to use in which clusters. The security operations team usually sets these targets as the first step in defining a company's governance strategy.

  • Scopes detail the elements that the target policies apply to. Scopes must address all Kubernetes-visible components. Scopes can be organizational units like departments, teams, and groups, or environments like clouds, regions, or namespaces, or both.

  • Policy directives use Kubernetes capabilities, such as admission control, to enforce the target rules across the specified scopes.

For more information, see Kubernetes governance, what you should know.

Governance in EKS and AKS

  • Amazon Web Services (AWS) customers usually use Kyverno, Gatekeeper, or other third-party solutions to define and implement a governance strategy for their Amazon EKS clusters. The aws-eks-best-practices/policies GitHub repository contains a collection of example policies for Kyverno and Gatekeeper.

  • Azure customers can also use Kyverno or Gatekeeper, and can use the Azure Policy for Kubernetes Add-on to extend Gatekeeper for an AKS governance strategy.

Gatekeeper

The Cloud Native Computing Foundation (CNCF) sponsors the open-source Gatekeeper Policy Controller for Kubernetes for enforcing policies in Kubernetes clusters. Gatekeeper is a Kubernetes admission controller that enforces policies created with Open Policy Agent (OPA), a general-purpose policy engine.

OPA policies are written in Rego, a high-level declarative language. For example, a Rego policy can require that pods from different tenants run on separate instances or at different priorities. For a collection of common OPA policies, see the OPA Gatekeeper Library.

Kyverno

CNCF also sponsors the Kyverno open-source project for enforcing policies in Kubernetes clusters. Kyverno is a Kubernetes-native policy engine that can validate, mutate, and generate Kubernetes resource configurations with policies.

With Kyverno, you can define and manage policies as Kubernetes resources without learning a new language. This approach lets you use familiar tools such as kubectl, git, and kustomize to manage policies.

Kyverno uses kustomize-style overlays for validation, supports JSON patch and strategic merge patch for mutation, and can clone resources across namespaces based on flexible triggers. You can deploy policies individually by using their YAML manifests, or package and deploy them by using Helm charts.

Kyverno, unlike Gatekeeper or Azure Policy for AKS, can generate new Kubernetes objects with policies, not just validate or mutate existing resources. For example, you can define a Kyverno policy to automate the creation of a default network policy for any new namespace.

For more information, see the official Kyverno installation guide. For a list of ready-to-use or customizable policies, see the Kyverno Policies library. For troubleshooting guidance (for example, the API server failing to call the Kyverno webhook), see the Kyverno troubleshooting documentation.

Optionally, you can deploy Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as Kyverno policies. The PSS controls provide a starting point for general Kubernetes cluster operational security.
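The two ClusterPolicy manifests below are an added example (not code from the original article or from the Kyverno project). The first implements the scenario described above, generating a default-deny NetworkPolicy in every new namespace; the second is a validate rule in the spirit of the Pod Security Standards controls, requiring containers to run as non-root. The policy names and the choice to start in Audit mode are assumptions for this example.

```yaml
# Generate rule: every new Namespace gets a default-deny NetworkPolicy
# (added example).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-networkpolicy   # assumed name
spec:
  rules:
    - name: default-deny-ingress-egress
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        # The generated object lands in the namespace that triggered the rule.
        namespace: "{{request.object.metadata.name}}"
        # synchronize keeps the generated object in place if someone deletes
        # or edits it, so the baseline cannot be silently removed.
        synchronize: true
        data:
          spec:
            podSelector: {}            # applies to every pod in the namespace
            policyTypes:
              - Ingress
              - Egress                 # no rules listed, so all traffic is denied
---
# Validate rule: containers must run as non-root, at the pod or container
# level, mirroring a Pod Security Standards restricted-profile control.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot          # assumed name
spec:
  # Audit records violations in PolicyReport objects without blocking
  # admission; switch to Enforce once the reports show no violations.
  validationFailureAction: Audit
  # background: true also scans existing pods, not only new admissions.
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Containers must run as non-root. Set securityContext.runAsNonRoot to true at the pod or container level."
        anyPattern:
          # Option 1: pod-level setting, and no container overrides it to false.
          - spec:
              securityContext:
                runAsNonRoot: true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # Option 2: every container sets it explicitly.
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
```

After applying these, create a namespace and confirm the NetworkPolicy appears with kubectl get networkpolicy -n <namespace>, and check kubectl get policyreport -A for any pods that fail the non-root rule. The =() anchors in the second policy mean "if this field is present, it must have this value", which is what makes option 1 reject a pod that sets runAsNonRoot at the pod level but overrides it to false in one container. Note that the generate rule needs a CNI that enforces NetworkPolicy (for example, the Azure CNI with network policy enabled on AKS, or a supported plugin on EKS); without one, the object exists but blocks nothing.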

Azure Policy Add-on for AKS

The Azure Policy Add-on for AKS extends Gatekeeper to apply at-scale enforcements and safeguards on AKS clusters in a centralized, consistent manner. Azure Policy enables centralized compliance management and reporting for multiple Kubernetes clusters from a single location. This capability makes management and governance of multicluster environments more efficient than deploying and managing Kyverno or Gatekeeper for each cluster.

The Azure Policy Add-on for AKS performs the following functions:

  • Checks with the Azure Policy service for policy assignments to the cluster.
  • Deploys policy definitions into the cluster as constraint template and constraint custom resources.
  • Reports auditing and compliance details back to the Azure Policy service.

The Azure Policy Add-on supports the AKS and Azure Arc-enabled Kubernetes cluster environments. For more information, see Understand Azure Policy for Kubernetes clusters. To install the add-on on new and existing clusters, see Install the Azure Policy Add-on for AKS.

After you install the Azure Policy Add-on for AKS, you can apply individual policy definitions or groups of policy definitions called initiatives to your AKS cluster. You can apply and enforce Azure Policy built-in policy and initiative definitions from the outset, or create and assign your own custom policy definitions. The Azure Policy built-in security policies help improve the security posture of your AKS cluster, enforce organizational standards, and assess compliance at scale.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

