Kubernetes Policy Enforcement for Developers
Policy Exists for a Reason
You know that feeling where it’s near midnight and you’re outside of town and you pull up to a red light in your car and stop and start to wait. Initially you don’t think much about it, but after a few seconds you realize there are no cars out here. None. Nobody is coming from the left. Nobody is coming from the right. In fact, you’ve been out for 15 minutes without seeing another soul. Then the light doesn’t change. It just stays red, and it seems to stay that way indefinitely.
I’ve heard it only takes about 2.5 minutes for a significant percentage of the population to give up and assume the light is broken and then attempt to run it. And whether you run that light, or wait patiently for it to change no matter how long it takes is probably largely related to your personality and upbringing.
Choosing to run that red light is a bit like seeing if anyone is looking, and SSHing into a container in the Kubernetes cluster to make a change because… NOBODY IS GONNA NOTICE AND NO ONE IS GONNA GET HURT I SWEAR.
Honestly, you might be right. But the policies of the road exist for a reason—to maximize safety for all involved.
Policy Enforcement is a Necessity
Most of us (who drive) can relate to having done something stupid, or thinking no one was watching, or even just making an honest mistake and breaking a rule of the road—immediately to be followed by a police officer who stops us to write a ticket. I’ve been annoyed by these, but I’ve also received a ticket where I sit there nodding my head because—I get it and I know I shouldn’t have done that. Even though the rules annoy me sometimes when they’re applied to me personally, I’m usually pretty happy that others are following the rules.
I want people to stay on their side of the road. I want people to wait at red lights so I can continue driving when I have a green. I want people to park where they should, and not in the middle of the road.
Heck, even when I’m not driving and just walking or riding a bike, I want cars to do what’s expected of them—at the very least so I can tell what’s happening and be safe for myself. Knowing there is enforcement of the policy makes us feel safe. And… here’s where I make my “the same thing is true for infrastructure and policy around it” turn.
Kubernetes Policy Enforcement for Developers
When your company is three people and you have five users, your CTO can SSH into a machine and “hot fix” a problem and move on. It’s like living in a town with no stop signs at the single intersection. There is little enough going on that we can all probably stay safe. But scale is the problem.
When you have a hundred developers, or thousands, and when you have Kubernetes clusters, and service ownership—now you need real policy and a way to enforce it. And there will be times where it’s annoying as h*ck for the developer who needs to just make this one last change so they can go home for the night. But just like the red light situation above, while it may be fine on paper most of the time, the policy exists for a reason. Having good guardrails and policy in place will keep that developer from just pushing that one version of Log4j into production real quick because it “probably won’t be a problem”.
Good Kubernetes guardrails and policy can cause frustration sometimes. But most of the time it’s giving the rest of your team comfort that they can sleep tonight without something breaking in production that requires a page. It gives leadership comfort that they won’t be called into court for a huge data breach. Policy gives your operations team confidence that what needs to be configured will be—so it can scale up and down appropriately.
Policy is for developers, even though it’s enforced in their direction. Just like red lights are for humans. Sometimes we’ll shake our fist at the red light. But most of the time we can be thankful for the calm and sanity it brings.
Don’t wait. Enforce sane Kubernetes policy out of the gate with Fairwinds Insights. And even if you live in a city running horses, roller bladers, and small airplanes as fast as cars and need custom policy to cover it—we can help with that.
*** This is a Security Bloggers Network syndicated blog from Fairwinds | Blog authored by Kendall Miller. Read the original post at: https://www.fairwinds.com/blog/kubernetes-policy-enforcement-for-developers