Profile Applicability:

  • Level 1

Description:
 A policy control mechanism in Kubernetes is crucial for managing and enforcing security, resource, and operational policies across the cluster. This check ensures that at least one active policy control mechanism (such as PodSecurityPolicies, OPA/Gatekeeper, Kubernetes Admission Controllers, or Azure Policy) is in place and actively governing the behavior of the cluster.

Rationale:
 Without an active policy control mechanism, a Kubernetes cluster is vulnerable to misconfigurations, non-compliant resources, and potential security risks. Policy enforcement helps ensure compliance with internal standards, regulatory requirements, and security best practices by automatically rejecting or modifying resources that do not meet the defined policies.

Impact:

Pros:

  • Provides centralized control over the security, resource management, and compliance of the cluster.

  • Enforces best practices and reduces the risk of misconfiguration.

  • Helps automate security enforcement, reducing manual oversight and potential human error.

Cons:

  • Requires additional setup and configuration.

  • May lead to issues if overly restrictive policies are applied, blocking legitimate workloads.

  • Could introduce complexity in managing policies across large clusters.

Default Value:
 By default, Kubernetes does not have an active policy control mechanism in place unless one is manually configured (e.g., through PodSecurityPolicies, OPA/Gatekeeper, or other mechanisms).

Pre-requisites:
 Ensure that at least one policy control mechanism (such as PodSecurityPolicy, OPA/Gatekeeper, or Azure Policy) is installed and configured to enforce security and operational policies in the cluster.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Under Security, check if any policy control mechanisms, such as Azure Policy or PodSecurityPolicies, are enabled.

  3. Verify that Admission Controllers are configured, ensuring the enforcement of policies related to workloads and resource access.

  4. Ensure that at least one active policy control mechanism is in place, such as Azure Policy, OPA/Gatekeeper, or PodSecurityPolicy.

Using Azure CLI:

Use the following command to check if Azure Policy is enabled for your AKS cluster:

az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "addonProfiles.azurePolicy.enabled"

Verify that at least one policy mechanism (such as OPA/Gatekeeper or PodSecurityPolicy) is configured to enforce the necessary security and compliance policies.

If using OPA/Gatekeeper, verify that it is installed and active:

 kubectl get deployment gatekeeper-controller-manager --namespace gatekeeper-system
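The two checks above can be combined into a single audit that fails only when none of the mechanisms named in this recommendation is active. The script below is an added example written for this page, not part of the benchmark text; it assumes an authenticated Azure CLI session, a kubectl context pointing at the AKS cluster, and that the resource group and cluster name are passed as the two arguments (the file name audit-policy-control.sh is hypothetical). The decision logic is kept in its own function so it can be exercised with constructed probe results without touching a live cluster.

```shell
#!/bin/sh
# Added audit helper for this check (example code, not part of the benchmark text).
# Assumes an authenticated Azure CLI session and a kubectl context pointing at the
# AKS cluster; <resource-group-name> and <aks-cluster-name> are passed as arguments.

# Decide whether at least one policy control mechanism is active.
#   $1  Azure Policy add-on state: "true" / "false" / empty (addon profile absent)
#   $2  number of ready OPA/Gatekeeper controller replicas (empty means 0)
#   $3  number of PodSecurityPolicy objects in the cluster (empty means 0)
# Prints the verdict and returns 0 on PASS, 1 on FAIL.
policy_control_present() {
  azure_policy="$1"
  gatekeeper_ready="${2:-0}"
  psp_count="${3:-0}"

  if [ "$azure_policy" = "true" ]; then
    echo "PASS: Azure Policy add-on is enabled on the cluster"
    return 0
  fi
  # Non-numeric input makes the test fail silently, which counts as "not active".
  if [ "$gatekeeper_ready" -gt 0 ] 2>/dev/null; then
    echo "PASS: OPA/Gatekeeper controller is running ($gatekeeper_ready ready replica(s))"
    return 0
  fi
  if [ "$psp_count" -gt 0 ] 2>/dev/null; then
    echo "PASS: $psp_count PodSecurityPolicy object(s) defined"
    return 0
  fi
  echo "FAIL: no active policy control mechanism found (Azure Policy, OPA/Gatekeeper or PodSecurityPolicy)"
  return 1
}

# Probe Azure Policy add-on state; az prints "True"/"False" in tsv mode, normalised to lower case.
probe_azure_policy() {
  az aks show --resource-group "$1" --name "$2" \
    --query "addonProfiles.azurePolicy.enabled" -o tsv 2>/dev/null | tr '[:upper:]' '[:lower:]'
}

# Probe ready replicas of the Gatekeeper controller (the field is absent when none are ready).
probe_gatekeeper() {
  kubectl get deployment gatekeeper-controller-manager --namespace gatekeeper-system \
    -o jsonpath='{.status.readyReplicas}' 2>/dev/null
}

# Count PodSecurityPolicy objects; on clusters where the API no longer exists this yields 0.
probe_psp() {
  kubectl get podsecuritypolicy -o name 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh audit-policy-control.sh <resource-group-name> <aks-cluster-name>
if [ "$#" -eq 2 ]; then
  policy_control_present "$(probe_azure_policy "$1" "$2")" "$(probe_gatekeeper)" "$(probe_psp)"
fi
```

Each probe maps a missing add-on profile, a missing deployment, or a missing API to an empty or zero value rather than an error, so the verdict depends only on what is actually running; the non-zero exit code lets the script be used directly as a check in a compliance pipeline.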

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, ensure that Azure Policy is enabled for your AKS cluster:

    • Navigate to Azure Kubernetes Service and select your AKS cluster.

    • Under Add-ons, enable Azure Policy.

  2. Alternatively, configure PodSecurityPolicies to enforce security controls and restrict workloads based on security best practices:

    • Under Security in the Azure portal, navigate to the Policy section to manage PodSecurityPolicies.

    • Apply policies to restrict resource usage, ensure pod security, and enforce compliance.

  3. You can also install OPA/Gatekeeper to define and enforce custom policies on the cluster.

Using Azure CLI:

To enable Azure Policy for your AKS cluster, run the following command:

az aks enable-addons --resource-group <resource-group-name> --name <aks-cluster-name> --addons azure-policy

To verify the installation of OPA/Gatekeeper and ensure policies are being enforced, run the following command:

 kubectl get deployment gatekeeper-controller-manager --namespace gatekeeper-system

If PodSecurityPolicies are required, create a policy file and apply it to the cluster:

apiVersion: policy/v1beta1   # the PodSecurityPolicy API was removed in Kubernetes v1.25; applies only to older clusters
kind: PodSecurityPolicy
metadata:
  name: restrict-pod-resources
spec:
  privileged: false                      # no privileged containers
  allowPrivilegeEscalation: false        # block setuid/capability escalation in containers
  runAsUser: {rule: MustRunAsNonRoot}    # containers must not run as root
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim, projected]   # no hostPath

Apply the PodSecurityPolicy:

 kubectl apply -f pod-security-policy.yaml

Backout Plan:

Using Azure Console:

  1. If the active policy mechanism causes issues with workloads, revert the configuration in the Azure portal by disabling or modifying the active policy mechanism.

Using Azure CLI:

Revert the policy control settings by disabling Azure Policy or PodSecurityPolicy:

 az aks disable-addons --resource-group <resource-group-name> --name <aks-cluster-name> --addons azure-policy

Remove any custom policies from OPA/Gatekeeper or PodSecurityPolicies using:

 kubectl delete podsecuritypolicy <policy-name>

References:

  1. Azure Kubernetes Service (AKS) Policy Control Documentation

  2. Azure Policy for Kubernetes Documentation

  3. OPA Gatekeeper for Kubernetes