The State of Policy Management In Kubernetes

Kubernetes is enabling powerful container orchestration capabilities for many organizations. But with this power comes great responsibility. Securing Kubernetes access is crucial to meet compliance requirements and avoid data leaks. And a significant aspect of governing modern cloud-native infrastructure is enforcing policies around its use.

Nirmata recently released its first annual The State of Cloud-Native Policy Management report, which surveyed 600 DevOps and security and operations professionals on their use of policy management tools in Kubernetes. The report found growing use of policy-based controls in Kubernetes environments and explored differences in tooling adoption to manage policy enforcement. Below, I’ll highlight the major takeaways from the study.

Policy Management in Kubernetes Becomes More Commonplace

In recent years, it’s become more common to adopt policy management in Kubernetes deployments. Nearly 50% of respondents report having policy enforcement active in production. The rest say they either have policy management in non-production environments or are experimenting with it. Only 6% say they are not adopting some form of K8s policy enforcement.

Teams are most commonly using policy management for Kubernetes admission control—31% of respondents cite this as a use case. Admissions controllers are necessary to support many advanced K8s features, providing another layer of validation for mutation of objects. Thus, it’s important to define policies around who or what can use admission controllers. Almost a quarter (24%) of respondents also use policy management for application authorization.

Tools Used for K8s Policy Enforcement and Management

Open Policy Agent (OPA) is by far the most widely adopted tool for implementing Kubernetes policies. A full 31.6% of those surveyed say they use OPA for Kubernetes policy enforcement and management. Similarly, a separate Red Hat study found 32% of developers use OPA to help secure Kubernetes.

As I’ve covered before, OPA is an agnostic open source layer meant to provide a decoupled approach to applying universal authorization policies across the whole cloud-native stack. You write policies in Rego and define privileges in JSON. This could be used to enforce admin-only access, validate container images, apply attribute-based control (ABAC) and create other authorization models.

But OPA is no longer the only CNCF-hosted policy solution being used in production. When asked what other tools are used to enforce cloud-native policies, we find that 7.9% of survey respondents use Kyverno. Kyverno is a new open source Kubernetes-native policy management tool maintained by Nirmata that can be used to “validate, mutate, and generate configurations using admission controls and background scans.” One benefit of Kyverno, compared to OPA, is it doesn’t require learning a new language to use.

Slightly more than a quarter (25.7%) of respondents use a different tool for Kubernetes policy enforcement. The report doesn’t name names, but other Kubernetes security tools commonly used include utilities like KubeLinter, Kube-bench, kube-hunter, Terrascan, Falco and Clair. CNCF projects related to cloud-native security and compliance include OPA, Notary, Kyverno, Curiefense and others.

Still, 37.5% are not using any Kubernetes policy tools. This nascent adoption shows there is room for cloud-native policy enforcement layers to expand. The report also demonstrates a modest rise in the need to adopt policy management in larger organizations—whereas 45% of companies are not using policy enforcement in groups with less than 25 people, this figure shrinks to 31% within companies with more than 10,001 people.

Challenges Implementing Cloud-Native Policies

Teams will inherently face some challenges introducing new policy management layers to pre-existing stacks. Of these challenges, 40% of respondents say a lack of budget holds back security policy enforcement rollout. This is followed by other roadblocks such as solution complexity, a lack of skillsets and siloed divisions. Interestingly, developer buy-in was the least-cited challenge, indicating developers understand the necessity for such tools to implement proper DevSecOps.

The report also briefly compared adoption challenges between policy enforcement tools. Complexity was found to be a high hurdle for both OPA and Kyverno. But a lack of executive support was highest for Kyverno—which makes sense given its newness in the market.

The study also found an equal split between self-managed (on-premises and cloud Kubernetes) versus cloud-managed Kubernetes environments. Whereas self-managed Kubernetes makes sense for the teams with the required skills and know-how, half of the companies using Kubernetes opt for cloud provider support, likely due to the platform’s complexity.

Regardless, when applying policies across organizational boundaries, security engineers must overcome some hybrid and multi-cloud nuances. This underlines the fact that policies must be agnostic and portable to any environment, demonstrating the benefits of a decoupled layer.

Takeaways

Kubernetes has proven useful for not only container orchestration but service discovery, load balancing and more application life cycle abilities. And, as Kubernetes use increases, the need to secure authorization into the environment will only become more of a requirement.

The State of Cloud-Native Policy Management report demonstrates that most organizations are either already using policies in production Kubernetes or at least experimenting. Room for adoption also shows this to be an evolving space, with more innovation to come.

But as high cost is a top burden inhibiting use, policy toolsets must seek to refine the policy creation process to reduce the time and resources required to implement them. Teams must also make efforts to ensure the policy chain is optimized so as to not exacerbate an application’s latency budget.

The 2022 State of Cloud-Native Policy Management report surveyed 600 DevOps, security and operations professionals from the November 2021 KubeCon event. For more insights, you can pick up a copy here in exchange for your personal information.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.

Bill Doerrfeld has 80 posts and counting. See all posts by Bill Doerrfeld