TestDrive

Policies Overview


In this section, we will cover the various types of policies that can be applied to manage and secure your Kubernetes cluster using Tanzu Mission Control.

71. Implement Policies

There are multiple ways to implement policies that make sure only safe container images get deployed:

  • Implement vulnerability scanning in the container registry that stores the images, and prevent images with critical vulnerabilities from being deployed (Harbor)
  • Implement policies that do not allow images from certain image registries (TMC)
  • A policy that prevents container images with no digest from deploying (TMC)
  • Stop container images with the latest tag from deploying (TMC)
  • Blacklist certain images/repos (TMC)
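As an added example (not Tanzu Mission Control's own code), the following Python evaluates an image reference against rules of the kinds listed above. The bare `busybox` reference used later in this walkthrough resolves to docker.io/library/busybox:latest, so it carries no digest and uses the latest tag; the policy object and its rule set are constructed for the demo.

```python
"""Evaluate container image references against the rule types listed above:
blocked registries, blocked image names, digest required, no 'latest' tag.
Added example, not Tanzu Mission Control code."""
from collections import namedtuple
from dataclasses import dataclass, field

ImageRef = namedtuple("ImageRef", "registry repository tag digest")

def parse_image(ref: str) -> ImageRef:
    """Split a reference the way container runtimes do: the first component is a
    registry only if it has '.' or ':' or is 'localhost'; Docker Hub images with
    no namespace live under 'library/'; no tag and no digest means 'latest'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if path.rfind(":") > path.rfind("/"):   # a colon after the last '/' starts the tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)

@dataclass
class ImagePolicy:
    blocked_registries: set = field(default_factory=set)
    blocked_names: set = field(default_factory=set)   # 'busybox' or 'library/busybox'
    require_digest: bool = False
    reject_latest: bool = False

def evaluate(ref: str, policy: ImagePolicy) -> list:
    """Return the rule violations for one image; an empty list means admitted."""
    img = parse_image(ref)
    short = img.repository.rsplit("/", 1)[-1]
    checks = [
        (img.registry in policy.blocked_registries, f"registry {img.registry} is blocked"),
        (img.repository in policy.blocked_names or short in policy.blocked_names,
         f"image {img.repository} is blocked"),
        (policy.require_digest and img.digest is None, "image has no digest"),
        (policy.reject_latest and img.tag == "latest", "image uses the latest tag"),
    ]
    return [msg for bad, msg in checks if bad]
```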

72. Grouping Namespaces in Workspaces

Tanzu Mission Control, part of the Tanzu for Kubernetes Operations solution, provides out-of-the-box policies that can be applied to a fleet of clusters spread across multiple clouds.

Tanzu Mission Control has image-based policies that can be applied to namespaces within a cluster. These policies can be applied fleet-wide across clusters and clouds by grouping namespaces together in a logical group called a Workspace.

73. Create Namespace

Let's add a namespace to the cluster we created.

  • Go to the browser tab with Tanzu Mission Control and click on Workspaces in the left-hand menu
  • Click the Create Namespace button

74. Select Cluster and Workspace

  • Enter tanzu in the name field 
  • Select your cluster from the Cluster dropdown 
  • Select the workspace starting with your username from the Workspace dropdown 
  • Click the Create button

75. Image Registry

Click on Policies --> Assignments in the left-hand menu, click on the Image Registry tab and then on Workspaces.

76. Select Workspace

Select the workspace with your username in it.

You will notice that no Image Registry policies have been applied yet.

77. Create Image Registry Policy

Click on Create Image Registry Policy.

78. Create Policy

  • Once the Image Registry Policy wizard opens, click on the Image registry template dropdown and select Custom
  • Enter busybox as the Policy Name
  • Under Rule, enter busybox as the image name
  • Click on the Add Another Rule button
  • Click on the Create Policy button

79. Create Deployment

Go to the Windows PowerShell window where the kubeconfig for your cluster was downloaded in the earlier steps.

  • Create a deployment with the image 'busybox' from Docker Hub:

    kubectl create deployment busybox --image=busybox -n tanzu

  • Copy it using the copy button next to the command
  • Paste it into the Horizon username field by clicking on it, then press CTRL+V (Windows) or Command (⌘)+V (macOS) on your keyboard

80. Image Policy

Notice that the deployment is stuck and won't progress because of the image rules:

    kubectl describe deployment busybox -n tanzu

This is because of the Image Registry policy we just applied.

  • Copy it using the copy button next to the command
  • Paste it into the Horizon username field by clicking on it, then press CTRL+V (Windows) or Command (⌘)+V (macOS) on your keyboard

81. Network Policies

By default, Kubernetes provides an open, flat network, which is often not desirable. Many applications, especially microservices, only need to communicate with a few other services. Network policies allow us to define default network rules on Workspaces to control the flow of traffic for the services communicating in and out of a cluster.

82. View Policies

To view these policies:

Click on the Network tab within the Policy Assignments section.

83. Apply Network Policies to Workspaces

Click on Workspaces, as network policies can only be applied to workspaces.

84. Create Network Policy

Click Create Network Policy to open the wizard and review the options in the Network policy dropdown.

Note: For network policies to be effective, the CNI deployed to your Kubernetes cluster must support network policies.
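To make the "flat network unless a policy selects the pod" rule concrete, here is an added example (not Tanzu Mission Control's code) that decides whether ingress traffic from one pod to another is allowed under Kubernetes NetworkPolicy semantics; the namespaces, pods and policies are constructed for the demo, and ports are ignored.

```python
"""Decide whether ingress traffic to a pod is allowed under Kubernetes
NetworkPolicy semantics (ports ignored). Added example, not TMC code."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

@dataclass
class Peer:                          # one entry in an ingress rule's 'from' list
    pod_selector: Optional[dict] = None
    namespace_selector: Optional[dict] = None

@dataclass
class Policy:
    namespace: str
    pod_selector: dict               # {} selects every pod in the namespace
    ingress: list = field(default_factory=list)  # list of rules; [] = deny all

def matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def peer_allows(peer: Peer, src: Pod, ns_labels: dict, policy_ns: str) -> bool:
    if peer.namespace_selector is None:
        if src.namespace != policy_ns:   # a bare podSelector is namespace-local
            return False
    elif not matches(peer.namespace_selector, ns_labels.get(src.namespace, {})):
        return False
    return peer.pod_selector is None or matches(peer.pod_selector, src.labels)

def ingress_allowed(src: Pod, dst: Pod, policies: list, ns_labels: dict) -> bool:
    """Flat network unless a policy selects dst; then some rule must admit src."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True
    return any(not rule or any(peer_allows(peer, src, ns_labels, p.namespace) for peer in rule)
               for p in selecting for rule in p.ingress)

# constructed sample: namespace labels, pods and policies for the demo
NS_LABELS = {"tanzu": {"team": "dev"}, "monitoring": {"team": "ops"}}
WEB, DB = Pod("web", "tanzu", {"app": "web"}), Pod("db", "tanzu", {"app": "db"})
PROM = Pod("prom", "monitoring", {"app": "prometheus"})
DENY_ALL = Policy("tanzu", {}, [])
WEB_TO_DB = Policy("tanzu", {"app": "db"}, [[Peer(pod_selector={"app": "web"})]])
OPS_TO_WEB = Policy("tanzu", {"app": "web"}, [[Peer(namespace_selector={"team": "ops"})]])
```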

85. Admission Controllers

Containers are the base unit of deployment that runs any application on Kubernetes. Containers are processes that run on a given Kubernetes host; they can have access to the host file system, networks, host namespaces and password files, listen to traffic on the host, etc. An application running in a container can see host/system-level objects. To prevent containers from doing so, Kubernetes has Admission Controllers that check the provisioning of a pod against a set of Pod Security Policies (PSPs). It is important not to let containers access host-based resources unless necessary, as doing so opens unnecessary potential attack vectors. By default, Kubernetes does not implement any pod security policies.

86. TMC Security Policies

By default, Tanzu Mission Control implements security policies around running pods with root access, privileged mode, access to host networks, volumes, etc.

87. View Security Policies

To view these policies, click on the Security tab within the Policy Assignments section and switch to the Clusters view if you are still seeing Workspaces.

88. Add a Direct Security Policy

Let's add a direct security policy for your cluster group.

  • Select the cluster group with your username in it
  • Click on the Create Security Policy button

89. Create a Strict Security Policy

  • Select Strict from the security template dropdown
  • Give the policy a name, e.g. strict
  • Click the Create Policy button

This will create a strict security policy that prevents any container that requires privileged mode from running.

90. Tanzu Mission Control's Quota based policy

Application development teams love Kubernetes because they can request infrastructure resources like compute, network and storage for running their apps without having to deal with the operations team or raise a ticket to provision things. On the flip side, this means the teams managing the platform need to be aware of the capacity they have and implement quotas/restrictions on consumption. Tanzu Mission Control's quota-based policy allows you to do just that from an operations perspective.

91. Quota Tab

Go to the browser tab with Tanzu Mission Control and click on Policies, then Assignments.

Click on the Quota tab, select Clusters, then click on the cluster group with your username in it.

92. Create Quota Policy

Notice that there is no direct quota policy applied.

Click on the Create Quota Policy button.

93. Name the Quota Policy

  • Select the policy type 'Small' from the Quota Policy dropdown
  • Give it the name tanzu-quota
  • Notice that it has been assigned a quota limit of 1 vCPU and 2 GB of memory per workload
  • Click the 'Create Policy' button

94. Exit out of the Wizard

You can opt to create a custom policy if you don't want to use any of the pre-defined ones, or if you wish to implement more detailed policies on resources such as CPU, memory and storage, or even limits on most Kubernetes objects within a namespace.

Once complete, exit out of the wizard.

95. Conclusion

This concludes the walkthrough. For more information on TKO, please visit https://tanzu.vmware.com/kubernetes-operations
