Kubernetes Compliance and Governance

Ensure compliance and governance in your Kubernetes clusters

Maintaining compliance and governance in Kubernetes environments is crucial for security and regulatory requirements. This guide covers essential practices.

Prerequisites

  • Basic understanding of Kubernetes
  • Access to a Kubernetes cluster
  • kubectl CLI tool installed
  • Familiarity with compliance frameworks

Project Structure

.
├── compliance/
│   ├── policies/         # Policy configurations
│   ├── audit/           # Audit configurations
│   ├── rbac/            # RBAC definitions
│   └── security/        # Security policies
└── monitoring/
    ├── compliance/      # Compliance monitoring
    └── alerts/          # Compliance alerts

Policy Management

1. OPA Gatekeeper Constraint

A Gatekeeper Constraint is an instance of a ConstraintTemplate: the K8sRequiredLabels kind below only exists once a ConstraintTemplate that defines it has been installed, and applying the Constraint first fails with an unknown-kind error. This Constraint rejects any Pod that is missing one of the listed labels:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-labels
spec:
  # deny is the default; dryrun or warn lets you roll the policy out without blocking workloads
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    # Control-plane and Gatekeeper Pods carry none of these labels; do not reject them
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    labels: ["owner", "environment", "compliance-level"]

Matching only Pods means an unlabelled Deployment is admitted and its ReplicaSet then silently fails to create Pods. Add Deployments and StatefulSets from the "apps" group to the match so the rejection surfaces on the object a user actually applies.

2. Pod Security Policy (removed in Kubernetes 1.25)

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so the manifest below only applies to clusters on 1.24 or older with the PodSecurityPolicy admission plugin enabled; new clusters should use the built-in Pod Security Admission controller instead. Two details often missed: a PSP is only applied to a request whose user or service account has the "use" verb on that PSP through RBAC, and the spec requires seLinux, runAsUser, supplementalGroups and fsGroup (the original omitted supplementalGroups, which fails validation).

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  # Without this a non-root process can still gain root through setuid binaries
  allowPrivilegeEscalation: false
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # hostPath is deliberately absent: it is the usual route to the node's filesystem
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'persistentVolumeClaim'
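The replacement for the PSP above on current clusters is Pod Security Admission, configured with namespace labels rather than a cluster-wide object. This is an added example, not code from the page; the namespace name, image and label values are assumptions. The Pod shown alongside it is the minimum that the restricted profile accepts, and it also carries the three labels the Gatekeeper Constraint demands:

```yaml
# Namespace-level Pod Security Admission (built in since Kubernetes 1.25).
# enforce rejects non-compliant Pods; audit records a violation annotation in the
# API server audit log; warn returns a warning to the client on apply.
# Pinning a version keeps a future release's stricter profile from rejecting
# workloads unexpectedly.
apiVersion: v1
kind: Namespace
metadata:
  name: payments    # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
---
# A Pod that passes the restricted profile. Every securityContext field below is
# required by it; drop any one and admission fails with a message naming the field.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-ok
  namespace: payments
  labels:
    owner: payments-team
    environment: prod
    compliance-level: pci
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/payments/app:1.4.2    # assumed image reference
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Before enforcing on an existing namespace, run `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted`; the server-side dry run prints a warning for every existing Pod that the profile would reject, without changing anything.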

Audit Configuration

1. Audit Policy

kube-apiserver evaluates the rules in order and the first match sets the level; a request that matches no rule is not logged at all. With only the two rules below, Secrets, ClusterRoles, ClusterRoleBindings and every other resource leave no audit trail, which is rarely what an auditor expects, so treat this as a starting point rather than a complete policy.

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Full request and response bodies for workload and service changes
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods", "services"]
# Who changed which Role or RoleBinding, without the object bodies
- level: Metadata
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings"]
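A fuller policy, added here as an example rather than taken from the page. It keeps the two rules above, adds the rules most compliance reviews ask for (secret bodies never logged, interactive Pod access recorded, a catch-all so nothing is silently dropped) and removes the high-volume noise that otherwise doubles the log size. The rule order is the design: more specific rules come first because the first match wins.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived events duplicate the ResponseComplete event for every request; drop them
omitStages:
- RequestReceived
rules:
# Never log the body of Secrets, ConfigMaps or issued tokens: at RequestResponse
# the audit log would become a copy of every credential in the cluster.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps", "serviceaccounts/token"]
# Health and version probes are noise
- level: None
  nonResourceURLs:
  - "/healthz*"
  - "/livez*"
  - "/readyz*"
  - "/version"
# kube-proxy endpoint watches and kubelet node status updates are high-volume, low-value
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services", "services/status"]
- level: None
  userGroups: ["system:nodes"]
  verbs: ["get", "update", "patch"]
  resources:
  - group: ""
    resources: ["nodes", "nodes/status"]
# Full bodies for writes to workloads, services and RBAC (RBAC at RequestResponse so an
# auditor can see exactly which permissions were granted, not just that something changed)
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["pods", "services"]
  - group: "apps"
    resources: ["deployments", "daemonsets", "statefulsets"]
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# exec/attach/port-forward are interactive access to a workload; always record them
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
# Catch-all: everything else, including reads, at Metadata (who, what, when, outcome)
- level: Metadata
```

Reads of Pods and Services fall through to the catch-all at Metadata, which is usually enough evidence for access reviews and keeps list/watch traffic from dominating the log.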

2. Audit Logging

Audit events are written by kube-apiserver itself (through the --audit-policy-file, --audit-log-path and related flags) or sent to a webhook backend; a Pod cannot produce them. What a Pod can do is ship the API server's log file off the control-plane node to the SIEM that holds the compliance evidence. The manifest below is that kind of shipper: audit-image:latest is a placeholder for a real log forwarder, the path must match the API server's --audit-log-path, and the mount is read-only because nothing but the API server should write to the audit log.

apiVersion: v1
kind: Pod
metadata:
  name: audit-pod
  namespace: kube-system
spec:
  # The audit log lives on the control-plane node's filesystem (kubeadm 1.24+ label;
  # older clusters use node-role.kubernetes.io/master)
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    operator: Exists
    effect: NoSchedule
  containers:
  - name: audit-container
    image: audit-image:latest
    volumeMounts:
    - name: audit-logs
      mountPath: /var/log/audit
      readOnly: true
  volumes:
  - name: audit-logs
    hostPath:
      path: /var/log/audit
      # Directory must already exist; DirectoryOrCreate would let the shipper create it
      type: Directory

On managed control planes (EKS, GKE, AKS) the node filesystem is not reachable; enable the provider's control-plane audit logging and export it from the provider's logging service instead.
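The part that actually produces the log is the API server configuration. The fragment below is an added example (not from the page) of the audit-related flags and mounts in the kube-apiserver static Pod manifest on a kubeadm control plane; it assumes the policy file has been placed at /etc/kubernetes/audit/policy.yaml on the node, and it shows only the audit-related entries, to be merged into the existing manifest rather than applied on its own. The image tag is an assumption.

```yaml
# Fragment of /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm); only the
# audit-related flags and mounts are shown.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0    # assumed version
    command:
    - kube-apiserver
    # Policy file read at startup; a syntax error here stops the API server from starting
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    # Log file on the node; the shipper Pod above mounts this directory read-only
    - --audit-log-path=/var/log/audit/kube-apiserver.log
    - --audit-log-format=json
    # Local rotation: days to keep, number of rotated files, size in MiB before rotating.
    # Retention for compliance is enforced where the shipper delivers the logs, not here.
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    volumeMounts:
    - name: audit-policy
      mountPath: /etc/kubernetes/audit
      readOnly: true
    - name: audit-log
      mountPath: /var/log/audit
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
  - name: audit-log
    hostPath:
      path: /var/log/audit
      type: DirectoryOrCreate
```

On kubeadm clusters the supported way to set these is apiServer.extraArgs and apiServer.extraVolumes in the ClusterConfiguration, so that kubeadm upgrade regenerates the manifest with the flags intact; editing the static Pod file by hand is lost on the next upgrade. Because the log file is written to the node, the policy file and the log directory should be owned by root and not writable by anyone else, or the audit trail can be edited by whoever can reach the node.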

Compliance Monitoring

1. Compliance Checks

The ComplianceScan below is an OpenShift Compliance Operator resource (an OpenSCAP scan against a SCAP profile), so it only works where that operator is installed; on vanilla Kubernetes the usual equivalent is a CIS benchmark scanner such as kube-bench run as a Job. The original manifest carried a schedule field, which ComplianceScan does not have (schedules belong to ScanSetting), and lacked contentImage, which the operator requires.

apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceScan
metadata:
  name: compliance-scan
  namespace: openshift-compliance
spec:
  # Node scans check the host OS; Platform scans check the cluster configuration
  scanType: Node
  profile: xccdf_org.ssgproject.content_profile_moderate
  content: ssg-rhcos4-ds.xml
  # SCAP content image published for the operator; pin a digest in production
  contentImage: ghcr.io/complianceascode/k8scontent:latest
  nodeSelector:
    node-role.kubernetes.io/worker: ""
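The schedule that the original manifest tried to put on the ComplianceScan lives on a ScanSetting, and a ScanSettingBinding ties profiles to it so that the operator creates the scans and re-runs them on that schedule. This is an added example following the Compliance Operator's API, not the page's own code; the object names are assumptions, while ocp4-moderate and rhcos4-moderate are the profile names the operator ships.

```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: nightly-scan-settings    # assumed name
  namespace: openshift-compliance
# ScanSetting fields sit at the top level, not under spec
rawResultStorage:
  size: 2Gi        # PVC holding the raw ARF results an auditor can download as evidence
  rotation: 10     # keep the last 10 results
roles:
- worker
- master
schedule: "0 1 * * *"
# Remediations change node configuration; keep this false and review them before applying
autoApplyRemediations: false
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: nist-moderate            # assumed name
  namespace: openshift-compliance
profiles:
# Platform profile (cluster configuration) plus node profile (RHCOS host OS)
- name: ocp4-moderate
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
- name: rhcos4-moderate
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: nightly-scan-settings
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

After the first run, `oc get compliancesuite -n openshift-compliance` shows the overall result and `oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/check-status=FAIL` lists the individual failed controls, which is the list the alerting in the next section should be driven from.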

2. Compliance Alerts

compliance_check_status is a placeholder metric name; substitute the metric your scanner actually exports (the Compliance Operator and Gatekeeper each expose their own). A one-hour for: clause means a failed control is reported an hour after the scan sees it; if the scan itself only runs nightly the violation is already a day old by then, so shorten the clause rather than relying on it to filter flapping.

apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: compliance-alerts
  namespace: monitoring
  labels:
    # Must match the ruleSelector of your Prometheus object or the rule is never loaded
    release: prometheus
spec:
  groups:
  - name: compliance
    rules:
    - alert: ComplianceViolation
      expr: compliance_check_status{status="failed"} > 0
      for: 1h
      labels:
        severity: critical
      annotations:
        summary: "A compliance check is reporting failed status"
        description: "A control has been failing for more than an hour; fix it or record an approved exception."
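For the Gatekeeper Constraint in the Policy Management section, the equivalent alerts use metrics Gatekeeper itself exports: gatekeeper_violations (a gauge of violations found by the periodic audit, labelled by enforcement_action), gatekeeper_audit_last_run_time (Unix timestamp of the last audit run) and gatekeeper_constraints (count of Constraints by enforcement_action and status). This is an added example, not code from the page or the Gatekeeper project; it assumes Prometheus scrapes the gatekeeper-controller-manager metrics endpoint, and the namespace and release label are placeholders.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: gatekeeper-compliance-alerts
  namespace: monitoring      # assumed
  labels:
    release: prometheus      # assumed ruleSelector label
spec:
  groups:
  - name: gatekeeper
    rules:
    # Objects that exist and violate a deny Constraint. The audit finds what admission
    # never saw: objects created before the policy, or while the webhook was unavailable
    # (Gatekeeper's webhook fails open by default).
    # max() because only the audit leader reports the gauge; other replicas report 0.
    - alert: GatekeeperDenyViolationsPresent
      expr: max(gatekeeper_violations{enforcement_action="deny"}) > 0
      for: 15m
      labels:
        severity: warning
      annotations:
        summary: "Gatekeeper audit found {{ $value }} objects violating deny constraints"
        description: "Run kubectl get constraints -o yaml and inspect status.violations."
    # No audit completed in two hours: the policy exists but nobody is checking it
    - alert: GatekeeperAuditStale
      expr: time() - max(gatekeeper_audit_last_run_time) > 7200
      for: 10m
      labels:
        severity: critical
      annotations:
        summary: "Gatekeeper has not completed an audit in over two hours"
    # A Constraint whose template failed to compile is not enforced at all
    - alert: GatekeeperConstraintError
      expr: max(gatekeeper_constraints{status="error"}) > 0
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "{{ $value }} Gatekeeper constraints are in error state and not enforced"
```

The staleness and error alerts matter more than the violation count: a Constraint that is present but not being evaluated is the failure mode an auditor will not notice from the manifests alone.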

RBAC Configuration

1. Role Definition

A Role is namespaced, so the compliance-viewer below only grants read access inside the namespace it is created in. The original also granted get on "policies" in audit.k8s.io; no such API resource exists (the audit policy is a file read by kube-apiserver, not an object in the API), so that rule is replaced with read access to the namespace's RBAC objects, which is what an access review actually needs. Keep the role read-only and do not add "secrets": that would let the auditor read every credential in the namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: compliance-viewer
  namespace: payments    # placeholder namespace
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list"]

2. Role Binding

The binding must live in the same namespace as the Role. Prefer a Group subject populated by the identity provider over a named User, so that offboarding an auditor is a group membership change rather than a manifest edit.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: compliance-viewer-binding
  namespace: payments    # same namespace as the Role
subjects:
- kind: User
  name: compliance-auditor
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: compliance-viewer
  apiGroup: rbac.authorization.k8s.io

Verify the result rather than trusting the manifest: kubectl auth can-i list pods -n payments --as compliance-auditor should answer yes, and kubectl auth can-i get secrets -n payments --as compliance-auditor should answer no.
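A namespaced Role cannot see cluster-scoped objects, yet ClusterRoles, ClusterRoleBindings, Namespaces and Nodes are exactly what an access review covers. This added example (not from the page) gives auditors cluster-wide read access to the configuration objects that matter for compliance while still excluding Secrets and every write verb; the group name is an assumption.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: compliance-auditor
rules:
# Who can do what: the full RBAC graph, cluster- and namespace-scoped
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  verbs: ["get", "list", "watch"]
# What is running, where, and under which service accounts
- apiGroups: [""]
  resources: ["namespaces", "nodes", "pods", "services", "serviceaccounts", "resourcequotas"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
# Policy objects: network segmentation and admission policy
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["constraints.gatekeeper.sh"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: secrets, pods/exec, and any create/update/patch/delete verb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: compliance-auditors
subjects:
# A group from the identity provider, so membership is managed outside the cluster
- kind: Group
  name: sec-compliance-auditors    # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: compliance-auditor
  apiGroup: rbac.authorization.k8s.io
```

Check the negative case as well as the positive one: `kubectl auth can-i get secrets -A --as=alice --as-group=sec-compliance-auditors` must answer no, and `kubectl auth can-i list clusterrolebindings --as=alice --as-group=sec-compliance-auditors` must answer yes.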

Network Policies

1. Default Deny

NetworkPolicy is enforced by the CNI plugin; on a CNI without policy support the object is accepted by the API server and does nothing, so verify enforcement with a test Pod rather than trusting the manifest. A NetworkPolicy is namespaced, so this one has to be created in every namespace that must be isolated. Denying egress also blocks DNS: without an accompanying allow rule for kube-dns, every workload in the namespace fails name resolution.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments    # placeholder; repeat per namespace
spec:
  # Empty selector: applies to every Pod in the namespace
  podSelector: {}
  # Listing both types with no ingress or egress rules denies all traffic in both directions
  policyTypes:
  - Ingress
  - Egress

2. Compliance Network Policy

This policy opens ingress to Pods labelled compliance=required only from Pods labelled compliance=approved in the same namespace (a podSelector without a namespaceSelector never matches Pods in other namespaces). Because labels are set by whoever creates the Pod, the allow-list is only as strong as the control over who may create Pods in this namespace: the required-labels Constraint ensures the label is present, not that its value is honest.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: compliance-policy
  namespace: payments    # placeholder; same namespace as the workloads it protects
spec:
  podSelector:
    matchLabels:
      compliance: required
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          compliance: approved
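The allow rules that have to accompany the default-deny above, as an added example (not from the page). The first lets every Pod in the namespace resolve names through kube-dns and nothing else, which is the minimum a locked-down namespace needs to keep working; the second opens egress from the compliance=required Pods to a single approved external range, the shape PCI-style segmentation usually takes. It assumes the cluster DNS runs in kube-system with the standard k8s-app=kube-dns label, that the kubernetes.io/metadata.name namespace label is populated (it is from Kubernetes 1.22 on), and uses a documentation CIDR in place of the real provider address.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments    # placeholder; pair with default-deny in each namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in the same entry are ANDed:
    # only the kube-dns Pods in kube-system, not every Pod in kube-system
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Egress from the compliance=required Pods to one approved external service only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-approved-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      compliance: required
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24    # RFC 5737 documentation range standing in for the provider
    ports:
    - protocol: TCP
      port: 443
```

Policies in a namespace are additive, so these combine with default-deny without replacing it. To confirm the CNI is actually enforcing, run a throwaway Pod (`kubectl run -n payments probe --rm -it --image=busybox --restart=Never -- sh`) and check that `nslookup kubernetes.default` succeeds while a connection to any address outside the allowed range times out; if both succeed, the policies are not being enforced.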

Best Practices Checklist

  1. ✅ Enforce admission policies (Gatekeeper, Pod Security Admission)
  2. ✅ Configure API server auditing with a catch-all rule
  3. ✅ Set up compliance monitoring
  4. ✅ Define least-privilege, read-only RBAC for auditors
  5. ✅ Apply network policies, default deny first
  6. ✅ Run compliance scans on a schedule
  7. ✅ Alert on failed controls and on scanners that stop running
  8. ✅ Document policies and procedures
  9. ✅ Train operators and developers
  10. ✅ Review controls and access regularly

Compliance Frameworks

PCI DSS

  • Network segmentation
  • Access control
  • Audit logging
  • Encryption

HIPAA

  • Data encryption
  • Access controls
  • Audit trails
  • Backup procedures

SOC 2

  • Security monitoring
  • Change management
  • Access control
  • Incident response

Common Compliance Pitfalls

  1. ❌ Insufficient logging
  2. ❌ Poor access control
  3. ❌ Missing policies
  4. ❌ Inadequate monitoring
  5. ❌ Lack of documentation

Documentation Requirements

1. Policy Documentation

apiVersion: v1
kind: ConfigMap
metadata:
  name: compliance-docs
data:
  policies.md: |
    # Compliance Policies
    1. Access Control
    2. Data Protection
    3. Network Security
    4. Audit Requirements

2. Procedure Documentation

apiVersion: v1
kind: ConfigMap
metadata:
  name: compliance-procedures
data:
  procedures.md: |
    # Compliance Procedures
    1. Incident Response
    2. Change Management
    3. Access Review
    4. Audit Review

Compliance Reporting

1. Report Generation

A Job's Pod template must set restartPolicy to Never or OnFailure; without it the CronJob is rejected. The original also wrote to /reports with nothing mounted there, so each report vanished with the Pod. report-tool:latest is a placeholder image; whatever replaces it should be pinned by tag or digest so the report generator itself passes change-management review.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: compliance-report
spec:
  schedule: "0 0 * * 0"    # weekly, Sunday 00:00 in the controller's time zone
  # Do not let a slow run overlap the next one
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
          - name: report-generator
            image: report-tool:latest
            args:
            - --output=/reports
            # Satisfies the restricted Pod Security profile
            securityContext:
              runAsNonRoot: true
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            volumeMounts:
            - name: reports
              mountPath: /reports
          volumes:
          - name: reports
            persistentVolumeClaim:
              claimName: compliance-reports

2. Report Storage

Reports are audit evidence. Back the claim with a storage class whose reclaim policy is Retain, so that deleting the claim does not delete the evidence, and keep the retention period your frameworks require (PCI DSS asks for one year of audit history). ReadWriteOnce means only the node running the report Job can mount it, which is fine for a single CronJob.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: compliance-reports
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Conclusion

The manifests above give you the technical controls auditors look for: admission policy, an audit trail, least-privilege access, network segmentation and scheduled scans. Compliance itself also depends on what the manifests cannot provide: verifying that each control is actually enforced, retaining the evidence, and reviewing the controls and the access they grant on a regular cadence.

Additional Resources