
Policy-Based Governance for End-to-End Integrity Control of Policies

2022-10-25

Authors:   Yuji Watanabe, Jayashree Ramanathan


Summary

The presentation discusses policy-based governance as a way to protect the integrity of policies and Ansible playbooks and to manage clusters consistently. Best practices are expressed as policies, managed like source code in Git, and deployed with a GitOps workflow. The benefits are lower operational cost, continuous security and audit readiness, and efficient day-to-day collaboration among the personas involved (platform, security, compliance and application teams). The presentation also points to the Kubernetes Policy Working Group's white paper on policy management and to Open Cluster Management, a CNCF Sandbox project that implements this policy-based governance approach.
  • Policy-based governance protects the integrity of policies and Ansible playbooks and gives a consistent approach to managing clusters
  • Best practices are represented as policies, managed like source code, and deployed with GitOps
  • Benefits include reduced operational cost, continuous security and audit readiness, and efficient collaboration among personas
  • The Kubernetes Policy Working Group's white paper and the Open Cluster Management CNCF Sandbox project enable the approach
Continuous collaboration among these personas is what makes continuous security and audit readiness achievable: because the teams work together through Git on a day-to-day basis, the process stays efficient, and the organization has a continuous view of its security and compliance posture instead of scrambling when an audit or compliance check comes due.

Abstract

Open Cluster Management (OCM) is a CNCF sandbox project aimed at simplifying and streamlining multi-cluster and multi-cloud management of Kubernetes environments. The OCM policy framework simplifies the complex and time-consuming processes needed to meet enterprise security and regulatory compliance requirements. The integrity of policies is critical because any modification, malicious or accidental, can negatively affect your clusters. This talk describes how to manage the integrity of policy resources using the OCM policy framework. We use manifest signing to protect the integrity of policies. To enable signing, secret values such as the signing key, or access credentials managed in Vault, are securely delivered to the signing pipeline by a policy using a new function called templated secret. The secret values are embedded into the policy, delivered from the hub to the managed cluster in encrypted form, and decrypted on the cluster. Admission control that enforces signature verification of policy resources on the cluster is also enabled through a policy.
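The abstract describes three pieces: a secret (the signing key) travelling from the hub to the cluster in encrypted form, a pipeline that signs the policy manifest, and an admission check that rejects any manifest whose signature no longer verifies. The following Go program is an added example written for this page; it is not OCM, Integrity Shield or the speakers' code. It stands in AES-GCM for whatever encrypted transport the templated-secret function uses, signs the raw manifest bytes with Ed25519, and models admission as a function returning an allow/deny decision. The sample policy manifest, the cluster key and the key pair are constructed in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample manifest, as the hub would hand it to the signing
// pipeline. Not a policy taken from the talk.
const samplePolicy = `apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: require-signed-manifests
  namespace: default
spec:
  remediationAction: enforce
  disabled: false
`

// Hub side: seal a secret value (here the signing key) with AES-GCM under a
// per-cluster key before it leaves the hub. Stand-in for OCM's encrypted
// templated-secret delivery, not the framework's own implementation.
func protectSecret(clusterKey, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(clusterKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Layout: nonce || ciphertext || GCM tag, base64 so it fits in YAML.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Managed-cluster side: recover the secret. A wrong key or any bit flip in
// transit fails the GCM tag check and returns an error instead of garbage.
func unprotectSecret(clusterKey []byte, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(clusterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed secret too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Signing pipeline: Ed25519 signature over the exact manifest bytes.
func signManifest(priv ed25519.PrivateKey, manifest []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, manifest))
}

// Admission check: allow only if the signature verifies under the trusted
// public key. Returns the decision and a human-readable reason.
func admit(trusted ed25519.PublicKey, manifest []byte, sigB64 string) (bool, string) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, "malformed signature"
	}
	if !ed25519.Verify(trusted, manifest, sig) {
		return false, "signature does not match manifest"
	}
	return true, "signature verified"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clusterKey := make([]byte, 32)
	rand.Read(clusterKey)

	wrapped, _ := protectSecret(clusterKey, priv)       // hub
	delivered, _ := unprotectSecret(clusterKey, wrapped) // cluster
	sig := signManifest(ed25519.PrivateKey(delivered), []byte(samplePolicy))

	fmt.Println(admit(pub, []byte(samplePolicy), sig))
	// Flip enforce to inform after signing: admission must deny it.
	tampered := strings.Replace(samplePolicy, "enforce", "inform", 1)
	fmt.Println(admit(pub, []byte(tampered), sig))
}
```

The signature covers the manifest bytes exactly as signed, so any change after signing, including a single-character edit to `remediationAction`, is denied; a real verifier would canonicalize the resource first, since the API server does not preserve byte layout.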


Related work



Authors: Jinhong Brejnholt, Charles-Edouard Brétéché
2023-04-20

Authors: Jim Bugwadia, Jayashree Ramanathan, Anca Sailer, Robert Ficcaglia
2022-10-27

Authors: Jim Bugwadia, Aradhna Chetal, Jayashree Ramanathan, Robert Ficcaglia
2021-10-13