Inspiration

As an infrastructure administrator, I spend a lot of time manually reviewing Kubernetes manifests created by my team members before applying them to live clusters. I have to check them by hand and inform the authors about the security best practices they should follow in their manifest files.

To solve this problem, Datree provides a CLI tool that can be plugged into our existing CI/CD systems. Datree comes with a number of useful default policies that a team can use. But organizations have many different use cases that cannot all be addressed by a fixed set of default policies, so Kubernetes administrators will definitely have to create custom policy checks tailored to their organization.

What it does

As mentioned above, creating custom policies is an important requirement for any policy enforcement tool. Datree uses JSON Schema to define custom policies, but it doesn't show examples that would cover most of the use cases. This project solves that.

In this project, I have included 3 custom policies containing 8 different rules. These sample policies can help admins get started quickly with Datree and adopt it for their organization. Easy onboarding to a new tool can be a competitive advantage for the tool's company and help increase conversion rates.

How we built it

I studied JSON Schema in depth and spoke to 3 Kubernetes administrators to come up with a list of interesting policy use cases that are missing from the default list.

I then built 3 policies with 8 rules and created sample Kubernetes manifest files to test all of those rules. I ensured that pass.yaml passes all the rules and that fail.yaml actually fails all 8 rules. This is crucial for developers looking for sample custom policies to implement in their organization.

Challenges we ran into

There were two rules on which I spent more than 4 hours but still couldn't implement on the Datree platform. I did try to discuss them on the Datree Slack channel, but wasn't able to resolve the problems during the hackathon period. The two rules were:

  • Equal memory in requests and limits rule (Stability Policy): Kubernetes can terminate Pods that consume memory beyond their request when memory is needed on the node. This rule promotes stability by ensuring that every container's memory request is exactly equal to its memory limit. To implement this rule, I wanted to extract the value of the memory request and compare it with the value defined in the limit.

  • Maximum ratio of container resource limits to requests (Governance Policy): This rule can be useful for organizations that want to ensure that the ratio of limits to requests stays under a certain value for all containers. Setting a very high limit compared to the request isn't good practice and should be avoided. To implement this rule, I had to perform a division on two values.
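Both rules above need something standard JSON Schema does not provide: comparing the value of one field with the value of another, and dividing two values. A practical fallback is a small script run in CI next to Datree. The following is an added example written for this page, not code from the project or from Datree: it parses Kubernetes resource quantities ("128Mi", "250m", "1e3") and implements both rules over a manifest that has already been loaded into a dict (for instance with PyYAML's yaml.safe_load). The two sample manifests and the ratio bound of 4 are constructed for the example and are not the project's pass.yaml and fail.yaml.

```python
"""Two manifest checks that cannot be expressed in standard JSON Schema:
memory request == memory limit, and limit/request ratio within a bound.
Assumption (example code, not Datree's): the manifest is already a dict,
e.g. from yaml.safe_load(); the sample manifests below are constructed."""
from decimal import Decimal

# Kubernetes resource.Quantity suffixes: decimal SI units and binary (power-of-two) units
_SUFFIX = {
    "n": Decimal("1e-9"), "u": Decimal("1e-6"), "m": Decimal("1e-3"),
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}


def parse_quantity(q) -> Decimal:
    """Convert a Kubernetes quantity ("128Mi", "250m", 2, "1e3") to a plain number."""
    s = str(q).strip()
    # Try the two-letter binary suffixes before the one-letter ones ("Mi" before "M").
    for suf in sorted(_SUFFIX, key=len, reverse=True):
        if s.endswith(suf):
            return Decimal(s[:-len(suf)]) * Decimal(_SUFFIX[suf])
    return Decimal(s)  # bare integer, or exponent form such as "1e3"


def iter_containers(manifest):
    """Yield (name, resources) for each initContainer and container of a Pod,
    or of the Pod template inside a Deployment/StatefulSet/DaemonSet/Job.
    (CronJob's spec.jobTemplate nesting is not handled in this example.)"""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        yield c.get("name", "<unnamed>"), c.get("resources") or {}


def check_equal_memory(manifest):
    """Stability rule: every container's memory request must equal its memory limit.
    Returns a list of failure messages (empty list means the manifest passes)."""
    failures = []
    for name, res in iter_containers(manifest):
        req = res.get("requests", {}).get("memory")
        lim = res.get("limits", {}).get("memory")
        if req is None or lim is None:
            failures.append(f"{name}: memory request and limit must both be set")
        elif parse_quantity(req) != parse_quantity(lim):
            failures.append(f"{name}: memory request {req} != limit {lim}")
    return failures


def check_limit_ratio(manifest, resource="cpu", max_ratio=Decimal(4)):
    """Governance rule: limit / request for `resource` must not exceed max_ratio."""
    failures = []
    for name, res in iter_containers(manifest):
        req = res.get("requests", {}).get(resource)
        lim = res.get("limits", {}).get(resource)
        if req is None or lim is None:
            failures.append(f"{name}: {resource} request and limit must both be set")
            continue
        r, l = parse_quantity(req), parse_quantity(lim)
        if r == 0:
            failures.append(f"{name}: {resource} request is zero, ratio undefined")
        elif l / r > max_ratio:
            failures.append(f"{name}: {resource} limit/request ratio {l / r} exceeds {max_ratio}")
    return failures


# Constructed sample manifests (not the project's own pass.yaml / fail.yaml).
PASS_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app",
        "resources": {"requests": {"memory": "256Mi", "cpu": "250m"},
                      "limits": {"memory": "256Mi", "cpu": "500m"}},
    }]}}},
}

FAIL_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "initContainers": [{"name": "init"}],  # no resources at all
        "containers": [{
            "name": "app",
            "resources": {"requests": {"memory": "128Mi", "cpu": "100m"},
                          "limits": {"memory": "512Mi", "cpu": 2}},
        }],
    },
}

if __name__ == "__main__":
    for label, m in (("pass", PASS_MANIFEST), ("fail", FAIL_MANIFEST)):
        problems = check_equal_memory(m) + check_limit_ratio(m, "cpu", Decimal(4))
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Decimal is used instead of float so that "0.1" CPU and binary byte units compare exactly; a missing request or limit is reported as a failure rather than silently skipped, since a container without a request cannot satisfy either rule.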

Accomplishments that we're proud of

  • Covering most of the use cases that an administrator might want to implement using custom policies. I am sure my project will be helpful to admins who want to get started quickly with the Datree platform and adopt it in their organizations.

What's next

  • Solve the problems in implementing the two rules mentioned above. I'll discuss them with the Datree core maintainers and try to come up with a possible solution.
  • I am certain there are a few use cases I have missed in my policies. I would love to speak to more Kubernetes administrators to find their policy challenges and implement them in the sample policies.
