Kubernetes adoption presents new challenges for governance, as operations teams must verify and enforce rules across Kubernetes clusters and the applications running in those clusters. That’s why Justin McCarthy, CTO and co-founder of StrongDM, recently sat down with Techstrong Group CCO Mike Vizard and a panel of experts to discuss common governance pitfalls, plus the tools and frameworks DevOps, compliance, and security teams are using to help manage them.
The full panel included:
- Ritesh Patel—Co-founder and VP of Product at Nirmata
- Mohamed Ahmed—VP of Developer Platforms at Weaveworks
- Rachel Sweeney—Insights Enablement Engineer at Fairwinds
- Haseeb Budhani—Co-Founder and CEO at Rafay Systems
So, what is required for successful Kubernetes adoption? Here’s the recap:
Flexibility, Meet Standardization
The panel discussed the pitfalls and challenges of Kubernetes governance, including:
- What makes Kubernetes governance so challenging?
- How do you prevent misconfigurations from being distributed across everything and creating havoc?
- How do you apply governance across multiple clouds? What about data centers?
- Are freedom and flexibility the enemies of standardization and governance?
Rachel Sweeney suggested that the best way to avoid misconfigurations and apply governance across multiple platforms is to shift governance earlier in the CI/CD pipeline. That way, she says, “It doesn't matter whether you're going to AWS or to every cloud out there. You can catch [mistakes] early.”
Mohamed Ahmed countered, or perhaps expanded on, this idea, saying, “Ideally you should have your governance applied everywhere: at commit time, at build time, and at run time.”
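To make the "same rules at commit, build and run time" idea concrete, here is an added example (not code from the panel, StrongDM, or any panelist's product) of a single policy function that flags common workload misconfigurations and can be called from a CI check before merge and again from an admission hook at deploy time. The manifests, policy name and rule set are constructed for illustration.

```python
# Added illustration: one policy evaluated at every stage of the pipeline.
# Manifests are constructed samples, written as dicts rather than YAML so
# the script runs with no dependencies.

POLICY_ID = "baseline-workload-policy"  # hypothetical policy name


def check_container(c, where):
    """Return the policy violations for a single container spec."""
    violations = []
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        violations.append(f"{where}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        violations.append(f"{where}: runAsNonRoot is not true")
    # Require an explicit, non-floating image reference (tag or digest).
    last = c.get("image", "").rsplit("/", 1)[-1]
    if ":" not in last or last.endswith(":latest"):
        violations.append(f"{where}: image is untagged or uses 'latest'")
    limits = c.get("resources", {}).get("limits", {})
    if "cpu" not in limits or "memory" not in limits:
        violations.append(f"{where}: missing cpu/memory limits")
    return violations


def evaluate(manifest):
    """Evaluate a Pod or a Pod-template workload (Deployment, Job, ...)."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest["spec"]
    pod = spec if kind == "Pod" else spec["template"]["spec"]
    violations = []
    for c in pod.get("containers", []):
        violations += check_container(c, f"{kind}/{name}/{c.get('name')}")
    return violations


# Constructed sample input: one non-compliant Deployment, one compliant Pod.
BAD = {"kind": "Deployment", "metadata": {"name": "web"},
       "spec": {"template": {"spec": {"containers": [
           {"name": "app", "image": "nginx",
            "securityContext": {"privileged": True}}]}}}}
GOOD = {"kind": "Pod", "metadata": {"name": "api"},
        "spec": {"containers": [
            {"name": "api", "image": "registry.example/api:1.4.2",
             "securityContext": {"runAsNonRoot": True, "privileged": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for m in (BAD, GOOD):
        print(m["metadata"]["name"], evaluate(m) or f"passes {POLICY_ID}")
```

Running this in CI fails the build on the first manifest, while the compliant Pod passes; the same function is what an admission controller would call, so a manifest that bypasses CI is still caught at run time.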
When Ad Hoc Wreaks Havoc
Mike Vizard also asked a series of questions around the topic of shifting left when it comes to cloud security.
- Who's in charge of governance? Developers? At what point does somebody else get involved? What is that relationship, and how is it evolving?
- At what point in your deployment does governance become an issue?
- How often is there forethought, and how often is Kubernetes governance ad hoc?
- Does shifting left make sense for Kubernetes governance? If so, what role do compliance and security teams play?
When it comes to establishing governance from the moment of adoption, Justin McCarthy thinks we’re on the right track, especially for teams deploying an application in a commercial environment. He joked, “You only care about governance if your data is important, and it seems like a minority of companies that would say their data isn't important.”
And security and compliance teams do have a role to play. Justin added, “there is a limit to how much you can pull left at the Kubernetes level,” particularly when working with third-party auditors. While automation is an important tool in gathering and presenting evidence for an audit, you still need a human who knows how the system is configured and how it is supposed to work.
“As-Code” in K8s Governance
Finally, the panelists addressed emerging tools and frameworks to help integrate Kubernetes governance into workflows.
- Are you seeing the emergence of governance as code, where people are using APIs to embed the governance into their flow?
- Does there need to be a change in mindset among security and compliance folks toward more open-source governance tools?
Justin said that automation has a role to play in Kubernetes governance, for example in the form of “automated binding to an identity provider.”
Rachel added that both open-source and SaaS offerings can also play a part, depending on the maturity of the organization. The right choice lands “on a spectrum of how much time and experience you have, and that's going to put you on one end of the spectrum of doing it yourself, hiring somebody to do it for you, or using their software to do it.”
About the Author
Maile McCarthy, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.