Managing policies is not something that m9sweeper created, but it is a process we can improve by leveraging an open source tool called Gatekeeper. Gatekeeper is a Kubernetes interface around Open Policy Agent (OPA), a standard for describing policies as code. OPA has become the established standard for describing the constraints that must be followed when teams deploy workloads into a Kubernetes cluster. It lets you define these rules in OPA's Rego language and then gives you ways of both reporting on compliance and enforcing it.
Gatekeeper is generally very challenging for enterprises to implement. It does not offer much sophistication out of the box, such as applying different rules to different business units within an enterprise. To accomplish that, a user must write code to define these kinds of exceptions, and that code is often error-prone, making a usable policy hard to achieve. Furthermore, OPA policies are written in Rego, an esoteric language that most programmers find nearly incomprehensible and that is very hard to hire for, so adopting OPA through Gatekeeper within an enterprise is challenging and often never completed.
Using m9sweeper's adaptation of Gatekeeper fixes this by:
- Giving you a library of premade OPA policies with a graphical user interface for configuring the options for each policy.
- Giving you a way to create exceptions by namespace or image to a particular Gatekeeper constraint.
- Giving you a lightweight IDE for writing rego code (when necessary) and quickly testing/iterating on it in m9sweeper by simulating it against running applications.
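To make the Gatekeeper primitives above concrete, here is an added example (not m9sweeper's policy library or code) of what writing one such constraint by hand involves: a ConstraintTemplate whose Rego denies privileged containers, and a Constraint that carves out exceptions by namespace and by image. The template name, the excluded namespace and the image prefix are assumed values.

```yaml
# Added example; the template name, namespace and image prefix are assumed.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenyprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sDenyPrivileged
      validation:
        openAPIV3Schema:
          type: object
          properties:
            exemptImages:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyprivileged

        # A container is exempt when its image starts with a configured prefix.
        exempt(image) {
          prefix := input.parameters.exemptImages[_]
          startswith(image, prefix)
        }

        # Only spec.containers is checked here; initContainers would need a second rule.
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          not exempt(c.image)
          msg := sprintf("privileged container %v (image %v) is not allowed", [c.name, c.image])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyPrivileged
metadata:
  name: deny-privileged
spec:
  enforcementAction: dryrun   # report violations only; "deny" blocks admission
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # namespace-level exception
  parameters:
    exemptImages: ["registry.example.com/vendor-tools/"]   # image-level exception
```

Every additional exception type beyond these two has to be expressed in Rego and in the constraint schema, which is the work the GUI and exception features described above are meant to remove.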
M9sweeper is, by far, the easiest-to-install, lightest-touch Kubernetes compliance and security platform. It can be installed in a matter of minutes and uses about as much disk space and memory as a typical mobile phone app.
Your Kubernetes cluster is only as secure as the software running on it. If you are running out-of-date operating system packages, using old code libraries, or running software with too many privileges, then you are open to attack.
Compliance and security policies are usually designed as an ideal-state goal, but in the real world things do not always go as planned. Vulnerabilities can be discovered on any day, and sometimes businesses have code freezes or vendor software deployed that cannot be secured properly for weeks or months.
Managing policies is not something that M9sweeper invented. A tool called Gatekeeper has become incredibly popular for managing policies. Gatekeeper is built on top of Open Policy Agent, a standard for describing policies with code.
“If I had asked people what they wanted, they would have said faster horses.”
– Henry Ford