Armory Policy Engine – CD Governed Admission Policy

Aug 5, 2021 by Nate Reid

In this demonstration, I’ve configured OPA policy at the K8s cluster, allowing only the Spinnaker service account to create a deployment via the kube-api server. Additionally, I’ve defined a policy within the pipeline via Armory Policy Engine, requiring all images be specified with a tag other than ‘latest’. This demonstrates the centralization and consolidation of admission policy for K8s.

Safe Continuous Deployment/Delivery (CD) is a key focus for us at Armory. Establishing policy-driven governance as a core part of CD pipelines is one way we enhance this goal. Through policy, elements of a CD pipeline are controlled at a much finer level than with RBAC alone.

Open Policy Agent (a.k.a. OPA) is a well-known project to Kubernetes (K8s) administrators, providing policy governance where K8s RBAC leaves off . The OPA project describes itself as “an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack”. So, OPA is is a general purpose policy engine that can integrate with any stack, K8s being one of them.

Armory Policy Engine integrates OPA with the CD stack. Policies are applied consistently before deployment, enabling the CD platform to consider policies specific to pipeline creation and execution, along with admissions policies that a kube-api server might otherwise rely on OPA for.

With OPA, we define allow/deny rules that can be applied to requests (CRUD operations, conditional approvals, etc.). These rules are evaluated within the context of those requests. When used with K8s, we insert OPA as an Admission Controller. The kube-api server checks with OPA before executing any CRUD requests that pass an RBAC privilege check.

For example, a principal might have RBAC privileges to create a pod, but we need to ensure the request only pulls images from a trusted registry. With OPA, we can define the list of allowed registries. The kube-api server checks the request against RBAC and then passes it to OPA. Then, OPA parses the registry/image value and returns either allow or deny based on defined policies.

One model I’ve recently begun contemplating is applying policy at the K8s cluster level to effectively deny all requests unless they originate from a CD pipeline. From the pipeline, we can manage the K8s admission policy.

This can be applied across all target clusters, preventing any direct interaction with resources via the kube-api server while enforcing consistent policy from a single policy set definition. Essentially, you can have a single (non-replicated) policy for potentially thousands of K8s clusters that is immediately consistent. Using CD and K8s RBAC, we can restrict privileges to only update the OPA rules via the same CD platform pattern. The end result is an entirely auditable and secure single-source for all K8s cluster policies.

Recently Published Posts

A Faster Way to Evaluate Self-Hosted Continuous Deployment from Armory

Sep 30, 2022

Introducing Quick Spin One of the most common challenges that organizations face when implementing a continuous deployment strategy is the time and focus that it takes to set up the tools and processes. But a secure, flexible, resilient and scalable solution is available right now. Want to see if it’s the right tool for your […]

Read more

3 Common Spinnaker Challenges (and Easy Ways to Solve Them)

Sep 27, 2022

Spinnaker is the most powerful continuous delivery tool on the market.  DevOps engineers and developers recognize this power and are looking to use Spinnaker as a foundational tool in their Continuous Integration and Continuous Delivery (CI/CD) process for hybrid and multi-cloud deployments. Such a powerful, expansive open source tool needs expertise within your organization to […]

Read more

Streamline Advanced Kubernetes Deployments from GitHub Actions with New Armory Service

Sep 23, 2022

Today, Armory is excited to announce the availability of the GitHub Action for Armory Continuous Deployment-as-a-Service. GitHub is where developers shape the future of software. After a developer writes and tests their code in GitHub, it must be deployed. Armory’s GitHub Action for Continuous Deployment-as-a-Service extends the best-in-class deployment capabilities to Kubernetes. CD-as-a-Service enables declarative […]

Read more