How to establish a Kubernetes governance strategy

As the leading IT delivery tool, Kubernetes plays a key role in organizational governance – so much so that developing an effective Kubernetes governance strategy can help establish comprehensive IT governance. Governance is a set of tools and practices that govern the way an organization and its people operate, including how people are held accountable for their decisions and actions. It combines with compliance with applicable laws and regulations, industry standards and internally defined policies.

Without proper governance, organizations face risks ranging from civil and criminal penalties to operational inefficiencies and dissatisfied employees, partners and customers. For this reason, getting Kubernetes governance right is crucial.

Implement Kubernetes governance

Kubernetes governance applies cluster allocation, provisioning, redeployment, and scaling policies. These policies can be set in response to external regulations, by company policies, or by designing an efficient pool of resources and ensuring high application availability and quality of experience.

If Kubernetes governance includes an IT budget justification, these policies can also enforce the conditions set out in the budget justification to ensure the business case is met.

The 3 Elements of a Kubernetes Governance Strategy

Three elements are involved in a Kubernetes governance implementation strategy: goals, scope, and policy guidelines.

  1. Goals are the specific policy objectives that the strategy must meet. Direct goals are the governance goals themselves; derived goals represent the internal steps IT teams must take to ensure the organization achieves those defined goals. The operations team typically establishes these goals as the first step in creating a governance framework.
  2. Scope is the set of elements to which policies must be applied in order to achieve the goals; it must account for every component visible to Kubernetes. Many organizations derive technical scope from the top down, starting with the enterprise and its facility divisions.
  3. Policy guidelines use Kubernetes features to apply governance policies across the specified scopes in pursuit of the direct and derived goals. As the end result of a Kubernetes governance framework, policy guidelines are the final step in establishing Kubernetes governance and are the focus of governance projects.

Types of Kubernetes governance goals

Organizations can group Kubernetes governance goals into the following categories:

  • Security
  • Container Image Controls
  • Network controls and configurations
  • Application deployment, redeployment and scaling

Teams assign a scope to the goals within each category. IT admins use the combinations of goals and scope to create specific policy statements.

Security governance for Kubernetes is typically enforced using third-party tools such as Open Policy Agent, KubeLinter, kube-bench, and kube-hunter. Service meshes like Istio can also be used for containerized microservices. Choose tools carefully, as some security tools can also enforce policies in other target categories. In general, the fewer tools you use, the better.

Container image controls relate to the development and testing process and practices required to move software from testing to production. Governance is enforced here via associated tools and throughout the development and testing processes.

Most organizations enforce more granular restrictions on development and testing than are typically considered part of governance. Start with the specific governance requirements, for example required test flows and the number of alerts, and refine them with additional development guidelines to create a framework that serves governance as well as development and software quality control.

The chosen virtual network tool is the main provider for network control in Kubernetes. Kubernetes assumes that the nodes of a cluster are mutually addressable within the cluster address space, but anything addressed from outside must be exposed explicitly.

The question of what to expose is a matter of application design. Expose no more than is necessary, which improves application security. Controlling addressability within a cluster is possible using virtual network functions, but this can create confusion during cluster maintenance and must be carefully documented.
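The following is an added example, not from the original article, of controlling addressability within a cluster with Kubernetes NetworkPolicy objects: the first policy denies all inbound traffic to every pod in a namespace, and the second re-opens exactly one path. The namespace names (`payments`, `storefront`), pod labels and port 8080 are assumed for illustration.

```yaml
# Added example: default-deny ingress for a namespace, then one explicit allowance.
# Namespace names, labels and port are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}        # empty selector: the policy applies to every pod in the namespace
  policyTypes:
    - Ingress            # Ingress is listed but no rules are given, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-storefront-to-payments-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api  # only the API pods receive this allowance
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Both selectors in one entry: pods labelled app=web in the storefront namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: storefront
          podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
```

Two points matter for governance here. NetworkPolicy objects are only enforced when the cluster's network plugin supports them, so the choice of virtual network tool decides whether this control exists at all. And because policies are additive, the audit question is simply "which allow rules exist in this namespace?", which keeps the documentation burden mentioned above manageable.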

Configuration policies limit which cluster resources organizations or individuals can allocate in the cloud, where additional costs must be considered. They can also prevent organizations from consuming more data center resources than they are entitled to. This type of control is applied directly through Kubernetes management features.
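As an added example (not part of the original article) of a configuration policy applied through Kubernetes' own features, a ResourceQuota caps what one team's namespace may consume in total, and a LimitRange supplies per-container defaults and ceilings. The namespace `team-blue` and all quantities are assumed values.

```yaml
# Added example: namespace-level allocation limits using built-in Kubernetes objects.
# Namespace name and quantities are assumed for illustration.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-blue-quota
  namespace: team-blue
spec:
  hard:
    requests.cpu: "10"          # sum of CPU requests across all pods in the namespace
    requests.memory: 20Gi
    limits.cpu: "20"            # sum of CPU limits
    limits.memory: 40Gi
    pods: "50"                  # object-count quota
    persistentvolumeclaims: "10"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: team-blue-defaults
  namespace: team-blue
spec:
  limits:
    - type: Container
      default:                  # applied as limits when a container declares none
        cpu: 500m
        memory: 512Mi
      defaultRequest:           # applied as requests when a container declares none
        cpu: 100m
        memory: 128Mi
      max:                      # a single container may not ask for more than this
        cpu: "2"
        memory: 4Gi
```

Once a ResourceQuota that constrains compute resources exists in a namespace, the API server rejects pods that do not declare requests and limits for those resources; the LimitRange is what keeps ordinary deployments admissible by filling in defaults. Current consumption against the quota is visible with `kubectl describe quota -n team-blue`, which gives the operations team a direct check on the "entitled to" boundary.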

Kubernetes Features

Application deployment, redeployment, and scaling are the most prominent of all Kubernetes policy categories. These guidelines manage the fundamental problem of orchestration: how pods are assigned to nodes and how those assignments change over time.

Four Kubernetes features are typically involved in pod mapping:

  • Affinities act as attractors that pull pods toward specific nodes. They specify which related application components should be kept together for performance reasons.
  • Taints, unlike affinities, repel pods from nodes. This is useful when local regulations about data and content types make it undesirable to host information on a specific node, or to prevent low-priority applications from using resources needed by higher-priority applications.
  • Tolerations allow granular control of pod assignments to nodes. Pods with a toleration for a specific taint are the only ones that can be scheduled on the tainted node. This allows for a graduated application of taints rather than a strict yes-or-no decision.
  • Horizontal pod autoscaling is a Kubernetes feature that controls a specific pod's response to demand. Under load, a given workload can "scale out" by adding pod replicas across nodes, or "scale in" by removing replicas. This controls whether a given application incurs variable costs as work is allocated to resources, which can easily result in massive cost overruns if left unbounded.

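The four features above combined in one workload, as an added example that is not from the original article: a Deployment that is pinned by node affinity to an assumed EU region, prefers to share nodes with a related cache, tolerates a data-residency taint, and is scaled by a HorizontalPodAutoscaler with an explicit upper bound. The namespace, labels, image name, taint key and all numbers are assumed values.

```yaml
# Added example: affinity, taint toleration and autoscaling for one workload.
# Assumes the EU nodes were tainted beforehand, e.g.
#   kubectl taint nodes <node-name> data-residency=eu:NoSchedule
# Namespace, labels, image and quantities are illustrative.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: records-api
  namespace: records
spec:
  replicas: 2
  selector:
    matchLabels:
      app: records-api
  template:
    metadata:
      labels:
        app: records-api
    spec:
      affinity:
        nodeAffinity:
          # Hard requirement: only nodes in the assumed EU region are eligible
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/region
                    operator: In
                    values: ["eu-west-1"]
        podAffinity:
          # Soft preference: co-locate with the cache pods for latency
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 80
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: records-cache
                topologyKey: kubernetes.io/hostname
      tolerations:
        # Permits scheduling on the tainted EU nodes; does not by itself attract the pod there
        - key: data-residency
          operator: Equal
          value: eu
          effect: NoSchedule
      containers:
        - name: api
          image: registry.example.com/records-api:1.4.2   # assumed image
          resources:
            requests:
              cpu: 250m          # the HPA's utilization target is measured against this request
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: records-api
  namespace: records
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: records-api
  minReplicas: 2
  maxReplicas: 6               # the cost ceiling: scaling never exceeds this replica count
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

Two design choices illustrate the "consider all goals together" point. A toleration only removes the repulsion of a taint; it is the node affinity that confines the workload to the regulated nodes, so a residency goal needs both, while the taint alone keeps every other workload off those nodes. And the HPA's `maxReplicas` is the governance control on variable cost: without it, the scaling goal and the budget goal would conflict. The HPA also depends on the container declaring a CPU request and on the metrics API (for example, the metrics-server add-on) being available in the cluster.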
When working with any of these policy categories, IT teams should consider all of their governance goals together to avoid creating policies that are redundant or conflicting. Consistency is critical to the success of any governance strategy, and for Kubernetes as a whole.
