Security Policies
This section provides an overview of the security policies used in Wayfinder. The policies described here are implemented using Kyverno, a Kubernetes policy engine that can validate, mutate, and generate Kubernetes resources based on custom policies. The policies aim to ensure that the Kubernetes cluster is secure, efficient, and in compliance with best practices.
Our GlobalClusterPolicy object allows any additional policies required to be distributed to all clusters, or a subset of clusters identified by labels. Our default cluster labelling allows targeting by stage, plan, cloud and workspace, and additional labels can be enforced via a cluster plan if finer-grained targeting is needed.
Global Policies
Flux Helm Releases
This global cluster policy validates that all flux HelmRelease resources specify a ServiceAccount (with a specific exception for the Wayfinder service account).
Limit Ranges and Resource Quotas
This global cluster policy restricts changes to the ResourceQuota constraints for resources and the LimitRange policy for objects. ResourceQuota constraints limit the aggregate resource consumption per namespace. The LimitRange policy limits the resource allocation for each object in a namespace. This global cluster policy enforces that only Wayfinder can create, update, or delete ResourceQuota constraints and LimitRange policies.
Default Network Policy
This global cluster policy restricts changes to the default NetworkPolicy. NetworkPolicies govern the network communication between objects such as pods. This enforces that the default-denial-ingress NetworkPolicy cannot be deleted except by a Wayfinder administrator. The default-denial-ingress NetworkPolicy acts as an isolation policy: by default, no ingress traffic between pods is allowed within the namespace it is applied to.
Persistent Volume Storage Classes
This global cluster policy restricts both StatefulSet resources and manually-defined PersistentVolumeClaims from using the "manual" StorageClass.
Block NodePort Service
This global cluster policy prevents the creation of NodePort services for the entire cluster. NodePorts expose a group of pods directly to the outside world.
Below is a summary of the security policies outlined above.
Object Name | Policy Type | Resource Type | Policy Name | Description |
---|---|---|---|---|
flux.default.global | Global | HelmRelease | validate-helmrelease-serviceaccount | Validates that HelmReleases specify a ServiceAccount |
limitranges.default.global | Global | LimitRange, ResourceQuota | block-limitranges-changes | Blocks changes to LimitRanges and ResourceQuotas by non-admins |
networkpolicy.default.global | Global | NetworkPolicy | block-default-policy-changes | Blocks changes to the default denial NetworkPolicy by non-admins |
pvc.storageclass.global | Global | PersistentVolumeClaim, StatefulSet | block-manual-pvc-storageclass, block-manual-statefulset-storageclass | Blocks the use of the manual storage class by PVCs and StatefulSets |
service.nodeport.global | Global | Service | validate-nodeport | Prevents the creation of Services of type NodePort |
Other policies used in Wayfinder
Pod Security Standard (PSS)
PSS allows you to specify security constraints that pods must adhere to before they can be scheduled in your cluster. PSS can be used to restrict which users can create privileged pods or to prevent pods from running as the root user. The PSS level enforced in our default plans is ‘Baseline’, but this can be changed per plan and per cluster as needed.
Network Policies
Network Policies allow you to define rules that control how pods can communicate with each other and with the outside world. You can use Network Policies to enforce segmentation, restrict egress traffic, and block unauthorised access to your applications.
Wayfinder provides a default 'deny all' network policy via the global cluster policy 'networkpolicy.default.global'. This enforces a requirement that all ingress must have an explicit network policy created to permit the traffic, and prevents changes to this default network policy itself, in all application namespaces.
View global policies
Use the wf get globalclusterpolicy command to view a list of global cluster policies.
wf get globalclusterpolicy
NAME STATUS AGE
flux.default.global Success 172d
limitranges.default.global Success 172d
networkpolicy.default.global Success 172d
pvc.storageclass.global Success 172d
service.nodeport.global Success 172d
Create a new network policy
You can follow these steps to create a custom policy for any of the global cluster policies.
Create a new network policy by making a copy of the existing networkpolicy.default.global policy:
- Get the YAML for the existing network policy:
wf get globalclusterpolicy networkpolicy.default.global -o yaml > MYPOLICY.yaml
This copies the networkpolicy.default.global policy and places it in a file MYPOLICY.yaml.
- Edit the kyverno block in the policy as needed, but remember to change the name to reflect that this is a new custom network policy.
- After you have made your edits, apply the new custom network policy:
wf apply -f MYPOLICY.yaml
The copied policy, with the fields you need to change marked, looks like this:
wf get globalclusterpolicy networkpolicy.default.global -o yaml
apiVersion: policydelivery.appvia.io/v1alpha1
kind: GlobalClusterPolicy
metadata:
  name: networkpolicy.custom   # <--- Remember to update the name
spec:
  policy:
    kyverno:                   # <--- Update the kyverno block as needed
      validationFailureAction: enforce
      background: false
      rules:
      - name: block-default-policy-changes
        match:
          resources:
            kinds:
            - NetworkPolicy
            names:
            - default-denial-ingress
        exclude:
          subjects:
          - kind: ServiceAccount
            name: "wf-cluster-admin"
            namespace: "kube-system"
        validate:
          message: "The default denial NetworkPolicy cannot be deleted"
          deny:
            conditions:
              any:
              - key: "{{request.operation || 'BACKGROUND'}}"
                operator: AnyIn
                value:
                - DELETE
                - UPDATE
                - PATCH
                - CREATE
    type: Kyverno
  target:
    cluster: {}
    namespace: {}
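To see how the match, exclude and deny parts of the rule above fit together before you edit the kyverno block, here is an added example (not Wayfinder's or Kyverno's own code) that models the rule's evaluation against a few constructed admission requests. It simplifies Kyverno: names are matched exactly, and a request's subject is represented as a (kind, namespace, name) tuple rather than Kubernetes userInfo.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# The block-default-policy-changes rule from the page, reduced to the fields this
# simplified evaluator needs (the dict shape is this example's own, not Kyverno's schema).
RULE = {
    "match": {"kinds": ["NetworkPolicy"], "names": ["default-denial-ingress"]},
    "exclude": {"subjects": [("ServiceAccount", "kube-system", "wf-cluster-admin")]},
    "deny_operations": ["DELETE", "UPDATE", "PATCH", "CREATE"],
    "message": "The default denial NetworkPolicy cannot be deleted",
}

@dataclass
class Request:
    """A constructed admission request; subject is (kind, namespace, name)."""
    kind: str
    name: str
    operation: Optional[str]            # None models a background scan with no request.operation
    subject: Tuple[str, str, str] = ("User", "", "alice")

def evaluate(req: Request, rule: dict = RULE) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the rule."""
    # match: the rule applies only to the listed kinds and (exact) names
    if req.kind not in rule["match"]["kinds"] or req.name not in rule["match"]["names"]:
        return True, "resource not matched by rule"
    # exclude: the Wayfinder cluster-admin service account is exempt
    if req.subject in rule["exclude"]["subjects"]:
        return True, "subject excluded from rule"
    # deny condition: "{{request.operation || 'BACKGROUND'}}" AnyIn the listed operations
    op = req.operation or "BACKGROUND"
    if op in rule["deny_operations"]:
        return False, rule["message"]
    return True, f"operation {op} is not in the deny list"

def demo() -> dict:
    """Evaluate constructed requests and return label -> allowed."""
    admin = ("ServiceAccount", "kube-system", "wf-cluster-admin")
    cases = {
        "developer deletes default policy": Request("NetworkPolicy", "default-denial-ingress", "DELETE"),
        "developer patches default policy": Request("NetworkPolicy", "default-denial-ingress", "PATCH"),
        "wf-cluster-admin updates default policy": Request("NetworkPolicy", "default-denial-ingress", "UPDATE", admin),
        "developer creates own allow policy": Request("NetworkPolicy", "allow-frontend", "CREATE"),
        "background scan of default policy": Request("NetworkPolicy", "default-denial-ingress", None),
    }
    return {label: evaluate(r)[0] for label, r in cases.items()}

if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The last case shows why the `|| 'BACKGROUND'` default matters: a background scan has no request.operation, so the key falls through to a value that is not in the deny list and the existing object is not reported as a violation.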
Role-Based Access Control (RBAC)
RBAC allows you to define granular permissions for users and service accounts in your cluster. With RBAC, you can restrict who can access and modify resources in your cluster, preventing unauthorised access and reducing the risk of misconfigurations. Wayfinder allows fine-grained control of RBAC in clusters, with just-in-time role binding to allow short-term privilege escalation for specific users, groups or access tokens.
For more information, see the following topics: