Policy as code: building security into Kubernetes platforms
Exploring the evolution of Kubernetes security, multi-tenancy, and future directions.
In this interview, Jim Bugwadia, Co-Founder & CEO at Nirmata, discusses:
How policy as code is becoming the transformational building block for platform engineering teams to automate security in Kubernetes environments
The spectrum of multi-tenancy solutions in Kubernetes, recommending a progressive approach from namespaces for soft multi-tenancy to container sandboxes and VM-based isolation with KubeVirt
His vision for the next decade of Kubernetes, where it will become both more complex and easier to use, with reference architectures emerging from projects like Kyverno and ArgoCD to simplify adoption
Relevant links
Transcription
Bart: So, first things first: who are you, what's your role, and where do you work?
Jim: I'm Jim Bugwadia, co-founder and CEO at Nirmata, and also a maintainer for the Kyverno project.
Bart: What are three emerging Kubernetes tools that you're keeping an eye on?
Jim: There are several interesting projects to pick from. Some I found notable include Kueue, a project from Workgroup Batch meant for batch workloads on Kubernetes. There's also Copa, or Copacetic, from Microsoft, which is a tool to patch images. And of course, Kyverno, which is something we look at every day.
Bart: Now, one of our podcast guests, Calin, said there's a fine line between restricting people and empowering them. When you build a central platform, you are codifying the view of one person or group. How do you balance standardization with team autonomy in your organization?
Jim: What Kyverno does is act as a policy engine where you can write declarative policies using CEL and other languages. This allows different developers and security operations teams to share and collaborate on policies. It strikes a balance between autonomy and self-service, much like every organization needs its policies.
Bart: Our guest, Stefan, chose KubeVirt over namespace isolation and vCluster because he needed to support privileged workloads and root access. What factors influence your choice of multi-tenancy solutions in Kubernetes?
Jim: Kubernetes is a bin packing scheduler at its core. Its heart is how to take heterogeneous workloads and distribute and manage them across resources on worker nodes. Starting with namespaces for soft multi-tenancy makes a lot of sense for different teams. If you need privileged access, you can move to container sandboxes, and where more isolation is required, projects like KubeVirt offer VM-based isolation. There's a range of options, but my recommendation would be to start simple: begin with namespaces as a service and move into harder multi-tenancy as required.
Bart: Our guest expressed that having an automated mechanism is better than enforcing processes. What automation tools or approaches do you recommend for managing Kubernetes resources?
Jim: We're big advocates of policy as code. Just like infrastructure as code has transformed configuration management and provisioning, we feel that policy as code is the transformational block for platform engineering teams to automate security. We believe this is the next big thing in Kubernetes.
Bart: With that in mind, there was a report from Red Hat in 2021 stating that 71% of security vulnerabilities in Kubernetes environments were because of misconfigurations. What's your take on that? What can developers do to implement guardrails from day one to have a better security mindset?
Jim: Using solutions like Kyverno, it's not just possible to shift left, but also to shift down and really build security into the platform itself. Everybody here is building platforms on top of Kubernetes. What we see is being able to bake security into the platform really makes a meaningful impact. Some of our customers at Nirmata first scan and do things in their pipelines, but then they are also able to block things at admission controls, leading to a very clean environment and clean clusters.
Bart: Security compliance in highly regulated environments—such as telco or healthcare—can seem boring. How do you create a security culture where people can be enthusiastic about working with compliance and security in these environments?
Jim: Security is sometimes considered a day two concern or something that gets in the way of productivity. However, we believe there is a balance between security, productivity, and agility. Just like with infrastructure as code, the "as code" part is crucial. Once you think of security or compliance as code, it becomes exciting. This is something platform engineers love and understand—we can integrate security into our GitOps platforms and solutions, automating security best practices.
Bart: Kubernetes turned 10 years old last year. What should we expect in the next 10 years?
Jim: Kubernetes will continue to become both more complex and easier to use. The amazing thing about it is that today you can run AI/ML workloads—90% of LLMs run on Kubernetes. You can run very traditional workloads with projects like KubeVirt, and also microservices in pods that are completely stateless and ephemeral. Kubernetes serves all of these workloads in one common platform, which is fascinating.
More and more we'll see the emergence of reference architectures on top of Kubernetes with projects like Kyverno, ArgoCD, and several others within the community. These tools will become a reference stack for Kubernetes implementations. That's what we're really excited about, and I think it will help simplify Kubernetes even more for new users.
Bart: Back in 2021, we met when I was in the Data on Kubernetes community. We were talking about running stateful workloads on Kubernetes. At that point, it seemed to be quite a significant challenge. Many people didn't like the idea. It came up in the community several times that there are actually security benefits to running stateful workloads on Kubernetes. Do you have any opinion on that?
Jim: One big benefit of Kubernetes is that normalization. Everything, whether it's a stateful workload, a stateless workload, or a new LLM workload, ultimately is a pod. This allows us to standardize and automate. The process of first standardizing and then automating brings a lot of innovation to the space.
Bart: What's next?
Jim: We're announcing a cloud control point at KubeCon. This acts as an admission controller for cloud services. Kubernetes, of course, has built-in admission controls, but now with Nirmata, you can apply that same admission control logic to any cloud service, whether it's Azure Bedrock, ECS, or any cloud service or container service you're using.
Bart: How can people get in touch with you?
Jim: I'm available on Kubernetes and CNCF Slack as JimBugwadia, or you can reach out on LinkedIn, GitHub, or X. Feel free to contact me on any social media platform of your choice.
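To make the "block things at admission control" point above concrete, here is an added example of a Kyverno policy written with CEL, as Jim describes. It is not part of the interview and not taken from the Kyverno project's policy library; it assumes Kyverno 1.11 or later (which introduced `validate.cel`), and the policy name, the message text and the violating Pod below are all constructed for illustration. The policy enforces the kind of baseline that the namespaces-as-a-service model relies on: no tenant workload may run a privileged container, in regular, init or ephemeral containers.

```yaml
# Added example: a Kyverno ClusterPolicy that rejects privileged containers
# at admission time. Policy name, message and the test Pod are constructed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  # Enforce rejects the request; Audit would only record a PolicyReport.
  validationFailureAction: Enforce
  # Also evaluate resources that already exist in the cluster.
  background: true
  rules:
    - name: no-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            # A container is compliant when securityContext is absent,
            # privileged is absent, or privileged is explicitly false.
            - expression: >-
                object.spec.containers.all(c,
                  !has(c.securityContext) ||
                  !has(c.securityContext.privileged) ||
                  !c.securityContext.privileged)
              message: "Privileged containers are not allowed."
            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(c,
                  !has(c.securityContext) ||
                  !has(c.securityContext.privileged) ||
                  !c.securityContext.privileged)
              message: "Privileged init containers are not allowed."
            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(c,
                  !has(c.securityContext) ||
                  !has(c.securityContext.privileged) ||
                  !c.securityContext.privileged)
              message: "Privileged ephemeral containers are not allowed."
---
# Constructed Pod that violates the policy and should be rejected.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell
  namespace: team-a
spec:
  containers:
    - name: shell
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        privileged: true
```

The policy can be checked offline before it ever reaches a cluster with the Kyverno CLI, which evaluates a policy against resource manifests without an API server: split the two documents into `policy.yaml` and `pod.yaml` and run `kyverno apply policy.yaml --resource pod.yaml`; the Pod fails the `no-privileged-containers` rule. Once applied to a cluster with `kubectl apply -f policy.yaml`, a `kubectl apply -f pod.yaml` is denied at admission with the rule's message, which is the "shift down" behaviour the interview describes. Note that the ephemeral-container expression matters because `kubectl debug` adds containers to a running Pod after the original admission decision, so a policy that only inspects `spec.containers` leaves that path open.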