Loft Labs Launches Open Source K8s Compliance Project
Loft Labs today launched jsPolicy as an open source project to enable compliance in Kubernetes environments to be achieved using code written in JavaScript.
Lukas Gentele, Loft Labs CEO, says jsPolicy differs from other approaches to compliance-as-code in that it employs a programming language that large numbers of developers already know. The JavaScript execution in jsPolicy is based on the V8 JavaScript engine developed by Google, so it’s also faster and uses less memory than the Rego programming language developers need to learn to employ Open Policy Agent (OPA) software, notes Gentele.
That approach also makes it simpler for software engineers to understand why an operation might have been denied because they can understand code written in JavaScript, adds Gentele.
OPA is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF). It became an incubating project in 2019 and officially graduated in February of 2021. Gentele suggests that more time should pass before officially designating one approach versus another as being graduated. The CNCF makes it clear it is not trying to pick a winner in any category, but assigning a project a top-level status creates a perception within the larger open source community that might discourage additional innovation, notes Gentele.
Regardless, it’s not uncommon for the CNCF to adopt projects that address the same issue in a different manner once it’s deemed there is a sufficient level of support for a project.
The compliance framework is the second open source project launched by Loft Labs in as many months. The company has also launched an open source vcluster project, which makes available a tool to enable applications to share the same Kubernetes cluster in isolation from one another.
As DevSecOps best practices for managing security as code continues to gain traction it’s only a matter of time before more organizations start to also manage compliance as code. As is the case with security, the challenge is finding a way to make managed compliance-as-code a natural extension of a DevOps workflow without significantly slowing down the rate at which applications are developed.
Just as in security, there are also whole cadres of IT professionals that focus on compliance management. The processes those compliance teams employ will need to be aligned with DevSecOps workflows.
It’s conceivable the motivation to incorporate compliance tools within DevOps workflows is actually higher than it is for security tools. There is a very real cost that organizations experience when a compliance mandate is not met or simply ignored. In contrast, security is perceived as a potential risk that might create some unknown cost, which makes it challenging to ascribe a specific return on investment to any security tool.
One way or another, however, both compliance and security will become extensions of DevOps workflows. There may even come a day when both security and compliance are just one more requirement in a larger quality assurance process that most application development teams, to varying degrees, already implement.