Enable a Great Kubernetes Developer Platform Experience

A platform, also known as an internal developer platform (or IDP), is infrastructure that enables development teams to deliver applications more quickly, easily and consistently. Kubernetes itself is a powerful platform, but it introduces too much complexity and too many features to simply turn over to development teams as an IDP and expect them all to be successful. It’s very important to put some guardrails in place to enable them to use K8s effectively without increasing risks related to reliability, cost efficiency, and security.

While Kubernetes isn’t great as an IDP on its own, it is a solid foundation for building an IDP. Kubernetes provides platform engineers with many tools to build an IDP for developers that offers a more streamlined way of building and running applications. So, the next logical question is how to build a platform that provides a positive developer experience and doesn’t get in the way of deploying to production environments. There are some great ways you can prevent bad things from happening in your cluster by applying guardrails using policy and governance, role-based access control (RBAC) and default network policies.

Components of a Kubernetes Platform

A Kubernetes-based IDP includes not only Kubernetes, of course, but also the tooling and processes your developers need. The IDP needs to include the policies and governance that you want to establish as guardrails in Kubernetes as well. This combination enables you to provide your developers with a “happy path” that allows them to deploy applications faster. There are four primary components that make up your Kubernetes platform:

Add-Ons

Add-ons are the tools you need to provide default “out of the box” capabilities that extend the functionality of Kubernetes, including DNS, TLS, ingress, logging, tracing and more. These can be open source projects as well as vendor software.

Create Governance

Kubernetes governance is the process of creating the policies, procedures and standards that define and enforce best practices in the Kubernetes platform, covering resource management, scheduling, upgrades and role-based access control.

Enable Deployment (CI/CD)

This is how your application gets from code into your platform. In an IDP, you’re creating a “happy path” for devs to deploy new applications and services into the platform more easily while still being efficient and secure.

Provide Feedback

An essential part of an IDP is providing timely feedback to development teams. This part of your platform must include rapid detection and notification of issues integrated with the tools they already use. It should also provide developers with suggested remediation options during the code review process.

Governance and Policy: A Three-Phased Approach

When you’re thinking about how to apply governance and policy in Kubernetes, it really is a process. It begins when you start selecting and/or creating the necessary policies. Next, you need an automated way of identifying policy violations, then guidance on how to remediate those policy violations. Finally, you need to be able to automatically block those violations from entering your cluster(s).

Teams frequently begin to deploy Kubernetes without encountering any initial issues. Your development teams may even seem content, coding and shipping apps and services without any apparent issues. Unfortunately, platform teams often realize later that they missed setting up some important guardrails to help maintain security and consistently apply best practices. In many platforms, it’s easy for devs to deploy what they want when they want. And unless someone on your team goes back and manually reviews all the settings, it’s possible to be unaware of any issues until something goes wrong.

You can use an open source policy engine, such as Polaris or Open Policy Agent (OPA), to apply your policies automatically in Kubernetes. Using solutions like these, you can make sure that your configurations align with your policies in your environments, which can help you keep everything running smoothly.

Selecting Policies

When embarking on a journey to use policy for enforcing Kubernetes best practices related to cost efficiency, security and reliability, operators are often not sure where to start or what to focus on. The best way to get started is to identify what is important to you; that is how you will create your policies. If cost is the most important thing for you, then focus on policies that affect cost, such as resource requests and limits. If security is your primary focus, then start with containers running as root or with generating default network policies. Our advice is to start small: pick one or two policies that move you toward your goals and implement those across the board.

Identifying, Remediating and Blocking Violations

Next you need to figure out where you are currently violating policies in your cluster and begin remediating those issues one by one. After you fix the issues in your critical categories, you can begin enforcing your policies at admission time. Once you’ve started blocking these first one or two policies at admission, you can rest easy knowing that these issues shouldn’t pop up again, and you can repeat the process with the next set of policies you want to enforce. Before you know it, you’ll be as efficient and secure as possible.
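The three policies named above (resource requests and limits, containers running as root, default-deny network policies) and the audit-then-enforce progression described in this section can be made concrete with a small policy checker. The following is an added example written for this article; it is not Polaris, OPA or Fairwinds code. It evaluates plain Python dictionaries in the shape of parsed Kubernetes manifests (the manifests, namespace name and policy identifiers are constructed for the example), reports every finding with a remediation hint, and only rejects an object for the policies you have chosen to enforce, which is how an admission webhook can phase enforcement in one policy at a time.

```python
"""Added example: a minimal audit/enforce policy checker for Kubernetes manifests.
Not Polaris, OPA or Fairwinds code; manifests and policy names are constructed."""
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Violation:
    policy: str        # constructed policy identifier, e.g. "run-as-root-allowed"
    subject: str       # container or namespace the finding applies to
    remediation: str   # what the developer should change


def _containers(manifest: dict) -> Iterator[tuple[str, dict, dict]]:
    """Yield (name, container, pod_spec) for a Pod or any workload with a Pod template."""
    spec = manifest.get("spec", {})
    pod_spec = spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        yield c.get("name", "<unnamed>"), c, pod_spec


def check_resources(manifest: dict) -> list[Violation]:
    """Cost/reliability policy: every container sets CPU and memory requests and limits."""
    found = []
    for name, c, _ in _containers(manifest):
        res = c.get("resources", {})
        missing = [f"{section}.{kind}" for section in ("requests", "limits")
                   for kind in ("cpu", "memory") if kind not in res.get(section, {})]
        if missing:
            found.append(Violation("resources-missing", name,
                                   "set resources." + ", resources.".join(missing) + f" on container {name!r}"))
    return found


def check_non_root(manifest: dict) -> list[Violation]:
    """Security policy: a container must not run as UID 0. A container-level
    securityContext overrides the pod-level one, so both are consulted."""
    found = []
    for name, c, pod_spec in _containers(manifest):
        pod_sc = pod_spec.get("securityContext", {})
        sc = c.get("securityContext", {})
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        # Root is explicit (uid 0) or possible (nothing pins the user and runAsNonRoot is not true).
        if uid == 0 or (uid is None and non_root is not True):
            found.append(Violation("run-as-root-allowed", name,
                                   f"set securityContext.runAsNonRoot: true on container {name!r}"))
    return found


def check_default_deny(manifests: list[dict], namespace: str) -> list[Violation]:
    """Security policy: the namespace carries a default-deny NetworkPolicy, i.e. one whose
    podSelector matches every pod and whose policyTypes includes Ingress."""
    for m in manifests:
        if m.get("kind") != "NetworkPolicy" or m.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = m.get("spec", {})
        selector = spec.get("podSelector", {})
        if (not selector or selector == {"matchLabels": {}}) and "Ingress" in spec.get("policyTypes", []):
            return []
    return [Violation("default-deny-networkpolicy-missing", namespace,
                      f"add a NetworkPolicy in {namespace!r} with an empty podSelector and policyTypes [Ingress, Egress]")]


WORKLOAD_POLICIES = (check_resources, check_non_root)


def evaluate(manifest: dict) -> list[Violation]:
    """Phase 1 and 2: identify every violation and attach remediation guidance."""
    return [v for policy in WORKLOAD_POLICIES for v in policy(manifest)]


def admit(manifest: dict, enforced: tuple[str, ...] = ()) -> tuple[bool, list[Violation]]:
    """Phase 3: admission decision for one object. All policies are still evaluated
    for audit output, but only the policy ids listed in `enforced` block the object."""
    violations = evaluate(manifest)
    blocking = [v for v in violations if v.policy in enforced]
    return not blocking, violations


# Constructed sample manifests for namespace "shop".
BAD_DEPLOYMENT = {  # no resources, no securityContext
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example/api:1.0",
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"runAsNonRoot": True},
    }]}}},
}
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for m in (BAD_DEPLOYMENT, GOOD_DEPLOYMENT):          # audit only: nothing is blocked yet
        allowed, findings = admit(m)
        print(m["metadata"]["name"], "allowed" if allowed else "rejected")
        for v in findings + check_default_deny([m], "shop"):
            print("  ", v.policy, v.subject, "->", v.remediation)
    allowed, _ = admit(BAD_DEPLOYMENT, enforced=("resources-missing",))   # first policy enforced
    print("with resources-missing enforced:", "allowed" if allowed else "rejected")
```

Running the script first prints every finding for both deployments without rejecting anything, which corresponds to the identify-and-remediate phases; the final line shows the same bad deployment being rejected once a single policy id is moved into the enforced set. Adding the next policy to that tuple is the repeat step described above.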

Build a Robust IDP

For an internal developer platform, applying Kubernetes governance and policy enables you to efficiently and effectively manage your resources to help control costs and ensure applications have the resources they need to function optimally. It also helps you ensure security and compliance by controlling access and implementing best practices, as well as increasing reliability and resilience by establishing standard, automated processes for application deployment and scaling. Robust Kubernetes governance and policy are critical components of building a secure, efficient and reliable internal developer platform that serves the needs of both your developers and your organization as a whole.

Andy Suderman

Andy Suderman is the chief technology officer at Fairwinds, the leading provider of software for Kubernetes platform engineers to standardize and enable development best practices. He can be reached at [email protected].
