Styra Brings Compliance as Code to Kubernetes
Styra today announced it has added support for Kubernetes Mutating Webhooks and a new compliance pack for pod security policies (PSP) to its software-as-a-service (SaaS) platform for managing container compliance.
Company CEO Bill Mann says this marks the first time support for Kubernetes is being provided via the company’s Declarative Authorization Service (DAS), which is based on open source Open Policy Agent (OPA) software adopted as an incubation level project by the Cloud Native Computing Foundation (CNCF).
Mutating Webhooks are based on Kubernetes Admission Control application programming interfaces (APIs), which enable DevOps teams to programmatically add compliance controls as code to an application. Styra DAS leverages that capability, for example, to enforce a policy that automatically adds an appropriate sidecar, such as a proxy, to a workload.
PSPs, meanwhile, allow developers to control access to the host operating system. Built into a Kubernetes cluster as a core feature, PSPs allow developers to enforce runtime permissions for a container in addition to permit actions on the kernel. Via Styra DAS developers can now build, save and distribute PSP policy in discrete “packs” to reduce time spent writing and configuring policies from scratch. Styra DAS also makes it possible to automate the distribution of PSP policies across multiple clusters to eliminate the potential for human error.
Mann says Styra DAS is designed to enable DevOps teams to more easily author, distribute, monitor and analyze instances of compliance as code built using OPA. Rather than having to perform those tasks manually, Styra DAS provides access to a control plane to manage that process end to end, he says.
Adoption thus far of OPA and Styra DAS is being driven mainly by developers looking for a way to programmatically address compliance requirements before deploying containerized applications in a production environment, says Mann. However, as more Kubernetes clusters are deployed in those production environments, it is now only a matter of time before compliance teams within organizations start to exercise more influence, he notes, adding as that transition occurs, demand for a control plane in the cloud to oversee the implementation of compliance as code will only increase.
Much like security, responsibility for implementing compliance controls is increasingly shifting left toward developers. Many developers have historically viewed compliance as a corporate function that slows down the rate at which applications are deployed. Being able to implement compliance controls themselves significantly accelerates the compliance review process, assuming the controls any application requires are well-defined.
It’s not clear yet to what degree the teams who have managed compliance are embracing the concept of compliance as code. As with any shift to the left involving best DevOps practices, the biggest challenge is changing the culture within the organization. Traditional compliance teams will not be eliminated. Rather, their focus will be narrowed to defining and verifying that the proper compliance controls have been implemented. Of course, if those controls are defined as code, developers also have no excuse now for implementing them, which, in theory at least, should make the next compliance audit a whole lot less stressful for all concerned.
