Policy
Policy defines an organization's business rules and governance around areas like compliance, security, cost, and consistency. Policy can be applied to entities at different levels of granularity. It can be used to surface non-compliance for audit purposes, to enforce compliance through policy gates for control purposes, or both.
Policy as code is an approach that treats policy artifacts as source code. This is conceptually similar to Infrastructure as Code (IaC) and provides similar benefits around repeatability and version control.
Characteristics
Definitions
A policy definition is a policy artifact that typically describes, at a minimum, a collection of parameters, a set of compliance conditions, and the actions to take if the conditions aren't met.
Examples of policy definitions include Azure Policy Definitions in the Azure Policy ecosystem and Constraint Templates in the Gatekeeper ecosystem.
Assignment
A policy assignment is a policy artifact that applies an instance of a policy definition to a collection of entities through parameter values and scopes.
Examples of policy assignments include Azure Policy Assignments and Gatekeeper Constraints.
Enforcement
A policy gate is used to enforce policy against entities being added to or modified within a system. The policy gate is typically built using a policy engine, the policy definitions, and the policy assignments.
Examples of services and tools that enforce policy include Azure Policy and Gatekeeper.
Audit
Often there is a requirement to report policy compliance through an audit across a collection of entities without taking any action to enforce the policy. This is common when policy has been updated over time and existing entities are no longer compliant with the updated policy; manual intervention to correct those entities may be preferable to automatic enforcement that breaks the running system.
Examples of audit capability include Azure Policy Compliance States and Gatekeeper Audit.
Examples
Enforcement
- The "Improve release artifact and workload integrity in Kubernetes via a secure software supply chain" solution demonstrates policy enforcement in an AKS cluster. The policy enforcement is achieved through the Kubernetes admission controller mechanism, which allows Kubernetes to intercept requests to the Kubernetes API server before they are persisted. In the solution, Gatekeeper is a policy controller that is registered with the admission controller and enforces policy related to software integrity and governance.