Policy-as-Code
Definition
Policy-as-Code is the practice of expressing security and compliance policy as machine-readable code (YAML, Rego, or similar) that an enforcement point evaluates automatically, rather than as a document that people are expected to follow by hand. Because the policy is code, it lives in version control, is reviewed and tested like any other change, and can be evaluated in CI/CD before a change reaches production as well as at admission time in the running system, which gives consistent enforcement and removes manual review as the only control. The Kubernetes PodSecurityPolicy manifests below are one concrete form of this: the policy is a resource checked into the repository and applied by the API server to every Pod it admits. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the same controls are now expressed through the built-in Pod Security Admission profiles (privileged, baseline, restricted) or a policy engine such as OPA Gatekeeper or Kyverno, and the intent of the examples carries over unchanged.
Secure Settings Example
# Example of a Kubernetes PodSecurityPolicy using Policy-as-Code.
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; the same
# intent maps to the Pod Security Admission "restricted" profile.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                 # no access to host devices
  allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
  requiredDropCapabilities:
    - ALL                           # start from an empty capability set
  runAsUser:
    rule: 'MustRunAsNonRoot'        # UID 0 is rejected
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:               # required by the PSP schema
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  volumes:                          # no hostPath, so the node filesystem stays out of reach
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
Insecure Settings Example
# Insecure Kubernetes PodSecurityPolicy example. A Pod admitted under this
# policy can run as root, privileged, and mount any volume type (including
# hostPath), which amounts to root on the node.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  privileged: true                  # full access to host devices
  allowPrivilegeEscalation: true
  runAsUser:
    rule: 'RunAsAny'                # UID 0 permitted
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:               # required by the PSP schema
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - '*'                           # includes hostPath
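The enforcement step the Definition describes, applied to the two policies above, as an added example that is not part of this page and not Kubernetes code: a small Python checker that evaluates a Pod manifest against a PodSecurityPolicy-style ruleset and returns the violations, the way an admission controller or a CI gate would. The policies are the restricted and permissive manifests from this page transcribed as dicts; the two Pod manifests are constructed sample inputs; the function names (evaluate, gate) are mine. It covers a subset of the PSP fields (privileged, allowPrivilegeEscalation, requiredDropCapabilities, runAsUser, fsGroup, volumes) and not the full admission semantics.

```python
"""Added example (not Kubernetes code): a policy-as-code gate that evaluates a
Pod manifest against a PodSecurityPolicy-style ruleset and lists violations."""
import sys

# The 'restricted' and 'permissive' policies from this page, transcribed as dicts.
RESTRICTED = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI"],
}
PERMISSIVE = {"privileged": True, "allowPrivilegeEscalation": True,
              "runAsUser": {"rule": "RunAsAny"}, "fsGroup": {"rule": "RunAsAny"},
              "volumes": ["*"]}

# Constructed sample Pods: one a hardened policy must reject, one that passes.
BAD_POD = {"metadata": {"name": "debug"}, "spec": {
    "securityContext": {"fsGroup": 0},
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
}}
GOOD_POD = {"metadata": {"name": "app"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "fsGroup": 2000},
    "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}


def _containers(pod):
    """Init containers are subject to the policy too, so check both lists."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def evaluate(policy, pod):
    """Return the list of violations; an empty list means the Pod is admitted."""
    violations = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})

    for c in _containers(pod):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        # PSP defaults when a field is omitted: privileged=false,
        # allowPrivilegeEscalation=true.
        if not policy.get("privileged", False) and sc.get("privileged"):
            violations.append(f"{name}: privileged container not allowed")
        if not policy.get("allowPrivilegeEscalation", True) and sc.get("allowPrivilegeEscalation"):
            violations.append(f"{name}: allowPrivilegeEscalation=true not allowed")
        dropped = set(sc.get("capabilities", {}).get("drop", []))
        for cap in policy.get("requiredDropCapabilities", []):
            if cap not in dropped:
                violations.append(f"{name}: must drop capability {cap}")
        if policy.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot":
            # Container-level securityContext overrides the Pod-level one.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if uid == 0 or (uid is None and non_root is not True):
                violations.append(f"{name}: must run as non-root")

    # PSP would default an unset fsGroup to the first range's min, so only a
    # value the Pod actually sets is validated here.
    fs = policy.get("fsGroup", {})
    if fs.get("rule") == "MustRunAs" and "fsGroup" in pod_sc:
        gid = pod_sc["fsGroup"]
        if not any(r["min"] <= gid <= r["max"] for r in fs.get("ranges", [])):
            violations.append(f"fsGroup {gid} outside allowed ranges")

    allowed = policy.get("volumes", [])
    if "*" not in allowed:
        for v in pod.get("spec", {}).get("volumes", []):
            # A volume's type is whichever key it carries besides 'name'.
            for vtype in (k for k in v if k != "name"):
                if vtype not in allowed:
                    violations.append(f"volume {v.get('name')}: type {vtype} not allowed")
    return violations


def gate(policy, pods):
    """CI entry point: prints a report and returns 1 if any Pod is denied."""
    exit_code = 0
    for pod in pods:
        found = evaluate(policy, pod)
        print(f"{pod['metadata']['name']}: {'DENY' if found else 'ALLOW'}")
        for msg in found:
            print(f"  - {msg}")
        if found:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(gate(RESTRICTED, [GOOD_POD, BAD_POD]))
```

Run as a pipeline step, the non-zero exit from gate() fails the build before the manifest reaches the cluster; the same evaluate() logic is what an admission webhook would apply at deploy time, which is the point of keeping policy in one reviewed place rather than in two hand-maintained checklists. Under the permissive policy the debug Pod is admitted with no findings, which is exactly why that policy is the insecure example.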