Policy Management

Policies are a logical grouping of rules applied to the applications you deploy through them.

Creating Policy Frameworks

You can create a policy framework using your Lens AppIQ dashboard through the Policy page. To access it, go to "Policies."

When you click on the Create button, a policy creation workflow will guide you through the different options you have to secure your applications.

  • General

The first step in the workflow is the General tab, where you will be able to define:

Field | Description
Name | The name of the framework
  • Resource Consumption

Resource consumption rules limit the amount of CPU and memory that applications can consume. A policy violation is reported if an application's Deployment is configured to use more than the resource limits defined here. These limits are also applied automatically to applications deployed through Lens AppIQ.

  • Access Control

The access control section of the workflow allows you to select which teams can deploy applications using the new framework. Multiple teams can be selected.

Field | Description
Teams | The teams that can deploy their applications through the framework. Multiple teams can be selected, and they must exist before the framework is created.
Make the framework public | If selected, the framework is made available to all teams on Lens AppIQ to deploy their applications through it.
  • Auto Scale

Auto scale gives you control over application scalability by using the Kubernetes Horizontal Pod Autoscaler (commonly known as HPA). To set it up for all apps using the framework, check the option "Enable application auto-scale" and provide the required replica counts and the CPU percentage that should be used as the threshold to trigger autoscaling.

Field | Description
Enable application auto-scale | Enables the auto-scale policy in the framework
Allow app-level policies | Determines whether applications can override the framework's auto-scaling rules during their deployment
Min replicas | The minimum number of replicas that an application's pods should have
Max replicas | The maximum number of replicas that an application's pods can reach when scaling out
CPU percentage | The CPU percentage threshold that pods must reach to trigger auto scaling
  • Registry Control

The registry control step of the workflow restricts the registries from which application images can be pulled.

Multiple registry URLs can be specified in this step, with one entry per line.

  • Application Control

This step defines the node selector rules and allowed CNAMEs that applications deployed through this framework must hold.

Field | Description
Node labels | List of labels and values that an application must hold to be deployed on a specific node of the cluster
Enable strict mode | Boolean flag that determines whether only one of the node selectors needs to be present or whether all of them must exist. Any app that does not comply with this rule reports a policy violation
Allowed CNAMEs | A list of CNAMEs that your application may have. Any CNAME outside this list reports a policy violation
  • Network Policy Setup

You can leverage frameworks to enforce detailed network policies to applications deployed through them.

Field | Description
Enforce Network Policy | If selected, the framework adds two additional steps to the workflow so you can define ingress and egress policies. Note: the network policies defined at the framework level are applied automatically to every application deployed through this framework.
Allow app-level policies | Network policies defined at the framework level are applied automatically to every application deployed through it. If you check this box, the application owner can customize the network policies for their specific application after deployment. If not, the application owner cannot change their application's network policy.
  • Security Scans

Lens AppIQ has a built-in scanner, based on Clair, that scans applications and images. You can also list specific components and vulnerabilities that Lens AppIQ should ignore when deploying applications. Scans run both during and after deployment.

Field | Description
Disable app scans | If selected, Lens AppIQ will not perform automated application-level security scanning, at deployment or post-deployment time, for applications deployed through the framework.
Disable platform scan | If selected, Lens AppIQ will not perform automated image-level security scanning, at deployment or post-deployment time, for applications deployed through the framework.
Components to ignore on scans | If desired, you can specify an individual component or a group of components that Lens AppIQ should ignore when scanning applications deployed through this framework. The components specified here are treated as exceptions by Shipa.
CVEs to ignore on scans | If desired, you can specify an individual CVE or a group of CVEs that Lens AppIQ should ignore when scanning applications deployed through this framework. The CVEs specified here are treated as exceptions by Shipa.

Attaching a Policy to a Namespace

To enforce the policy over a group of applications, you will need to attach it to the namespace where those apps are deployed. To do so, go to your policy list and locate the button "Attach". Click on it to display more options.

A modal window appears listing all available namespaces (across different clusters) so you can select as many as needed. Pick the ones of your choice and click the button Attach.

Your policies are now applied to the selected namespaces, and the control plane starts running scans against the apps running in them to determine their compliance status based on the policy rules. Apps that respect the defined rules are listed with 0 violations; apps that do not display a violation icon.

Click the number of violations next to your app to see the report generated for it.

Now, it is easier than ever to ensure the compliance of your applications running across multiple clusters.

Detaching a Policy from a Namespace

To detach a policy from a given namespace, locate the policy of your choice and click the option Detach.

A modal window opens so you can select all namespaces you want to detach from this policy. Make your selection and click the button Detach.

The policy is immediately detached from the selected namespaces, and the apps running in them are no longer monitored by its rules. From that point onward, no further policy violations are reported for those apps.

Editing Policy

You can edit existing policies using your Lens AppIQ dashboard through the policy page.

When editing policies, Lens AppIQ will open the policy creation workflow to give you a structured view of all details assigned to the specific policy you are editing.

When you click Update at the end of the workflow, Lens AppIQ updates the policy, and new applications deployed through it automatically have the new configuration enforced.

Deleting Policy

You can delete existing policies using your Lens AppIQ dashboard through the policy page. Locate the Delete button and click on it.

Confirm the operation and wait until the policy is removed.