Policy Management

A policy is a logical grouping of rules that is attached to a cluster namespace to monitor the compliance state of all applications running in it.

Creating a Policy

You can create a policy using your Lens AppIQ dashboard through the Policy page. To access it, go to "Policies."

When you click on the Create button, a policy creation drawer will let you choose different options to secure your applications.

General

To create a policy, you must define:

| Field | Description |
|-------|-------------|
| Name | The name of the policy |
| Teams | The teams that will be able to use the policy |

Rules

The next step is to define the rules that the policy should monitor on your applications.

  • Resource Consumption

Resource consumption rules are used to control the amount of CPU and memory that applications should reserve/consume. A policy violation is reported if an application uses more than the defined resource limits based on the workload spec definition (Deployment, StatefulSet, DaemonSet). These limits are also automatically enforced on apps deployed using the Lens AppIQ deployment engine.
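The following added example (not Lens AppIQ's own code) shows how such a check can be run against a workload spec: it parses Kubernetes quantities and compares each container's limits with the policy caps. The function names, the sample Deployment, and the choice to report a missing limit as a violation are assumptions made for illustration.

```python
from decimal import Decimal

# Binary and decimal suffixes used by Kubernetes quantities (E/P omitted).
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
           "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_quantity(q) -> Decimal:
    """Convert '500m', '2', '256Mi' or '1G' to cores (CPU) or bytes (memory)."""
    q = str(q).strip()
    if q.endswith("m"):                      # milli-units, e.g. 500m = 0.5 core
        return Decimal(q[:-1]) / 1000
    for suffix in ("Ki", "Mi", "Gi", "Ti", "k", "M", "G", "T"):
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * _SUFFIX[suffix]
    return Decimal(q)


def resource_violations(workload: dict, max_cpu: str, max_memory: str) -> list:
    """Return (container, resource, value) for every limit above the policy cap.
    Assumption: a container with no limit set is reported as well."""
    caps = {"cpu": parse_quantity(max_cpu), "memory": parse_quantity(max_memory)}
    found = []
    for c in workload["spec"]["template"]["spec"]["containers"]:
        limits = c.get("resources", {}).get("limits", {})
        for resource, cap in caps.items():
            if resource not in limits:
                found.append((c["name"], resource, "no limit set"))
            elif parse_quantity(limits[resource]) > cap:
                found.append((c["name"], resource, limits[resource]))
    return found


# Constructed sample Deployment (only the fields the check reads).
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [
        {"name": "web",
         "resources": {"limits": {"cpu": "750m", "memory": "256Mi"}}},
        {"name": "sidecar"},                 # no resources block at all
    ]}}}}

if __name__ == "__main__":
    for v in resource_violations(SAMPLE_DEPLOYMENT, "500m", "512Mi"):
        print(v)
```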

  • Auto Scale

Auto scale gives you control over application scalability by using Kubernetes' Horizontal Pod Autoscaler (commonly known as HPA). To monitor HPA in your apps, check the option "enable application auto-scale" and provide the required replicas and the CPU percentage that should be used as a threshold to trigger the autoscaling process. If an application has configured different parameters for autoscaling, a violation will be reported.

  • Registry Control

The registry control option is used to restrict the registries where application images can be pulled from. Multiple registry URLs can be specified if needed.
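The added example below (not Lens AppIQ's own code, and not a statement of how it matches registries) shows a registry allowlist check on image references. It parses the registry host with Docker's reference rules and compares it exactly, because a prefix test on the raw image string would also accept look-alike hosts. The allowlist, function names and sample pod spec are assumptions made for illustration.

```python
# Constructed allowlist; an entry must match the parsed host exactly,
# including any port.
ALLOWED_REGISTRIES = {"registry.example.com", "ghcr.io"}


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.
    Docker's rule: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image is from Docker Hub."""
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def is_allowed(image: str, allowed=ALLOWED_REGISTRIES) -> bool:
    # Exact host comparison: 'registry.example.com.attacker.test/app' starts
    # with an allowed string but resolves to a different registry.
    return registry_of(image) in allowed


def registry_violations(pod_spec: dict, allowed=ALLOWED_REGISTRIES) -> list:
    """List (container, image) pairs pulled from a registry that is not
    allowed, covering init containers as well as regular containers."""
    found = []
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key, []):
            if not is_allowed(c["image"], allowed):
                found.append((c["name"], c["image"]))
    return found


# Constructed sample pod spec.
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "init", "image": "busybox:1.36"}],
    "containers": [
        {"name": "api", "image": "registry.example.com/team/api:2.1"},
        {"name": "tools", "image": "ghcr.io/org/tools@sha256:0123abcd"},
        {"name": "lookalike",
         "image": "registry.example.com.attacker.test/team/api:2.1"},
    ],
}

if __name__ == "__main__":
    for name, image in registry_violations(SAMPLE_POD_SPEC):
        print(f"{name}: {image} -> {registry_of(image)}")
```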

  • CNAMEs

A list of CNAMEs that your application can have. Any CNAME added outside of this list will report a policy violation.

  • Node Selectors

The node selector option is used for defining the list of labels and values that an application should have to be deployed on a specific node of the cluster. Furthermore, you can customize whether an application should have at least one or all of the node selectors that have been defined. Any application that does not comply with the node selectors will report a policy violation.

  • Network Policy Setup

A policy can be leveraged to enforce detailed network policies to applications. Ingress and Egress configurations defined here will automatically be applied to every application deployed through this policy.

When deploying an application that already has its own network policies configured, you have the option to respect those configurations by checking "Allow app-level policies".

To learn more about configuring network policies click here.

  • Security Scans

Lens AppIQ has a built-in scanner, based on Clair, that can be leveraged to scan application images for vulnerabilities. Scans are run both during and post-deployment, or every time the policy definition changes.

If desired, one or more components and CVEs can be specified to be ignored during the application scanning process. Any components or CVEs entered in this option are treated as exceptions by Lens AppIQ.

Scopes

Once the rules for the policy have been defined, the policy needs to be attached to the desired namespaces in order to monitor/enforce those rules on applications deployed to them.

Notifications (Optional)

As an optional step, notifications can be configured in order to receive alerts based on an application's compliance and violation of the rules defined for the policy.

Click Create and that's it! Your policy will be created and will be attached to the selected namespaces.

Our control plane will start running scans on the applications running in the namespaces to define their compliance status (based on the policy rules). If your applications are respecting the rules defined, they will be listed with 0 violations. If not, they will display a violation icon.

Click the number of violations in your app and see the report generated for it.

Now, it is easier than ever to ensure application compliance across multiple clusters.

Editing a Policy

You can edit existing policies using your Lens AppIQ dashboard through the policy page by clicking the View action.

When editing policies, Lens AppIQ will open the policy creation drawer to give you a structured view of all details assigned to the specific policy you are editing.

By clicking on Update at the bottom of the drawer, Lens AppIQ will update the policy information. Applications deployed through the policy will automatically have the new configuration enforced.

Detaching a Policy from a Namespace

To detach a policy from a given namespace, locate the "Scopes" section of the drawer and simply remove a namespace to detach the policy from it.

Note: A policy must be attached to at least one namespace.

Click Update and the policy will be immediately detached from the namespaces that were removed from the list.

Applications running in the namespaces that were removed from Scopes will no longer be monitored by the policy's rules. From that point forward no more policy violations will be reported for those applications.

Deleting a Policy

You can delete existing policies using your Lens AppIQ dashboard through the policy page. Locate the Delete button and click on it.

Confirm the operation and wait until the policy is deleted. The policy will automatically be detached from any namespaces that it was attached to.