Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-policy-as-code-admission.md

2.3 KiB

Pattern: Policy-as-Code Admission

Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom

Problem

Unsafe workloads can enter production when deployment checks depend on manual review, inconsistent conventions, or late runtime detection.

Context

Use this pattern for Kubernetes manifests, Helm releases, GitOps deployments, image admission, network policy, pod security, and tenant guardrails.

Forces

  • Product teams need self-service deployments.
  • Platform teams need enforceable production baselines.
  • Policies must be reviewable and testable.
  • Emergency exceptions need explicit expiry and audit.

Solution

Represent deployment and platform safety rules as policy packages that run before workloads are admitted. Reject or quarantine unsafe manifests before runtime.

Implementation Sketch

  1. Define baseline policies for pod security, RBAC, image trust, namespace ownership, labels, resources, and network intent.
  2. Run policy checks in CI and admission.
  3. Version policy packages through Git review.
  4. Support exceptions with owner, reason, expiry, and risk acceptance.
  5. Emit policy decision events to the audit ledger.

Failure Modes

Failure Mitigation
Policies only run in CI enforce at admission too
Exceptions never expire require expiry and review
Policy language is opaque to teams publish examples and test fixtures
Admission outage blocks recovery document break-glass admission process
  • Platform and Kubernetes hardening.
  • Security governance and production readiness.
  • Software supply chain security.
  • Observability, detection, and audit.

Maturity

Seed. The pattern is a baseline candidate, but tool choice and policy package lifecycle need implementation work.

Verification

  • Unsafe manifests are rejected before runtime.
  • Policy packages have tests and change review.
  • Exceptions are time bounded and visible.
  • Admission decisions are logged.

Research Basis

Seeded by policy-as-code admission control, pod security baseline/restricted, signed image admission, and GitOps with guardrails.

References

  • Initial exploration: Kubernetes and platform patterns.
  • Initial exploration: Platform and Kubernetes hardening.