generated from coulomb/repo-seed
77 lines
2.3 KiB
Markdown
77 lines
2.3 KiB
Markdown
# Pattern: Policy-as-Code Admission
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, NetKingdom
|
|
|
|
## Problem
|
|
|
|
Unsafe workloads can enter production when deployment checks depend on
|
|
manual review, inconsistent conventions, or late runtime detection.
|
|
|
|
## Context
|
|
|
|
Use this pattern for Kubernetes manifests, Helm releases, GitOps
|
|
deployments, image admission, network policy, pod security, and tenant
|
|
guardrails.
|
|
|
|
## Forces
|
|
|
|
- Product teams need self-service deployments.
|
|
- Platform teams need enforceable production baselines.
|
|
- Policies must be reviewable and testable.
|
|
- Emergency exceptions need explicit expiry and audit.
|
|
|
|
## Solution
|
|
|
|
Represent deployment and platform safety rules as policy packages that
|
|
run before workloads are admitted. Reject or quarantine unsafe manifests
|
|
before runtime.
|
|
|
|
## Implementation Sketch
|
|
|
|
1. Define baseline policies for pod security, RBAC, image trust,
|
|
namespace ownership, labels, resources, and network intent.
|
|
2. Run policy checks in CI and admission.
|
|
3. Version policy packages through Git review.
|
|
4. Support exceptions with owner, reason, expiry, and risk acceptance.
|
|
5. Emit policy decision events to the audit ledger.
|
|
|
|
## Failure Modes
|
|
|
|
| Failure | Mitigation |
|
|
| --- | --- |
|
|
| Policies only run in CI | enforce at admission too |
|
|
| Exceptions never expire | require expiry and review |
|
|
| Policy language is opaque to teams | publish examples and test fixtures |
|
|
| Admission outage blocks recovery | document break-glass admission process |
|
|
|
|
## Related Capabilities
|
|
|
|
- Platform and Kubernetes hardening.
|
|
- Security governance and production readiness.
|
|
- Software supply chain security.
|
|
- Observability, detection, and audit.
|
|
|
|
## Maturity
|
|
|
|
Seed. The pattern is a baseline candidate, but tool choice and policy
|
|
package lifecycle need implementation work.
|
|
|
|
## Verification
|
|
|
|
- Unsafe manifests are rejected before runtime.
|
|
- Policy packages have tests and change review.
|
|
- Exceptions are time bounded and visible.
|
|
- Admission decisions are logged.
|
|
|
|
## Research Basis
|
|
|
|
Seeded by policy-as-code admission control, pod security
|
|
baseline/restricted, signed image admission, and GitOps with guardrails.
|
|
|
|
## References
|
|
|
|
- Initial exploration: Kubernetes and platform patterns.
|
|
- Initial exploration: Platform and Kubernetes hardening.
|