HomeArchitectureContainer PlatformHow to implement a 'shift down’ approach in Kubernetes when it comes...

How to implement a ‘shift down’ approach in Kubernetes when it comes to security

Larger enterprises face diverse challenges, including the growing number of developers and the constant need to adopt technologies like Kubernetes. These enterprises are moving away from locking into a single platform or security vendor due to the rapid evolution in the open-source community. The flexibility and extensibility of Kubernetes allow these companies to compose their own platforms by selecting best-in-class projects from the Cloud Native Computing Foundation (CNCF) and other sources.

The industry grappled with setting up the first Kubernetes clusters in the initial stages, which involved significant complexity. Over time, the landscape has evolved, and today, various tools and abstractions are available for managing workload, monitoring, and visibility.

However, the intersection of operations and security is critical to the success of any open-source project. Considering the challenges of managing and securing complex systems at scale, the traditional approach of treating security as an afterthought or pushing it far left to developers’ responsibilities isn’t scalable.

This blog post is based on a Podcast with Jim Bugwadia, CEO and Co-Founder of Nirmata. 

Governance and Kubernetes

The concept of governance, especially in the context of policies and their role, is crucial in the cloud-native landscape. Policies serve as building blocks, and effective implementation is key to ensuring a system operates according to defined standards and requirements. The overarching goal of governance is to ensure that everything runs by policies. 

For instance, policies could range from basic security measures (e.g., restricting root user access in pods) to broader compliance requirements (e.g., following NSA Kubernetes hardening guidelines or NIST 850-53 standards). The challenge lies in determining compliance across multiple clusters and ensuring that new clusters or namespaces are secure by default.

Governance extends beyond security to encompass broader areas such as regulatory compliance, internal standards, and cost/resource management. Policies can cover various aspects, from security and operations to best practices and resource allocation. Effective governance adds another layer of business value by ensuring the entire system adheres to defined policies, contributing to overall reliability and compliance.

‘Shift down’ approach to security  

‘Shift down security’ involves embedding security directly into the platform. This approach recognizes the need for security to be an integral part of the operational processes, similar to how it is ingrained in telecom and mission-critical systems. Instead of burdening developers with additional security responsibilities, Nirmata advocates treating internal platforms as products and applying the same engineering discipline used for customer-facing products.

The key idea is to bake security into the platform, providing guardrails and enabling self-service without compromising security. Nirmata sees policy as code and other Cloud-native best practices as the essential means to achieve this. By operationalizing and automating security within the platform, Nirmata aims to empower platform engineering teams to implement and maintain robust security practices effectively. This approach is distinct from traditional security solutions and emphasizes integrating security seamlessly into the platform.

Treating the internal platform as a product and making it technology and vendor-agnostic is particularly relevant for mid-to-large enterprises with complex needs. Leveraging existing managed services from cloud providers may be more practical for smaller teams or startups.

Nimrata’s approach to governing Kubernetes

Kyverno is an open-source project that serves as the foundation of Nimrata. Unlike many open-source businesses that start with a project and later build a commercial business around it, Nimrata already had a successful business when Kyverno emerged. Initially, Kyverno was a module or service within Nimrata’s platform designed for Kubernetes management, specifically focusing on policy and governance.

As Kubernetes matured, Nimrata recognized the opportunity to expand Kyverno into the control plane. “Kyverno,” which means “to govern” in Greek, aligns with its role in providing policy governance and guard rails for platform teams. Around Kubernetes version 1.16, Kyverno had the necessary features to run admission controllers at scale within clusters. Nimrata open-sourced Kyverno after integrating it into their commercial offering, later donating it to the Cloud Native Computing Foundation (CNCF).

Kyverno stands out by focusing on validation, enforcement, and security and automating critical use cases related to security. Despite existing technologies like the open policy agent that uses a language called Rego, Nimrata identified a significant gap and introduced Kyverno. The project has gained substantial traction, with around 2.7 billion downloads and approximately 4.6k GitHub Stars. Nimrata recently applied for CNCF graduation, highlighting the remarkable success and widespread adoption of the Kyverno project.

6 methods to implement shift down approach 

1. Namespace Quotas

Namespace quotas are a pivotal mechanism to regulate resource usage within designated namespaces. When developers seek access to Kubernetes namespaces, Nirmata employs policies to enforce quotas on critical resources such as CPU and memory.

2. Multi-tenancy policies

In the realm of Kubernetes orchestration, multi-tenancy policies play a vital role in addressing diverse resource requirements within the platform. When users create namespaces with varying resource needs, Nirmata implements robust multi-tenancy policies prioritizing secure isolation and efficient resource allocation.

3. Resource utilization monitoring

Effective resource utilization is essential for optimizing the performance and efficiency of Kubernetes environments. When users allocate resources that are not fully utilized, Nirmata implements proactive resource utilization monitoring policies. These policies continually assess the usage patterns within namespaces.

4. Security and compliance policies

Kubernetes demands the assurance of security best practices and compliance. Nirmata addresses this imperative by incorporating robust security and compliance policies within its framework. The notable benefit of these integrated policies is facilitating a secure development environment.

5. Automated Cleanup policies

Resource management is crucial to avoid inefficiencies and resource wastage. By implementing automated cleanup policies, Nirmata takes a policy-driven approach that ensures that the automated processes continually monitor namespaces for idle or unneeded resources. The notable benefit of these cleanup policies lies in their ability to prevent resource wastage.

6. Dynamic Quota Adjustments

In Kubernetes, workload demands and resource requirements are subject to constant change. Nirmata addresses this challenge by implementing dynamic quota adjustment policies. These policies support real-time modifications of resource quotas based on the evolving demands of workloads within the system.

Nirmata’s vision is for security to be so well-implemented and straightforward that it becomes a natural part of systems. The goal is to make security easy and intrinsic. Nirmata is enthusiastic about contributing to this transformation and simplifying security for the broader community and industry.


Receive our top stories directly in your inbox!

Sign up for our Newsletters