What is a Policy Exception

Often, only some policies and rules the security or platform team defines are universally applicable. Sometimes, a developer needs an exception from a specific policy or rule for a particular application or namespace, such as for debugging or doing a PoC. Without a policy exception, the only options are to turn off the policy or exclude the namespace, requiring policy modifications. This is where Kyverno’s PolicyException becomes useful. PolicyException is a custom resource in Kyverno that allows bypassing specific policies and rules. You can define a policy exception for any policy or rule and resource within a designated namespace. For more details on exceptions and instructions on defining one, refer to the official Kyverno documentation. By deploying exceptions, the policy engine does not block the specified resources.

In a corporate environment, it is crucial to maintain strict control over policy updates and exceptions to uphold security standards. For developers needing to request an exception, it is essential to follow the proper protocol and notify the appropriate security and platform teams. The platform teams must also have a system to monitor and manage existing exceptions effectively. The Nirmata Policy Manager streamlines this process, enabling developers and platform/security administrators to request, review, and implement exceptions seamlessly. Notably, the system ensures that exceptions are temporary and can be managed efficiently. Managing Policy Exceptions

With Nirmata’s policy exception workflow, requesting an exception is streamlined and straightforward. You can provide the necessary details (select the clusters, namespaces, and violations) and specify an end time, ensuring exceptions are not permanent. Optionally, you can also set a start time for the exception. Add the required reviewers and the request will be routed to the appropriate personnel for review and approval.

The reviewer can add other relevant reviewers, request changes, and approve or deny the request. Once the necessary approvals are obtained, exceptions can be rolled out to clusters. Exceptions will be automatically removed from the cluster based on their expiry time, preventing unnecessary exceptions from lingering after their intended use. Additionally, an admin can revoke an active exception at any time.

An admin can configure various settings related to policy exceptions, such as defining an initial set of reviewers, allowing admins to bypass the review process, and tightening the approval process by requiring 2FA for all approvals. The workflow is highly flexible, allowing you to tailor it to your organization’s requirements.

Auditing these activities is essential, especially for policy exceptions. Nirmata offers an audit log that records all user actions for thorough oversight.

What’s Next

Looking forward, we are anticipating significant enhancements. Our upcoming plans include implementing a feature that will facilitate the assignment of policy owners, thereby enabling the automatic detection and allocation of reviewers based on the policies associated with each request. Furthermore, we intend to establish integration with GitOps. This will particularly benefit organizations that adhere to the GitOps methodology for deploying resources within their clusters, seamlessly integrating with their workflow. Following the approval of an exception request, we will automatically generate pull requests to the designated Git repository and branch, streamlining the deployment process for PolicyException YAML configurations.

Conclusion

Managing policy exceptions is crucial for balancing security and operational flexibility in an enterprise setting. Kyverno’s PolicyException provides a solution by allowing exceptions without compromising policy integrity. Nevertheless, the process must be carefully managed to ensure security and accountability. The Nirmata Policy Manager streamlines this process by enabling seamless requests, reviews, deployments, and auditing of policy exceptions.

Register for Nirmata’s free trial account today to experience this workflow at no cost. We value your feedback and look forward to further updates. For more details, please feel free to contact us at support@nirmata.com.