Agility is in the crosshairs of governance and cost

Most Enterprises want to drive agility by enabling self-service cloud environments for their development teams but they face challenges in ensuring governance and managing costs when self-service is enabled. Additionally, certain developer resources have dependency on resources that are controlled by the central cloud or platform teams and require privileged access. How do you ensure that these resources are created by the right team as needed to deliver secure self-service environments for the developers?

The Solution

Nirmata DevSecOps Platform, a SaaS Kubernetes platform for policy-based operations, along with Crossplane, an open-source Kubernetes-native Infrastructure-as-Code (IaC) project part of the CNCF ecosystem, tackle this challenge. 

Crossplane is a powerful open-source tool that leverages Kubernetes as a control plane for provisioning infrastructure across cloud and on-prem environments.  Kubernetes has fast moved beyond application deployments to becoming the orchestration engine for all types of resources and Crossplane is one project that extends Kubernetes API to provision and manage infrastructure resources. 

While Crossplane solves the resource provisioning and management problem, Catalog, Role Based Access Controls, and Policy Management using Nirmata can be leveraged to enable self-service resource and environment provisioning for developers.  As a result, Nirmata enables different catalog of services along with workflows for both central platform teams as well as developers so the self-service environments can be made available with all the guardrails needed for governance.   

Crossplane extends your Kubernetes cluster, providing you with Custom Resource Definitions (CRDs) for any infrastructure or managed service. Nirmata composes these granular resources into higher level abstractions reducing infrastructure complexity that can be versioned, deployed and managed.  And these abstractions can be combined together in workflows that can be automated for operators and developers with necessary governance. This post describes how Crossplane can be used in Nirmata to automate resource creation with governance.

Automated deployment workflows with Nirmata

Nirmata provides capabilities to automate resources creation workflow, dependencies, state management, and separation of operator and developer workflows, Kyverno provides the necessary governance for resources and cross-plane which is leveraged for actual resource provisioning. 

In Nirmata, an AWS resource catalog can be created for both operators and developers with necessary dependencies, which can be leveraged to create different resources as needed. Here is an example of an Operator with all the resources defined along with the restriction, required for the developer team.

Application dependencies are defined to make sure that the resources are deployed in the order they need to be deployed. In this example, VPC will be deployed first then the subnet and other resources in similar fashion. The application has two policies which restrict the creation of ec2 using any instance type other than t3.medium and an s3 bucket for any region apart from ap-southeast-1.

S3-restrict-poilcy.yaml:

apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
  annotations:
    policies.kyverno.io/description: "Allow creating S3 bucket in ap-southeast-1 only"
    pod-policies.kyverno.io/autogen-controllers: "none"
    policies.kyverno.io/subject: "Bucket"
    policies.kyverno.io/title: "Allow creating S3 bucket in ap-southeast-1 only"
  name: "allow-s3-ap-southeast-1-only"
spec:
  validationFailureAction: "enforce"
  background: true
  rules:
  - name: "s3-in-ap-southeast-1-only"
    match:
      resources:
        kinds:
        - "Bucket"
    validate:
      pattern:
        spec:
          forProvider:
            locationConstraint: "ap-southeast-1"
      message: "Using any location other than `ap-southeast-1` is not allowed"

EC2-instance-restrict-policy.yaml:

apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
  annotations:
    policies.kyverno.io/description: "instance-t3.medium-allow-only"
    pod-policies.kyverno.io/autogen-controllers: "none"
    policies.kyverno.io/subject: "instance"
    policies.kyverno.io/title: "instance-t3.medium-allow-only"
  name: "instance-t3.medium-allow-only"
spec:
  validationFailureAction: "enforce"
  background: true
  rules:
  - name: "instance-t3.medium-allow-only"
    match:
      resources:
        kinds:
        - "instance"
    validate:
      pattern:
        spec:
          forProvider:
            instanceType: "t3.medium"
      message: "Using any instance type other than `t3.medium` is not allowed"

Once the operator orchestrates and deploys the entire workflow.The catalog application for a developer has an example of ec2 instance and S3 bucket. A DevOps user have the aws resources YAML in the nirmata catalog, using which an S3 bucket and ec2 instance can be deployed 

EC2-instance.yaml:

apiVersion: "ec2.aws.crossplane.io/v1alpha1"
kind: "Instance"
metadata:
  name: "sample-instance"

spec:
  providerConfigRef:
    name: "awsconfig"
  forProvider:
    subnetId: "subnet-xx"
    imageId: "ami-xx"
    securityGroupIds:
    - "sg-xx"
    instanceType: "t3.medium"
    region: "us-west-1"

S3.yaml:-

apiVersion: "s3.aws.crossplane.io/v1beta1"
kind: "Bucket"
metadata:
  annotations:
    crossplane.io/external-name: "crossplane-example-repl-dest"
  name: "repl-test"

spec:
  providerConfigRef:
    name: "awsconfig"
  forProvider:
    locationConstraint: "us-west-1"
    serverSideEncryptionConfiguration:
      rules:

 - applyServerSideEncryptionByDefault:
          sseAlgorithm: "AES256"
    versioningConfiguration:
      status: "Enabled"
    paymentConfiguration:
      payer: "BucketOwner"
    acl: "private"
  deletionPolicy: "Delete"

This workflow can be automated by integrating and creating a git upstream application. You can find the resources yamls here.

Cloud Governance with Kyverno

Kyverno provides the necessary governance for resources and crossplane which is leveraged for actual resource provisioning, providing a centralized platform where you can define policies and ensure the configurations are compliant with the security and best practices standards for the cloud service. Here is a video that demonstrates how policies can be used along with resources provisions using Crossplane.

Resource creation with Crossplane

Crossplane catalog application can be created using the public GitHub repository for crossplane which can be selected when creating a cluster type so crossplane is deployed to any cluster created with that cluster type. Using crossplane, AWS resources can be provisioned with Nirmata that help operator deploy the required CRDs and orchestrate the entire application workflow allowing developers to create the required resources that are compliant with best security standards for the cloud services

Summary

Nirmata DevSecOps Platform can automate  resource provisioning with governance using Crossplane and Kyverno. In addition to deploying and managing AWS resources, you can also create Kyerno policies to ensure that the generated resources are compliant with your company’s requirements.