/
Cyber Resilience

A Guide to Navigating the Policy Overload in Today’s Distributed Systems

I challenge you to attend KubeCon and go to a session about “policy.” When you get there, don’t be surprised if you’re left wondering, “Which kind of policy is this actually about?”

At the recent KubeCon in Salt Lake City, I found myself sprinting between sessions where “policy” was prominent in the titles. But for each speaker, the word meant something completely different.

Blue and purple mountains with the KubeCon logo

As someone focused on label-based network policies, I often had to catch speakers beforehand to ask, “Is this policy session about network policies, admission controllers, or compliance?”

These exchanges reveal a growing issue in today’s cloud-native and distributed computing ecosystems. The term “policy” is used so broadly that it’s practically an abstraction in itself.

To untangle this, I’ll take a closer look at the eight different types of policies frequently discussed under this broad term and why they’re crucial to understanding the infrastructure, security, and automation in distributed systems.

1. Network policies

Network policies are important for controlling and managing how systems in a network communicate with each other, especially in environments like Kubernetes.

Most network policies use an allow-list approach. This means connections are blocked by default unless they are specifically allowed by the policy. These policies can use rules based on IP addresses or labels to decide which resources can communicate.

As microservices and container-based applications become more common, it’s even more important to carefully control how services communicate and keep them isolated when needed.

For example, Kubernetes network policies are highly customizable. They can set traffic rules for internal traffic (east-west) and external traffic (north-south). This flexibility makes them powerful tools for keeping systems secure, but it also makes them more complicated to build and manage.

2. Admission controller policies

Admission controllers are specialized policies in Kubernetes. They evaluate API requests to decide if they should be allowed or changed. They're essentially gatekeepers. They enforce certain standards or security practices across the cluster before an API request can move forward.

For example, admission controller policies can:

  • Automatically enforce resource limits
  • Add labels to deployments
  • Block unsafe configurations from being used

These kinds of policies can intercept and mutate requests. This makes them crucial to maintaining consistent security within clusters. But they only address policies in the Kubernetes API-call lifecycle.  

3. OPA and Kyverno policies

Are OPA and Kyverno policies simply admission controllers, or are they something more?

Open Policy Agent (OPA) and Kyverno offer more than traditional admission controllers. While they often work as admission controllers in Kubernetes, they introduce a more flexible, comprehensive policy language. This allows organizations to define and apply complex rules across multiple systems.

  • OPA (Open Policy Agent) is a versatile policy engine that can be used across environments. It uses a language called Rego which can handle complex policy requirements. Besides Kubernetes, OPA can manage policies for CI/CD pipelines, microservices, and even cloud resources.
  • Kyverno is a policy engine made specifically for Kubernetes. It’s a simpler way to define policies in YAML. Many people prefer it for configuring Kubernetes. It works well with native Kubernetes objects which makes it easy to build and apply policies.

These tools can control what gets access to a system, but they can do much more across a range of apps and systems. They can manage:

  • Lifecycle management
  • Validation
  • Custom compliance checks

4. Resource quotas and limit policies

Resource management policies help control how much CPU, memory, and storage a Kubernetes cluster can use. These policies are important in shared environments because they prevent one app or user from using too many resources.

  • Quotas are usually set for each namespace. They limit the total amount of resources a namespace can use so no single namespace takes over too much.
  • Limits define the smallest and largest number of resources a container or pod can use. This makes sure no single workload uses too many resources and causes problems for the rest of the system.

With these policies, admins can balance resources which is especially important in environments with many users or apps that scale dynamically. While these policies help keep the system stable, they also make things more complicated as they interact other policy layers like automation and admission controls.

These policies help admins balance resources which is especially important in systems with lots of users or apps that scale dynamically. However, managing these policies can be challenging. They often overlap with other policies like automation and admission controls.

5. Pod Security Policies (PSPs)

Pod Security Policies (PSPs) in Kubernetes set security configurations at the pod level. This includes stopping containers from running as root or requiring certain Linux capabilities.  

But PSPs are being phased out in Kubernetes. They’re getting replaced by newer options like Pod Security Standards (PSS) and external tools like OPA and Kyverno.

PSPs were designed to add granular security settings that prevent workloads from running with overly permissive configurations. While they are useful, managing PSPs along with other policies can get confusing. Newer tools offer more flexible ways to enforce security, often under the general term "security policies."

6. Service mesh policies

In microservices environments, service meshes like Istio or Linkerd add another policy layer which secures and monitors communication between services. These policies often:  

  • Authenticate and authorize traffic: Service meshes use mTLS (mutual TLS) to encrypt communication between services. They also allow you to set policies for which services can communicate with each other, adding another layer of access control.
  • Manage traffic: Service mesh policies control routing, load balancing, and failover. This makes it easier to do things like A/B testing, canary releases, or route traffic to different service versions.  

Unlike network policies, service mesh policies work at the application layer, affecting how services interact. These policies are crucial for managing service-to-service traffic. But they can sometimes be confusing because they overlap with network policies.

7. Compliance policies

Compliance policies can cover data management, access, and operational standards to ensure systems meet legal or internal compliance requirements, such as GDPR, HIPAA, or SOC 2. These policies can play a major role in many parts of a system, affecting security, logging, and data storage.

For example, a compliance policy might require that data only be stored in specific locations (data residency) or that audit logs are kept for a certain amount of time. In Kubernetes, tools like OPA and Kyverno are often used to enforce these policies by continuously monitoring and auditing systems in real time to make sure they meet the standards.

Compliance policies are especially important in industries with strict regulations, like healthcare and finance. Because they work across many parts of a system and often overlap with security policies, managing them can become complex. Despite this, they are crucial for ensuring systems stay secure, organized, and compliant.

8. Automation and lifecycle policies

Automation policies control when and how infrastructure resources are created, updated, or removed. These policies are an important part of Infrastructure as Code (IaC) where resource configurations are written as code and managed through CI/CD pipelines.

For example, automation policies can handle tasks like automatically scaling resources, cleaning up unused ones, or managing the steps in a deployment's lifecycle. They can also integrate with CI/CD pipelines to trigger builds, run tests, and manage deployments. This creates self-managing environments that can adjust to workload changes in real time.

Automation policies can simplify resource management and ensure best practices in cloud-native environments. But they interact closely with other policies, like those for resource management and admission control, which can add complexity.

Are you still following? The overlap of “policy” continues…

If you’re not yet overwhelmed, here’s the twist. Many organizations now have policies for policy.  

These are called “meta-policies.” They act as guardrails, setting rules for who can make, manage, or apply other policies.  

For example, a meta-policy might decide which teams can create specific network policies or who’s authorized to create admission control policies. These policies often rely on role-based access control (RBAC).

In large systems, RBAC policies for policies are essential. They make sure only specific administrators or teams can make changes to policies. By enforcing strict RBAC controls, these “policies for policy” ensure that other policies don’t overreach or interfere with critical infrastructure.

Final thoughts: A roadmap through policy overload

As cloud-native and distributed environments grow, the idea of "policy" will continue change. They'll become more complicated, specialized, and sometimes even contradictory.

To avoid policy overload, it’s important to use clear naming conventions, create documentation that defines each policy type, and make good use of policy tooling.

And the next time you're at a tech conference and you hear "policy," take a moment to ask, "Which one?!" It could save you from a lot of confusion—or even a cross-hall sprint!

Get in touch with us today to learn how Illumio can simplify your network security policies across cloud, endpoint, and data center environments.  

Related topics

No items found.

Related articles

Understanding EU Compliance Mandates
Cyber Resilience

Understanding EU Compliance Mandates

A compliance mandate provides a baseline level of security, or a general improvement in posture, and the ability to evaluate it reliably.

Exploring the Use of NGFW Functionality in a Microsegmentation Environment
Cyber Resilience

Exploring the Use of NGFW Functionality in a Microsegmentation Environment

Learn more about Illumio's research on the possibilities of implementing NGFW features in a microsegmentation environment.

Did Cybersecurity Predictions for 2023 Come True? Here’s What We Found
Cyber Resilience

Did Cybersecurity Predictions for 2023 Come True? Here’s What We Found

Learn how 3 key predictions for the cybersecurity industry in 2023 played out this year.

The Evolution of Systems Design: From Write-Only Interfaces to Multi-Cloud Automation
Cyber Resilience

The Evolution of Systems Design: From Write-Only Interfaces to Multi-Cloud Automation

Get insight into the evolution of systems design and distributed systems — and the challenges and opportunities that lie ahead.

Why More Flexible Cloud Service Models Are Less Expensive
Cyber Resilience

Why More Flexible Cloud Service Models Are Less Expensive

Better understand the economic calculations of public cloud providers and make informed choices about resource allocation tradeoffs.

Kubernetes Cluster I/O Is a Big Mess – But Help Is on the Way
Cyber Resilience

Kubernetes Cluster I/O Is a Big Mess – But Help Is on the Way

Learn about Kubernetes cluster I/O proliferation and the efforts being made to simplify the landscape.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?