  1. OpenShift Request For Enhancement
  2. RFE-6581

Red Hat Advanced Cluster Security - Policy to include all available kubernetes resources


      Business Problem:

      With Red Hat Advanced Cluster Security being available and adopted at customers, there comes a demand to expand Policy usage beyond what is available by default. Given Red Hat Advanced Cluster Security is used for security context, customers are also looking to implement policies for internal requirements such as:

      • Are all pods in namespaces covered by PodDisruptionBudget
      • Checking NetworkPolicies across namespaces to make sure development namespaces don't have access to production and the other way around (example)
      • Validate whether serviceAccount has permissions assigned in alternate namespace

      The above list just contains some examples that can be expanded by many other requirements based on customer internal requirements.

      Given that the Red Hat Advanced Cluster Security - Policy Engine would be able to help validate and thus report on such requirements, it would be nice if those can be implemented without the need to raise a request for each kubernetes resource required. Instead, Red Hat Advanced Cluster Security should discover the resources dynamically on the attached OpenShift Container Platform 4 - Clusters and make them available to the Policy Engine. That way, even 3rd party resources can be validated and reported using Policy Engine.

      Use Cases:

      The Red Hat Advanced Cluster Security - Policy Engine is very nice for reporting and validation of application workloads. While currently very much limited, customers have additional requirements that are also considered part of securing workloads and thus demand to have all kubernetes resources available/covered in Red Hat Advanced Cluster Security - Policy Engine to create custom policies and have them run against the different workloads.

      Key Functionality:

      It should be possible to create custom policies for every resource available on the different OpenShift Container Platform 4 - Clusters and hence validate all workloads against the same. That way, customer specific security requirements can be addressed and be nicely integrated into the Red Hat Advanced Cluster Security policy framework.

      So customers don't require multiple different policy engines and reporting capabilities but can consolidate the same in Red Hat Advanced Cluster Security and steer customers there to have the full overview.

      Benefits:

      Single point to go for application developers/responsibilities and security Team to validate the state of OpenShift Container Platform 4 and the application running on top. They can quickly see all potential problematic CVEs but as well find and trigger action for policy violation. This is not limited to the pre-defined policies but to a broad set of policies that can be customized for all resources available on the different OpenShift Container Platform 4 - Clusters.

      Implementation Suggestions (optional):

      N/A

      Timeline:

      As quickly as possible, as the current limited availability of kubernetes resources is making it difficult to completely adopt the Red Hat Advanced Cluster Security - Policy Engine.

              bmichael@redhat.com Boaz Michaely
              rhn-support-sreber Simon Reber