Kubernetes Integration
Comprehensive guide for integrating PolicyCortex with Kubernetes clusters. Implement governance policies for containers, pods, and cluster configurations.
Quick Start Guide for PolicyCortex Kubernetes Integration
Quick Setup
Cluster Access Configuration
Configure PolicyCortex to access your Kubernetes clusters with appropriate RBAC permissions.
Create Service Account and RBAC

```yaml
# Create service account for PolicyCortex
apiVersion: v1
kind: ServiceAccount
metadata:
  name: policycortex-sa
  namespace: policycortex-system
---
# Create ClusterRole with necessary permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policycortex-reader
rules:
  # Note: "*" in the core API group includes Secrets; narrow the resource list
  # if PolicyCortex does not need to read secret contents in your environment.
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # "extensions" is no longer served by current Kubernetes releases; "apps"
  # carries Deployments, DaemonSets and StatefulSets. Listing it is harmless.
  - apiGroups: ["apps", "extensions"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
# Bind role to service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policycortex-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: policycortex-reader
subjects:
  - kind: ServiceAccount
    name: policycortex-sa
    namespace: policycortex-system
```

Kubernetes Policy Types
Security Policies
Enforce security best practices and compliance standards
- Pod Security Standards
- Network Policy enforcement
- RBAC validation
- Secret management

Resource Policies
Manage resource allocation and optimization
- Resource quotas
- Limit ranges
- HPA configuration
- Node affinity rules

Configuration Policies
Validate workload configurations and standards
- Label requirements
- Image policy enforcement
- Deployment standards
- ConfigMap validation

Compliance Policies
Ensure adherence to regulatory requirements
- CIS Kubernetes Benchmark
- NSA/CISA hardening guide
- SOC 2 compliance
- HIPAA requirements
Example Kubernetes Policies
Pod Security Policy
Require Security Context

```yaml
# Ensure all pods run with non-root user
# Note: these conditions inspect the pod-level securityContext only; a
# container-level securityContext overrides it for that container, so add
# matching rules on spec.containers[*].securityContext if that must be covered.
policy:
  name: "k8s-pod-security-context"
  description: "Pods must run with security context configured"
  resource_type: "Pod"
  rules:
    - condition: "spec.securityContext.runAsNonRoot != true"
      effect: "DENY"
      message: "Pod must run as non-root user"
    - condition: "spec.securityContext.runAsUser == null"
      effect: "DENY"
      message: "Pod must specify runAsUser in security context"
  exemptions:
    - namespace: "kube-system"
    - labels:
        "app.kubernetes.io/name": "privileged-app"
```

Resource Governance
Resource Limits Required

```yaml
# Ensure all containers have resource limits
# Note: spec.containers[*] does not cover spec.initContainers; add matching
# rules for that path if init containers must be bounded as well.
policy:
  name: "k8s-resource-limits-required"
  description: "All containers must have CPU and memory limits"
  resource_type: "Pod"
  rules:
    - condition: "spec.containers[*].resources.limits.cpu == null"
      effect: "DENY"
      message: "Container must specify CPU limits"
    - condition: "spec.containers[*].resources.limits.memory == null"
      effect: "DENY"
      message: "Container must specify memory limits"
  compliance_mapping:
    - framework: "CIS_KUBERNETES"
      control: "5.1.3"
```
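To dry-run rules written in the format of the two policies above (security context and resource limits) against a pod manifest before they are enforced in a cluster, here is an added Python example; it is not PolicyCortex code, and the condition semantics (dotted path, `[*]` meaning any list element, literals `true`/`false`/`null`) and the exemption matching are assumptions about how the product evaluates them.

```python
import re
# Added example, not PolicyCortex code. Assumed condition semantics: dotted path, "[*]" = any list
# item, literals true/false/null; exemption matching by namespace or label set is also assumed.
POLICY = {
    "rules": [
        {"condition": "spec.securityContext.runAsNonRoot != true",
         "effect": "DENY", "message": "Pod must run as non-root user"},
        {"condition": "spec.containers[*].resources.limits.memory == null",
         "effect": "DENY", "message": "Container must specify memory limits"},
    ],
    "exemptions": [{"namespace": "kube-system"},
                   {"labels": {"app.kubernetes.io/name": "privileged-app"}}],
}

def resolve(obj, path):
    """Follow a dotted path; '[*]' fans out over list items. Missing keys yield None."""
    values = [obj]
    for part in path.split("."):
        key, star = re.fullmatch(r"(\w+)(\[\*\])?", part).groups()
        nxt = []
        for v in values:
            child = v.get(key) if isinstance(v, dict) else None
            nxt.extend(child if star and isinstance(child, list) else [child])
        values = nxt
    return values

def condition_holds(manifest, condition):
    # The rule fires if ANY resolved value matches: one container without limits is enough.
    path, op, lit = condition.split()
    expected = {"null": None, "true": True, "false": False}[lit]
    return any((v == expected) if op == "==" else (v != expected) for v in resolve(manifest, path))

def is_exempt(manifest, exemptions):
    md = manifest.get("metadata", {})
    for ex in exemptions:
        if "namespace" in ex and md.get("namespace") == ex["namespace"]:
            return True
        if "labels" in ex and all(md.get("labels", {}).get(k) == v for k, v in ex["labels"].items()):
            return True
    return False

def evaluate(policy, manifest):
    """Return [(effect, message), ...] for rules that fire; empty means compliant or exempt."""
    if is_exempt(manifest, policy.get("exemptions", [])):
        return []
    return [(r["effect"], r["message"]) for r in policy["rules"] if condition_holds(manifest, r["condition"])]

# Constructed manifest: no pod securityContext and a container without memory limits -> two DENY findings.
BAD_POD = {"metadata": {"name": "web", "namespace": "default"},
           "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
```

Running `evaluate(POLICY, BAD_POD)` returns both DENY findings, while the same pod placed in `kube-system` or carrying the `privileged-app` label returns an empty list because the exemptions match first.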