IBM Cloud Pak Playbook

MCM - Governance and Risk

Introduction

In this section, we describe how to define and review policy definitions and how to see the compliance state of managed clusters.

Create Simple Policy

Let’s create a new policy.

Open your MCM Web Console.

Navigate to Menu -> Govern risk -> Policies. This view displays the policies that have been created and the dashboard of policy compliance for each cluster.


Click on the Create policy button.


Fill in the values as specified in the table below:

Field Name             Value
Name                   policy-namespace
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “Namespace”
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “FISMA”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is

In the YAML section on the right, change prod to k8demo.

Changing the namespace changes the Policy Specifications to Custom Specifications, as shown below. Notice that the policy is set to “inform” rather than “enforce”.


Click the button Create to create your new policy.

If you are not redirected automatically, navigate to Menu -> Govern risk to return to the Dashboard.

In a few seconds, the policy controller checks whether the namespace k8demo is present and reports the current compliance state of the policies.

Remember, you did not enforce this policy. Instead, we specified inform. As such, the Governance and risk view displays a policy violation in our cluster, as illustrated below.

Use the Cluster Violations link to find which cluster is violating the policy.

In this example, the local-cluster cluster is in violation of the policy which requires a namespace called “k8demo” to exist.

The local-cluster cluster is our cluster, and it is the same cluster that verified that the “k8demo” namespace does not exist. Hence it shows that there is no namespace “k8demo” in the cluster.

Verify that the “k8demo” namespace still does not exist.

oc get projects

There should NOT be a namespace named k8demo listed, which indicates that the policy did not ENFORCE its creation.

Change the “policy-namespace” policy to be enforced.

When this policy is in “enforce” mode, the namespace will automatically be created if it does not exist, thereby forcing the cluster into compliance.

a. In the policies view, select POLICY VIOLATIONS


b. Then, select the policy named policy-namespace and go to the YAML view.

c. Click the edit button to go into edit mode.

d. Change the value of remediationAction: inform to remediationAction: enforce.

e. Click the submit button to submit the change.

Select the policy-namespace link. A few seconds later, the policy violation will have gone away.

You can also validate this from the Violations view.

Run the command below and ensure that the “k8demo” namespace has been created in the cluster.

oc get project | grep k8demo


Try deleting the namespace and see how it is re-created automatically.

oc delete project k8demo
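To make the inform-versus-enforce behaviour of the walkthrough concrete, here is an added example (not MCM's own controller code) that models one reconcile pass of a "namespace must exist" policy; the NamespacePolicy and Cluster classes and the sample namespace list are constructed for illustration.

```python
# Added example (not MCM code): minimal model of how a "musthave Namespace" policy
# behaves under remediationAction inform vs enforce, as in the walkthrough above.
from dataclasses import dataclass, field


@dataclass
class NamespacePolicy:
    """Mirrors the policy-namespace policy fields used in the walkthrough."""
    name: str
    required_namespace: str             # "k8demo" after editing the template
    remediation_action: str = "inform"  # "inform" or "enforce"


@dataclass
class Cluster:
    """Constructed stand-in for a managed cluster (here: local-cluster)."""
    name: str
    namespaces: set = field(default_factory=set)


def reconcile(policy: NamespacePolicy, cluster: Cluster) -> dict:
    """One controller pass: report compliance and, only when enforcing,
    create the missing namespace. Returns a small status record."""
    if policy.remediation_action not in ("inform", "enforce"):
        raise ValueError(f"unknown remediationAction: {policy.remediation_action}")
    missing = policy.required_namespace not in cluster.namespaces
    actions = []
    if missing and policy.remediation_action == "enforce":
        cluster.namespaces.add(policy.required_namespace)  # like 'oc new-project'
        actions.append(f"created namespace {policy.required_namespace}")
        missing = False
    return {"policy": policy.name, "cluster": cluster.name,
            "compliant": not missing, "actions": actions,
            "violation": f"namespace {policy.required_namespace} not found" if missing else None}


def demo() -> list:
    """Replays the walkthrough: inform -> violation reported only; enforce ->
    namespace created; delete -> re-created on the next reconcile."""
    local = Cluster("local-cluster", {"default", "kube-system"})
    pol = NamespacePolicy("policy-namespace", "k8demo")
    history = [reconcile(pol, local)]       # inform: NonCompliant, nothing changed
    pol.remediation_action = "enforce"      # the edit made in step d above
    history.append(reconcile(pol, local))   # enforce: k8demo created, Compliant
    local.namespaces.discard("k8demo")      # 'oc delete project k8demo'
    history.append(reconcile(pol, local))   # re-created automatically
    return history
```

Calling demo() returns the three status records in order; only the enforce passes carry a "created namespace k8demo" action.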

Namespace Policy

This policy checks the Cluster Selector and verifies whether a namespace named “policy-namespace-k8demo” exists. If the “Enforce if supported” parameter is “true”, the namespace is created automatically on the selected cluster. If it is “false”, the violation/compliance state of the policy is only reported on the dashboard.

The policy controller will check if the namespace “k8demo” is present and provides information regarding the current compliance of the policies.

Create policy by setting the following values:

Field Name             Value
Name                   policy-namespace
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “Namespace”
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “NIST-CSF”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is

Here is the YAML that this generates.

[Figure: the generated policy YAML]

Because we set this policy to “enforce”, it creates a “prod” namespace on our targeted clusters.

oc get namespace | grep -i prod

Create some more policies, then explore the console, which gives a high-level view of cluster compliance with your defined policies.

Start with a high-level view of the cluster policy compliance.


Then, by category, look at which clusters are not compliant with the named policies.


Finally, look at all of the policy compliance associated with your collection of PCI compliance policies.


Network Policy

The Network Policy is used to control (block) network traffic from other pods.

Configure a new network policy according to the table below.

Field Name             Value
Name                   Policy-network-policy
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “NetworkPolicy”
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “NIST-CSF”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-networkpolicy
  namespace: residency2020
  annotations:
    policy.mcm.ibm.com/standards: NIST-CSF
    policy.mcm.ibm.com/categories: PR.AC Identity Management Authentication and Access Control
    policy.mcm.ibm.com/controls: PR.AC-5 Network Integrity

You can validate the network policy that is created in the selected namespace.

Using the CLI, run the following command to get the network policies for the namespace.

oc get networkpolicies -n <namespace>

This kind of policy can be used to allow or deny communication between pods in different namespaces.

Pod must exist in a given namespace Policy

This kind of policy validates if a pod is present in a given namespace.

Configure the new policy, requiring that a pod be present, according to the table below:

Field Name             Value
Name                   policy-namespace
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “Pod-nginx” must exist
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “NIST-CSF”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is

Notice that you can change the name of the pod and the image in the YAML section to create any kind of pod. Make sure to provide a valid value for the image parameter.

You can also change, in the namespaces section, the namespaces where you want your policy to take effect.

apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-pod
  namespace: residency2020
  annotations:
    policy.mcm.ibm.com/standards: NIST-CSF
    policy.mcm.ibm.com/categories: PR.AC Identity Management Authentication and Access Control, DE.CM Security Continuous Monitoring, PR.IP Information Protection Processes and Procedures, PR.PT Protective Technology
    policy.mcm.ibm.com/controls: PR.AC-5 Network Integrity, DE.CM-7 Monitoring for unauthorized activity, PR.IP-1 Baseline configuration, PR.PT-3 Least Functionality

Limit memory range for a namespace Policy

Configure the new policy, enforcing quota limits, according to the table below:

Field Name             Value
Name                   policy-namespace
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “Limitrange-limit memory usage”
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “NIST-CSF”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is

To validate that the quota is created in the selected namespace, run:
oc get networkpolicies -n <namespace>
oc -n <namespace> get limits
oc -n <namespace> get limits -o yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-limitrange
  namespace: residency2020
  annotations:
    policy.mcm.ibm.com/standards: NIST-CSF
    policy.mcm.ibm.com/categories: PR.AC Identity Management Authentication and Access Control, DE.CM Security Continuous Monitoring, PR.IP Information Protection Processes and Procedures, PR.PT Protective Technology
    policy.mcm.ibm.com/controls: PR.AC-5 Network Integrity, DE.CM-7 Monitoring for unauthorized activity, PR.IP-1 Baseline configuration, PR.PT-3 Least Functionality

Mutation Policy

A mutation policy specifies which pods to monitor and what action to take if a mutation is detected. For example, if this policy is created and configured for a specific namespace, and you change something (such as editing or deleting a file) in a running pod of that namespace, a violation is reported. If the policy is configured as “enforce”, the pod is restarted.

Field Name             Value
Name                   policy-namespace
Namespace              Choose: Namespace-must have namespace ‘prod’. Note: you will modify the name prod to k8demo; selecting this provides a template for a custom namespace policy definition.
Specifications         Choose: “Mutation Policy”
Cluster Binding        Choose name: “local-cluster”
Standards              Choose: “NIST-CSF”
Categories             Choose: “SystemAndInformationIntegrity”
Controls               Choose: “Mutation Advisor”
Enforce if Supported   Leave as is
Disable Policy         Leave as is
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-mutationpolicy
  namespace: residency2020
  annotations:
    policy.mcm.ibm.com/standards: NIST-CSF
    policy.mcm.ibm.com/categories: PR.AC Identity Management Authentication and Access Control, DE.CM Security Continuous Monitoring
    policy.mcm.ibm.com/controls: PR.AC-5 Network Integrity, DE.CM-7 Monitoring for unauthorized activity