Creating Enterprise Policy Frameworks
Develop a policy framework that scales across an organization: a global baseline that every environment inherits, a Rego definition for each policy, and a single enforcement and reporting configuration. The example below is a `PolicyFramework` document consumed by a policy engine, not a core Kubernetes resource, so the engine's documentation defines its schema:
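# enterprise-policy-framework.yaml
#
# Organization-wide container security policy framework: a global baseline
# that each environment inherits, the Rego definition of each policy, and
# the enforcement/reporting wiring. `PolicyFramework` is not a core
# Kubernetes API type -- the policy engine that consumes this document
# defines its schema, so the key names below follow that engine's convention.
---
apiVersion: v1
kind: PolicyFramework
metadata:
  name: enterprise-container-security
  version: "2.0.0"  # quoted so YAML tooling never re-types a version string
spec:
  # Policy inheritance hierarchy: every environment starts from `global`.
  # Production only adds policies; development may relax one. Keeping the
  # baseline in one place stops the environments from drifting apart.
  hierarchy:
    - name: global
      policies:
        - no-root-containers
        - resource-limits-required
        - image-signing-required
    - name: production
      inherits: global
      additional_policies:
        - vulnerability-sla-enforcement
        - high-availability-required
        - pci-compliance
    - name: development
      inherits: global
      overrides:
        # Unsigned images are reported but still admitted in dev. That is
        # only safe if development workloads can never be scheduled into a
        # production cluster or namespace.
        - image-signing-required: warn

  # Policy definitions.
  # NOTE(review): resource-limits-required, high-availability-required and
  # pci-compliance are referenced in the hierarchy but not defined in this
  # document -- presumably supplied by another framework file or the engine.
  policies:
    no-root-containers:
      severity: deny
      message: "Containers must not run as root"
      rego: |
        package kubernetes.security

        # NOTE(review): assumes a workload with a pod template (Deployment,
        # StatefulSet, Job, ...). A bare Pod keeps its spec at input.spec;
        # confirm which object kinds the admission webhook forwards.

        # Init containers use the same schema and run in the same pod, so
        # they are checked alongside regular containers. Ephemeral containers
        # are not covered by this rule.
        pod_containers[c] {
          c := input.spec.template.spec.containers[_]
        }
        pod_containers[c] {
          c := input.spec.template.spec.initContainers[_]
        }

        # Kubernetes precedence: a container-level runAsNonRoot overrides the
        # pod-level value; a container that does not set it inherits the pod's.
        non_root(c) {
          c.securityContext.runAsNonRoot == true
        }
        non_root(c) {
          not sets_run_as_non_root(c)
          input.spec.template.spec.securityContext.runAsNonRoot == true
        }
        # Defined when the container sets runAsNonRoot to any value
        # (including false); undefined when the field or securityContext
        # is absent.
        sets_run_as_non_root(c) {
          c.securityContext.runAsNonRoot != null
        }

        # Do not bind c.securityContext in this body: the binding is undefined
        # when the field is absent, which makes the whole rule undefined and
        # silently exempts exactly the containers that run as root by default.
        violation[{"msg": msg}] {
          c := pod_containers[_]
          not non_root(c)
          msg := sprintf("Container '%s' runs as root", [c.name])
        }

    vulnerability-sla-enforcement:
      severity: deny
      # Maximum time a finding may stay open before admission is denied.
      # Every parameter below is enforced by the rule; findings whose
      # severity has no entry (e.g. LOW) never deny.
      parameters:
        critical_sla_hours: 24
        high_sla_days: 7
        medium_sla_days: 30
      rego: |
        package vulnerability.sla

        # NOTE(review): `rego.metadata.parameters` is not a standard OPA
        # reference; it assumes the engine injects the `parameters` block
        # above under that name -- confirm against the engine's docs.
        # NOTE(review): assumes vuln.discovered_timestamp is epoch
        # nanoseconds, the unit time.now_ns() returns. A seconds-based
        # timestamp would make every finding look decades old and deny all.
        ns_per_hour := 3600 * 1000000000
        ns_per_day := 24 * ns_per_hour

        # Allowed age per severity, in nanoseconds.
        sla_ns := {
          "CRITICAL": rego.metadata.parameters.critical_sla_hours * ns_per_hour,
          "HIGH": rego.metadata.parameters.high_sla_days * ns_per_day,
          "MEDIUM": rego.metadata.parameters.medium_sla_days * ns_per_day
        }

        violation[{"msg": msg, "severity": "deny"}] {
          vuln := input.vulnerabilities[_]
          limit_ns := sla_ns[vuln.severity]
          age_ns := time.now_ns() - vuln.discovered_timestamp
          age_ns > limit_ns
          msg := sprintf("%s vulnerability %s exceeds SLA", [vuln.severity, vuln.id])
        }

    image-signing-required:
      severity: deny
      # Namespace exemptions are a bypass: anyone who can create workloads in
      # an exempt namespace can run unsigned images. Keep the list to cluster
      # components that are pinned by other controls, and audit RBAC on them.
      exceptions:
        - namespace: kube-system
        - namespace: kube-public
      rego: |
        package image.signing

        # Init containers pull and run images too, so they are checked with
        # the regular containers.
        pod_containers[c] {
          c := input.spec.template.spec.containers[_]
        }
        pod_containers[c] {
          c := input.spec.template.spec.initContainers[_]
        }

        # NOTE(review): `image_signature` is not a Kubernetes container field;
        # this assumes the admission layer enriches each container with a
        # verified signature before evaluation. Without that enrichment every
        # image outside an exempt namespace is denied (fail closed), which is
        # the safer failure mode.
        violation[{"msg": msg}] {
          c := pod_containers[_]
          not c.image_signature
          not is_exception(input.metadata.namespace)
          msg := sprintf("Image %s is not signed", [c.image])
        }

        # NOTE(review): `rego.metadata.exceptions` assumes the engine exposes
        # the `exceptions` block above under that name -- confirm.
        is_exception(namespace) {
          namespace == rego.metadata.exceptions[_].namespace
        }

  # Enforcement configuration: the same policies gate admission, CI/CD and
  # monitoring, so a violation is caught at the earliest stage it appears.
  enforcement:
    admission_control:
      enabled: true
      # NOTE(review): nothing here says what happens when the engine is
      # unreachable. Confirm the webhook registration uses failurePolicy: Fail
      # (fail closed); otherwise an engine outage admits unchecked workloads.
      webhook_url: https://policy-engine.security.svc.cluster.local
    ci_cd_integration:
      enabled: true
      fail_on_violation: true
    monitoring:
      enabled: true
      alert_on_violation: true
      metrics_endpoint: /metrics

  # Reporting configuration
  reporting:
    dashboards:
      - type: grafana
        url: https://grafana.company.com
    notifications:
      - type: slack
        # Resolved from the environment at load time (assuming the loader
        # expands ${VAR}). Never commit the URL: a Slack webhook is a write
        # credential for the channel.
        webhook: "${SLACK_WEBHOOK}"
        channels:
          violations: "#security-violations"
          warnings: "#security-warnings"
    audit_logs:
      retention_days: 2555  # 7 years (7 * 365)
      # Retention is only meaningful if the bucket is write-once for the
      # writers (e.g. Object Lock); that is configured on the bucket, not here.
      storage: s3://audit-logs/container-security/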