We are excited to announce the general availability of security policies and policy insights in VMware Tanzu Mission Control. With the launch of these new capabilities, administrators can easily streamline and manage the security of their Kubernetes cluster fleet. They can also take advantage of the rich policy insights dashboard, which provides a centralized and holistic view of the current state of all policy events in their system.
Beef up security with policies
Kubernetes administrators are constantly looking for tools to help them define, deploy, and ensure security and compliance across cluster fleets using centralized management and supporting best practices. With the addition of security policies, they can now control and manage the security posture of a fleet of clusters efficiently and consistently. They can also take advantage of out-of-the-box templates to easily enforce fleet-wide security policies for their Kubernetes infrastructure. Tanzu Mission Control gives them granular control of any Kubernetes cluster or namespace so they can map their organization’s best security practices to it. Finally, in addition to the user interface, API and CLI support is available, including the ability to drive automation through GitOps workflows.
In recent months, the Kubernetes community has seen wide adoption of the open source Open Policy Agent/Gatekeeper project. VMware is committed to making the power of upstream Kubernetes accessible to businesses the world over, and so has actively contributed to this project. Not only is OPA/Gatekeeper the foundation that underpins security policies in our product today, it gives Tanzu Mission Control the flexibility to cater to a broad set of use cases. And for those administrators using Kubernetes-native pod security policies, it provides a seamless way to transition over to this new implementation.
Manage security with out-of-the-box templates
To help Kubernetes administrators set the right guardrails and adhere to best practices, Tanzu Mission Control provides predefined templates for a wide variety of policy types, including access, image, network, and quota policies. We are launching security policies with a strict template that serves as an opinionated profile for users who want hardened security for their fleet of clusters. Administrators can select this template and apply it to a group of clusters in a single-click operation to prevent the running of privileged containers, which adheres to the restricted policy definition for Kubernetes pod security standards.
Those that are early on in their Kubernetes journey can take advantage of these templates—which cover a wide variety of underlying use cases—without having to worry about detailed implementation nuances. And we will continue to add more templates to serve an even broader range of security use cases as time goes on.
Edit security templates to match custom requirements
Anyone transitioning to more advanced Kubernetes security postures can customize our security templates by adjusting the different input parameters and providing customized values. Once administrators create and apply their chosen parameters, Tanzu Mission Control ensures all containers admitted to a cluster satisfy the provided security constraints. The ability to compose and control individual aspects of security for clusters is all provided by way of a simple, easy-to-use user interface.
Manage at scale with granular control
Tanzu Mission Control supports a logical grouping of clusters called Cluster Groups. Because a cluster group is infrastructure-agnostic, this logical abstraction can be used to treat different types of clusters in a unified manner, simply and consistently. For example, if clusters that belong to a specific business unit or a particular environment (like production) need more hardened security, administrators can group them together and apply a common policy to the entire group.
Tanzu Mission Control also provides the ability to define policies that are scoped to individual clusters as well as to include or exclude certain namespaces through namespace selectors. This gives administrators a way to define more granular exceptions while still managing security in a centralized fashion. Namespace selectors work on label-based match expressions that allow administrators to run mixed security workloads through this intuitive workflow. Notably, adding more constraints will make the security more restrictive and users under no circumstances can override any security standards set by a higher-level administrator. The admission controller ensures that a pod meets all of the security constraints before being admitted.
Manage policies with insights
Tanzu Mission Control security policies also support a dry-run mode. This means they can be applied as “audit-only;” all violations are recorded but the admission of containers is not blocked. With the launch of our new insights capability, administrators can now view all policy-related information—including any sync issues and violations—through the command-line interface or in a centralized dashboard, which provides them with an essential feedback loop.
We are excited to be serving this community by being part of this journey! To learn more about this feature set, please see our documentation.
And if you are attending this year’s VMworld, make sure not to miss the following sessions, where you can learn more about Tanzu Mission Control: