Centralized Policy Management

Defines centralized policy management and describes the features and benefits of applying policies to Kubernetes clusters managed by HPE Ezmeral Runtime Enterprise. Not available in HPE Ezmeral Runtime Enterprise Essentials.

This feature is not available in HPE Ezmeral Runtime Enterprise Essentials.

What Is Centralized Policy Management?

Policy management is the fine-grained control of objects in your Kubernetes cluster using pre-written policies. Centralized policy management is the ability to define and manage policies stored in a Git repository and apply them automatically to Kubernetes clusters managed by HPE Ezmeral Runtime Enterprise.

Challenges Addressed by Centralized Policy Management

Centralized policy management addresses some specific challenges faced by operations personnel in managing Kubernetes clusters:
  • Maintaining control over sprawling Kubernetes clusters

    Because it is relatively easy to create Kubernetes clusters on premises, off premises, or in the cloud, many installations accumulate more clusters than they can easily govern. The diversity and number of Kubernetes clusters can make it difficult to apply and enforce policies consistently.

  • Inconsistent policies or a lack of policies pose a security threat

    Inconsistent policies or a lack of policies increase the management burden on operations personnel, rendering clusters less secure.

  • Manual policy management is tedious and burdensome for operations

    Policy drift is hard to govern manually. Correcting it by hand leads to an endless cycle of defining and redefining, deploying and redeploying policies.

Features of Centralized Policy Management

The centralized policy management product capabilities in HPE Ezmeral Runtime Enterprise 5.3 provide the following features:
  • Git integration

    Git integration enables policies to be stored (backed up) in a source-control repository. For more information about GitOps, see What is GitOps?

  • Policy enforcement through an admission controller

    The HPE Ezmeral Runtime Enterprise policy controller leverages OPA Gatekeeper as an admission controller to validate and enforce policies on the cluster. OPA Gatekeeper is installed as a system add-on. For more information about OPA Gatekeeper, see Open Policy Agent.

  • Drift detection, reconciliation, and automatic policy synchronization (Argo CD)

    HPE Ezmeral Runtime Enterprise leverages Argo CD as the policy synchronizer engine for the continuous monitoring of policies on running Kubernetes clusters. The policy synchronizer watches for policy drift and reconciles any changes by automatically synchronizing the cluster with the centralized policy defined in Git. Synchronization ensures policy immutability and the continuous compliance of each Kubernetes cluster.

    HPE Ezmeral Runtime Enterprise 5.3 and later deploys Argo CD as a system add-on in every Kubernetes cluster created by the platform.

    HPE Ezmeral Runtime Enterprise uses Argo CD only for synchronization and policy validation. For more information about Argo CD, see Argo CD - Declarative GitOps CD for Kubernetes.

Benefits of Centralized Policy Management

Centralized policy management offers the following benefits:
  • Policy guardrails ensure consistent clusters across hybrid installations

    Policies serve as a blueprint for creating your clusters. Once applied, the policies are immutable and can only be changed by updating them in Git. This makes policies secure and centrally governed.

  • Policies ensure continuous compliance, control, and improved operations efficiency

    Policies give you greater control over objects, and the same policies can be applied to multiple clusters, ensuring consistency in your deployments.

  • Policies are subject to version control

    With version control, you can maintain multiple versions of a policy, and if you apply a policy that does not work as intended, you can roll it back.

Limitations of Centralized Policy Management

See Limitations of Centralized Policy Management.