Kubees

Concepts

Kubees is an audit solution dedicated to the Kubernetes environment. There are three major goals for the project:

  • Federate the compliance status of a fleet of Kubernetes clusters in real time
  • Leverage the existing ecosystem to get started faster on a solid base
  • Be an interface for the different actors of security and governance in a company

The major components are described in the Architecture section.

Concepts

Applications

An application is a set of Kubernetes resources that are grouped to create a higher-level view of the workloads. It shares the philosophy of kubernetes-sigs/application and the OAM specification.

In Kubees, an application can be defined from the following metadata:

  • A namespace from a single cluster
  • A set of Kubernetes resource labels (Docs)
  • A set of Kubernetes resource annotations (Docs)

This logical entity is the primary interface for the developers using the platform.

Policies

A policy is a declarative definition of constraints that can be enforced across the organization. For example, one could forbid all pods running with privileged: true in their security context. Subsequent audits report every infringement of this constraint, so the user can see all of them.

This interface is intended for the governance team members, who should be the only ones authorized to edit policies.

Derogation

As policies are applied across the entire fleet of clusters, they can cause problems in heterogeneous environments. Consider, for example, the difference between development and production environments: the former might need more lenient constraints for a better developer experience. A derogation relaxes a policy for such a subset of the fleet.
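As an added example that is not Kubees code (the project's own policy format is not shown on this page), this hypothetical Python check implements the privileged-pod constraint from the Policies section over constructed Pod manifests, and models a derogation as a set of namespaces exempted from the audit:

```python
# Added example, not Kubees code: the check behind the policy "forbid pods
# running with privileged: true", evaluated over constructed Pod manifests.
# Kubees' policy format is not shown on this page; this is a stand-alone,
# hypothetical implementation of one such constraint and its derogation.
from typing import Any, Dict, List

# Constructed sample Pod objects in the shape kubectl returns (no real cluster).
SAMPLE_PODS: List[Dict[str, Any]] = [
    {"metadata": {"name": "web", "namespace": "prod"},
     "spec": {"containers": [{"name": "nginx", "securityContext": {"privileged": False}}]}},
    {"metadata": {"name": "debug", "namespace": "dev"},
     "spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
              "containers": [{"name": "shell"}]}},
    {"metadata": {"name": "node-agent", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": True}},
                             {"name": "sidecar", "securityContext": {"privileged": True}}]}},
]

# All three container lists of a Pod spec must be checked, not only "containers".
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def privileged_containers(pod: Dict[str, Any]) -> List[str]:
    """Return the names of every container in the pod that requests privileged mode."""
    spec = pod.get("spec", {})
    found: List[str] = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field, []):
            # privileged is optional and defaults to false; only an explicit true is a finding.
            if c.get("securityContext", {}).get("privileged") is True:
                found.append(f"{field}/{c['name']}")
    return found


def audit_no_privileged(pods: List[Dict[str, Any]], cluster: str,
                        exempt_namespaces=()) -> List[Dict[str, Any]]:
    """Evaluate the policy over one cluster's pods and return one risk per infringing pod.

    exempt_namespaces models a derogation: namespaces where the policy is not applied.
    """
    risks: List[Dict[str, Any]] = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        if ns in exempt_namespaces:
            continue  # derogated: skipped rather than reported
        offenders = privileged_containers(pod)
        if offenders:
            risks.append({"policy": "no-privileged-pods", "cluster": cluster,
                          "namespace": ns, "pod": pod["metadata"]["name"],
                          "containers": offenders})
    return risks
```

Each returned dict is one risk in the page's sense: an infringement of a policy on a set of resources, tagged with the cluster so an audit can federate results across the fleet.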

Risks

A risk is an infringement of a policy on a set of Kubernetes resources.

Audits

An audit is a snapshot of policy compliance at a given time. It lists the risks identified along with the affected resources and clusters.

Personas

Developer

An application developer who uses the Kubernetes platform to deploy their work.

Operator

An operator is responsible for one or more Kubernetes clusters. They manage the clusters' lifecycles, OS-level security and configuration, and also the global (i.e. non-namespaced) resources of their clusters.

Governance

Responsible for the organization's security, they are mainly concerned with the policies enforced across the infrastructure.