rad-guard
Overview
RAD-Guard is an in-cluster plugin that enforces GuardPolicies, which are written in Rego, during the admission of Kubernetes resources. Its main function is to permit or deny resource admission based on policy evaluations. Configuration for RAD-Guard’s operation is specified in the Helm chart values file under the `guard` section. The plugin operates as a scalable, multi-replica Deployment, ensuring fault tolerance and the ability to handle increased load.
Performance Considerations
RAD-Guard prioritizes minimizing latency and ensuring decisive policy enforcement:
- Efficient Violation Handling: RAD-Guard terminates the evaluation process upon detecting the first policy violation and immediately decides whether to allow or block the resource admission, preventing unnecessary processing and potential slowdowns.
- Complete Policy Evaluation: In cases where all GuardPolicies pass, the plugin completes the full policy evaluation and communicates the results back to RAD.
Blocking Modes
The plugin’s blocking behavior is adaptable to meet varying security requirements:
- Global Blocking Configuration: Blocking is managed at a global level within the cluster through three primary flags: `block-on-error`, `block-on-timeout`, and `block-on-violation`.
Specific Flag Functions
- block-on-error: When enabled, any execution errors that occur while assessing GuardPolicies result in the admission request being blocked.
- block-on-timeout: This flag, when set to true, will block any admission request that exceeds the designated timeout window for policy decision-making.
- block-on-violation: If activated, any breach of GuardPolicy will lead to the blocking of the request. If disabled, the request proceeds but is reported back to RAD.
Non-Blocking Default: By default, RAD-Guard is configured not to block requests, with all blocking-related flags set to `false`.
Configuration
The RAD-Guard component has a set of flags that can be modified if needed. To override a default, set the variable listed below as an environment variable on the RAD-Guard Deployment with the desired value.

| Environment Variable | Default Value | Description |
|---|---|---|
| BLOCK_ON_ERROR | false | If true, the webhook will block admission on error |
| BLOCK_ON_TIMEOUT | false | If true, the webhook will block admission on timeout |
| BLOCK_ON_POLICY_VIOLATION | false | If true, the webhook will block admission on policy violation |
| ENABLE_WARNING_LOGS | false | If true, enables the logging of warnings |
| HEALTH_PROBE_PORT | 8001 | The port on which the health probe listens |
| METRICS_PORT | 8080 | The port for exposing metrics |
| WEBHOOK_PORT | 9443 | The port that the webhook listens on |
| WEBHOOK_TIMEOUT | 10 seconds | The timeout duration for the webhook |
| WORKERS_POOL_SIZE | 100 | The size of the workers pool |
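The following Go program is an added example, not RAD-Guard's own code, illustrating the admission semantics described above: the blocking flags are read from the documented environment variables with their documented defaults (fail-open), evaluation stops at the first GuardPolicy violation, an evaluation error or an expired timeout is decided by `BLOCK_ON_ERROR` / `BLOCK_ON_TIMEOUT`, and a full result set is reported only when every policy passes. The `Policy.Eval` signature, the `NoPrivileged` sample policy, the constructed Pod object and the parsing of `WEBHOOK_TIMEOUT` as a plain number of seconds are all assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"strconv"
	"time"
)

// Config mirrors the blocking-related variables of the configuration table.
// Every blocking flag defaults to false, i.e. RAD-Guard fails open.
type Config struct {
	BlockOnError     bool
	BlockOnTimeout   bool
	BlockOnViolation bool
	Timeout          time.Duration
}

// LoadConfig reads the documented variables through getenv (injected so the
// code is testable without touching the process environment). Treating
// WEBHOOK_TIMEOUT as a plain number of seconds is an assumption of this example.
func LoadConfig(getenv func(string) string) Config {
	flag := func(name string) bool {
		v, err := strconv.ParseBool(getenv(name))
		return err == nil && v
	}
	timeout := 10 * time.Second
	if n, err := strconv.Atoi(getenv("WEBHOOK_TIMEOUT")); err == nil && n > 0 {
		timeout = time.Duration(n) * time.Second
	}
	return Config{
		BlockOnError:     flag("BLOCK_ON_ERROR"),
		BlockOnTimeout:   flag("BLOCK_ON_TIMEOUT"),
		BlockOnViolation: flag("BLOCK_ON_POLICY_VIOLATION"),
		Timeout:          timeout,
	}
}

// Outcome is what evaluating one GuardPolicy against a resource yields.
type Outcome int

const (
	Pass Outcome = iota
	Violation
	EvalError
)

// Policy stands in for a compiled Rego GuardPolicy; the Eval signature is a
// hypothetical stand-in for the Rego evaluator, not RAD-Guard's own API.
type Policy struct {
	Name string
	Eval func(ctx context.Context, obj map[string]any) (Outcome, string)
}

// PolicyResult is one entry of the report sent back to RAD.
type PolicyResult struct {
	Policy  string
	Outcome Outcome
	Message string
}

// Decision is the admission verdict plus everything evaluated so far.
type Decision struct {
	Allowed bool
	Reason  string
	Results []PolicyResult
}

// Evaluate applies the documented semantics: stop at the first violation,
// decide timeouts and errors by the flags, report all results only on full pass.
func Evaluate(ctx context.Context, cfg Config, policies []Policy, obj map[string]any) Decision {
	ctx, cancel := context.WithTimeout(ctx, cfg.Timeout)
	defer cancel()
	var results []PolicyResult
	for _, p := range policies {
		out, msg := p.Eval(ctx, obj)
		results = append(results, PolicyResult{p.Name, out, msg})
		if ctx.Err() != nil { // deadline passed while this policy was running
			return Decision{!cfg.BlockOnTimeout, "timeout", results}
		}
		switch out {
		case Violation: // short-circuit: decide immediately, remaining policies never run
			return Decision{!cfg.BlockOnViolation, p.Name + ": " + msg, results}
		case EvalError:
			if cfg.BlockOnError {
				return Decision{false, p.Name + ": " + msg, results}
			}
		}
	}
	return Decision{true, "all GuardPolicies passed", results}
}

// NoPrivileged is a constructed sample policy: flag pods running a privileged container.
func NoPrivileged(_ context.Context, obj map[string]any) (Outcome, string) {
	spec, _ := obj["spec"].(map[string]any)
	containers, _ := spec["containers"].([]map[string]any)
	for _, c := range containers {
		sc, _ := c["securityContext"].(map[string]any)
		if priv, _ := sc["privileged"].(bool); priv {
			return Violation, fmt.Sprintf("container %v is privileged", c["name"])
		}
	}
	return Pass, ""
}

// PrivilegedPod is a constructed admission request object (a Pod) for the demo.
var PrivilegedPod = map[string]any{
	"kind": "Pod",
	"spec": map[string]any{"containers": []map[string]any{
		{"name": "app", "securityContext": map[string]any{"privileged": true}},
	}},
}

func main() {
	env := map[string]string{"BLOCK_ON_POLICY_VIOLATION": "true"}
	cfg := LoadConfig(func(k string) string { return env[k] })
	d := Evaluate(context.Background(), cfg, []Policy{{"no-privileged", NoPrivileged}}, PrivilegedPod)
	fmt.Printf("allowed=%v reason=%q results=%d\n", d.Allowed, d.Reason, len(d.Results))
}
```

With the defaults the privileged Pod is admitted and the violation only appears in the report; with `BLOCK_ON_POLICY_VIOLATION=true` the same request is denied. The `ctx.Err()` check after each policy is what turns a slow evaluation into a timeout decision rather than a silent allow, so an operator who wants fail-closed behaviour needs `BLOCK_ON_TIMEOUT` as well as `BLOCK_ON_POLICY_VIOLATION`.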