Collie: A toolkit for securing cloud controller provisioned infrastructure

By Rowan Baker & Henry Mortimer

ControlPlane open sources Collie, a toolkit for demonstrating compliance and securing infrastructure provisioned by Kubernetes Cloud Infrastructure Controllers, such as Crossplane.

SecurityCon Talk

Organisations moving into cloud typically provision hardened infrastructure by developing Infrastructure as Code templates with pipeline policy gates. However, Kubernetes itself can provision infrastructure natively, through Load Balancer Services or third party cloud controllers, such as Crossplane.

This provides a challenge in large regulated organisations, which invest heavily in IAC and Policy patterns providing directive and preventive security controls, forming an integral part of their enterprise security architecture.

The lack of an equivalent pattern for infrastructure provisioned by cloud controllers will impede the adoption of these technologies, despite the benefits of

  • Developer simplicity via consumption of a single K8s deployment pipeline for apps and infrastructure
  • GitOps enablement for infrastructure
  • Drift protection, as cloud controllers continuously reconcile

The first release of Collie provides a set of NIST 800-53r5 compliant Kyverno policies for AWS RDS instances and S3 buckets provisioned by Crossplane, and leverages OSCAL documents and Lula to enable automated compliance validation.

The goal is to create confidence in using cloud controllers to provision infrastructure from Kubernetes by demonstrating a pattern that ensures infrastructure is configured securely using policy controllers and is able to be automatically validated against compliance standards.

You can try out the policies here by running the end to end test suite or by using the terraform to stand up a cluster with crossplane and Kyverno installed, then install some policies and create some cloud resources!

ControlPlane is at Kubecon EU this week! Come say “hoi!” at our booth (SU57) near the Cloud Native Corner Store, to chat with us about interesting Cloud Native security challenges, find out more about how we can help, and grab some of our award-winning swag.

We build and secure zero trust platforms

Learn More