Stage 7 · Master
Policy as Code & Security Guardrails
Compliance & Audit Automation
Continuous compliance: policy reports, drift detection, evidence collection for SOC2/PCI. Dashboard for auditors.
Compliance Frameworks
| Framework | Focus | Key Requirements | Platform Mapping |
|---|---|---|---|
| SOC 2 Type II | Security, Availability, Confidentiality | Access control, encryption, monitoring, incident response | RBAC, encryption at rest/transit, audit logs, IR runbooks |
| PCI DSS | Payment card data | Network segmentation, encryption, vulnerability mgmt, access control | Network policies, TLS, scanning, least privilege |
| HIPAA | Health data privacy | Access control, audit logs, encryption, BAA | RBAC, audit logs, encryption, BAA with cloud |
| GDPR | Personal data protection | Data minimization, consent, right to deletion, DPIA | Data catalog, deletion workflows, DPIA templates |
| FedRAMP | US federal cloud | Continuous monitoring, incident response, supply chain | Continuous compliance, IR, SBOM, provenance |
| ISO 27001 | InfoSec management | Risk assessment, controls, internal audit, management review | Risk register, control mapping, audit automation |
Continuous Compliance
Traditional compliance: point-in-time audit, manual evidence gathering, months of prep. Continuous compliance: automated policy evaluation, real-time drift detection, evidence generated continuously, always audit-ready.
- Policy evaluation: Every 5 minutes (Kyverno background scan) + on every admission
- Drift detection: Compare live state vs Git (ArgoCD) + policy state (Kyverno)
- Evidence generation: Automated screenshots, logs, config dumps, policy results
- Evidence storage: Immutable object storage (S3/GCS with Object Lock) + blockchain anchor (optional)
- Auditor access: Read-only portal with filtered views, export packages
- Remediation: Auto-fix for known patterns (labels, annotations, resource limits), manual for complex
Evidence Collection
Evidence must be: authentic (tamper-proof), complete (covers all controls), timely (generated at control execution), and attributable (linked to policy, resource, time).
apiVersion: platform.example.com/v1
kind: EvidencePolicy
metadata:
name: soc2-evidence
spec:
framework: SOC2
controls:
- id: CC6.1
title: "Logical Access Controls"
evidence:
- type: policy_evaluation
policy: rbac-least-privilege
frequency: continuous
- type: config_dump
resource: ClusterRoleBinding
filter: "platform.example.com/managed=true"
frequency: daily
- type: audit_log
query: "verb in (create,update,delete) AND objectRef.resource=clusterrolebinding"
frequency: continuous
- id: CC6.7
title: "Data Encryption"
evidence:
- type: policy_evaluation
policy: encryption-at-rest
frequency: continuous
- type: config_dump
resource: PersistentVolumeClaim
filter: "storageclass.kubernetes.io/is-default-class=true"
frequency: daily
- type: config_dump
resource: Secret
filter: "type=kubernetes.io/tls"
frequency: daily
- id: CC7.2
title: "System Monitoring"
evidence:
- type: policy_evaluation
policy: monitoring-coverage
frequency: continuous
- type: metric_snapshot
query: "up{job=~'.*'}"
frequency: hourly
retention: 7y
storage:
type: s3
bucket: platform-compliance-evidence
objectLock: true
encryption: SSE-KMS
Evidence policy defines what to collect, how often, where to store. Immutable storage with Object Lock for tamper-proofing.
Auditor Dashboard
- Framework view: SOC2, PCI, HIPAA tabs with control mapping
- Control status: Pass/Fail/Partial with evidence links
- Drift timeline: When did control fail? When recovered? Duration?
- Evidence browser: Search by control, resource, time, policy
- Export package: ZIP with all evidence for control, signed manifest
- Read-only: No write access, no PII exposure, audit trail of auditor access
Automated Remediation
| Remediation Type | Examples | Risk | Approval |
|---|---|---|---|
| Auto-fix (Safe) | Add missing labels, set default resource limits, add standard annotations | Low | Pre-approved policy |
| Auto-fix (Medium) | Add NetworkPolicy for namespace, set PodSecurityStandard, enable ServiceMonitor | Medium | Platform team review |
| Guided | Developer gets PR with fix, must approve merge | Low-Medium | Developer + platform review |
| Manual | Architecture changes, secret rotation, capacity planning | High | Platform team + stakeholder |
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-missing-labels
spec:
rules:
- name: add-platform-labels
match:
any:
- resources:
kinds: ["Deployment", "StatefulSet", "Service", "ConfigMap", "Secret"]
mutate:
patchStrategicMerge:
metadata:
labels:
+platform.example.com/managed-by: "platform-controller"
+platform.example.com/created-at: "{{ time_now | date "2006-01-02" }}"
# Auto-remediate existing resources
autoGenRules:
generateExisting: true
synchronize: true
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-default-resources
spec:
rules:
- name: default-resource-limits
match:
any:
- resources:
kinds: ["Deployment", "StatefulSet"]
mutate:
patchStrategicMerge:
spec:
template:
spec:
containers:
- name: "*"
resources:
limits:
cpu: "1000m"
memory: "1Gi"
requests:
cpu: "100m"
memory: "128Mi"
autoGenRules:
generateExisting: true
synchronize: true
Kyverno mutate rules add missing labels, set default resources. autoGenRules applies to existing resources. synchronize keeps them in sync.
Compliance Reporting
- Executive Summary: Overall posture, trend, risk heat map
- Control Detail: Per-control status, evidence, drift history, remediation actions
- Resource Inventory: All resources with compliance tags, owner, last scan
- Drift Report: Resources that drifted, duration, auto-remediated vs manual
- Exception Report: Active exceptions, expiration, approver, migration plan
- Trend Analysis: Compliance score over time, MTTR for drift, policy coverage
- Auditor Package: One-click export for specific framework/control set
Treat compliance policies like application code: versioned, tested, reviewed, deployed via CI/CD. Auditors get access to the policy repo + evidence store. No more 'compliance theater' — real-time proof.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.