---
title: "Policy as Code (PaC)"
type: concept
tags: [security, devops, compliance, automation]
date: 2025-03-01
---

## Definition

Policy as Code (PaC) is the practice of writing security, compliance and operational policies as executable code, so that automated enforcement and continuous verification replace manual audits and hand checks.

## Core Concept

```
Traditional model:
──────────────────
Policy written by hand → documented → checked manually → audited intermittently

                          ↓

PaC model:
──────────
Policy as code → enforced automatically → verified continuously → compliant in real time
```

## Benefits

| Benefit | Description |
|---------|-------------|
| **Consistency** | Every run applies the same rules, eliminating human error |
| **Version control** | Policy changes are tracked and reviewed through Git |
| **Automation** | Integrated into CI/CD for continuous verification |
| **Testability** | Policies can be unit- and integration-tested |
| **Audit-friendly** | Audit logs are generated automatically |

## Implementation Patterns

### 1. OPA (Open Policy Agent)

```rego
# Example OPA Rego admission policy: reject Pods that share the host IPC namespace
package kubernetes.admission

deny[msg] {
    input.request.kind.kind == "Pod"
    # hostIPC defaults to false; only an explicit true is a violation
    input.request.object.spec.hostIPC == true
    msg := "HostIPC is not allowed"
}
```

### 2. Terraform Sentinel

The enforcement level is declared in the policy set's `sentinel.hcl`; the check itself is written in the Sentinel language against the plan:

```hcl
# sentinel.hcl: policy set configuration for Terraform
policy "require-tags" {
  source            = "./require-tags.sentinel"
  enforcement_level = "advisory"
}
```

```sentinel
# require-tags.sentinel: every resource being created or updated must carry tags
import "tfplan/v2" as tfplan

changed = filter tfplan.resource_changes as _, rc {
  rc.change.actions contains "create" or rc.change.actions contains "update"
}

untagged = filter changed as _, rc {
  length(rc.change.after.tags else {}) is 0
}

main = rule {
  length(untagged) is 0
}
```

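The two policies from the OPA and Sentinel sections above, re-expressed as plain, unit-testable Python. This is an added example written for this note, not OPA, Sentinel or code from the linked sources; the function names, the `PolicySet` class and the sample admission review and plan data are constructed for illustration (the plan dictionary mimics the `resource_changes` shape of `terraform show -json` output). It goes slightly beyond the snippets by adding a CI gate that treats `mandatory` and `advisory` policies differently, the way a Sentinel enforcement level does.

```python
"""Policy as Code in plain Python (illustrative re-implementation, not OPA or Sentinel).

Two policies from the note are written as testable functions:
  * deny Kubernetes Pods that enable hostIPC (the Rego example)
  * require tags on every created/updated Terraform resource (the Sentinel example)
Each policy returns a list of violation messages; a gate applies the
enforcement level the way a CI pipeline would.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Policy = Callable[[dict], List[str]]


def deny_host_ipc(admission_review: dict) -> List[str]:
    """Kubernetes admission policy: Pods must not set spec.hostIPC=true."""
    request = admission_review.get("request", {})
    if request.get("kind", {}).get("kind") != "Pod":
        return []
    spec = request.get("object", {}).get("spec", {})
    # hostIPC defaults to false when absent, so only an explicit true is a violation
    if spec.get("hostIPC") is True:
        return ["HostIPC is not allowed"]
    return []


def require_tags(plan: dict) -> List[str]:
    """Terraform plan policy: resources being created or updated must carry tags.

    `plan` follows the shape of `terraform show -json` output: a top-level
    `resource_changes` list whose items have `address` and `change`.
    """
    violations = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if not actions & {"create", "update"}:
            continue  # destroy / no-op changes have no "after" state to check
        after = rc["change"].get("after") or {}
        if not after.get("tags"):
            violations.append(f"{rc['address']}: resource has no tags")
    return violations


@dataclass
class PolicySet:
    """A bundle of policies with Sentinel-style enforcement levels (hypothetical helper)."""
    policies: Dict[str, Policy]
    enforcement: Dict[str, str] = field(default_factory=dict)  # "mandatory" | "advisory"

    def evaluate(self, inputs: Dict[str, dict]) -> Dict[str, List[str]]:
        """Run each policy against its input; return violations per policy name."""
        return {name: fn(inputs[name]) for name, fn in self.policies.items()}

    def gate(self, inputs: Dict[str, dict]) -> bool:
        """True if the change may proceed: mandatory policies must be clean,
        advisory violations are reported but do not block."""
        results = self.evaluate(inputs)
        passed = True
        for name, msgs in results.items():
            level = self.enforcement.get(name, "mandatory")
            for msg in msgs:
                print(f"[{level}] {name}: {msg}")
            if msgs and level == "mandatory":
                passed = False
        return passed


# Constructed sample inputs (not real cluster or plan data)
SAMPLE_ADMISSION = {
    "request": {
        "kind": {"kind": "Pod"},
        "object": {"spec": {"hostIPC": True, "containers": [{"name": "app"}]}},
    }
}
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs",
         "change": {"actions": ["create"], "after": {"tags": {"owner": "sec"}}}},
        {"address": "aws_instance.web",
         "change": {"actions": ["update"], "after": {"tags": {}}}},
        {"address": "aws_instance.old",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

POLICY_SET = PolicySet(
    policies={"deny-host-ipc": deny_host_ipc, "require-tags": require_tags},
    enforcement={"deny-host-ipc": "mandatory", "require-tags": "advisory"},
)

if __name__ == "__main__":
    ok = POLICY_SET.gate({"deny-host-ipc": SAMPLE_ADMISSION, "require-tags": SAMPLE_PLAN})
    print("gate:", "pass" if ok else "FAIL")
```

Because each policy is a pure function over its input document, it can be unit-tested in the same pipeline that enforces it, which is the "testable" and "consistent" benefits from the table above in practice.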
### 3. In ITSM Context

Within [[ITSM]], PaC underpins [[Security-and-Compliance]]:

- **Change compliance**: changes are automatically verified against security policy
- **Configuration baselines**: configuration items are checked against the baseline
- **Access control**: the principle of least privilege is enforced automatically
- **Audit automation**: compliance reports are generated automatically

## Related Concepts

- [[Zero-Trust-Architecture]]: ZTA relies on PaC for automation
- [[Security-and-Compliance]]: the core application area of PaC
- [[Infrastructure-as-Code]]: how IaC and PaC work together
- [[DevSecOps]]: the role of PaC in DevSecOps

## Sources

- [[understanding-complete-itsm]]: Policy as Code applied in ITSM