Policy-as-Code

At Lumeus, we firmly believe that policy management cannot scale without automation in today's world. As the number of policy rules and deployments increases, policies can no longer be managed through traditional UI-based interfaces or old-style scripts. IT and security teams need the ability not just to automate configuration but also to manage version control, roll back, and track changes in case something goes wrong.

The Lumeus policy engine supports complete automation with a Policy-as-Code approach. YAML is the language used to specify policies. Users can still use GUI-based forms to modify individual policies, if needed.

The system automatically stores all policies in a single config.yaml file and maintains its version.

On every policy update (whether made in YAML or through a GUI form), the system automatically takes a backup of the existing configuration. Customers can download the config.yaml policy configuration file from the management portal for backup and store it in their own version-control system. Lumeus users can therefore download, view, or re-apply any older version of the policy configuration file.

Policy Configuration File

Lumeus YAML is centered around applications. For each application it lists the access rules and the users those rules grant access to.

The YAML below is an example policy configuration. It grants access to the following applications:

  • Kubernetes cluster: allow access to dev-clusters for K8 administrator and view-only users

  • SSH access to dev-servers for specific users, with each access session recorded

kind: rules
spec:
    apps:
        - name: dev-clusters
          access:
            - rule: k8-admins
              resources:
                users:
                    - demo@abccorp.com
                    - engineer@abccorp.com
              role: k8-administrator
              action: allow
            - rule: viewer-rule
              resources:
                users:
                    - support@abccorp.com
              role: observer
              action: allow
        - name: dev-servers
          access:
            - rule: ssh-access
              resources:
                users:
                    - engineer@abccorp.com
              role: ssh-admin
              action: allow and record
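As an added example (not Lumeus code and not part of the original page), the Ruby script below treats config.yaml the way the backup-and-version workflow described above implies. It loads the page's sample policy with Ruby's standard-library YAML parser, validates the structure, flattens it into per-user grants so a reviewer can ask what a given user can reach, and diffs two versions to show exactly which grants a change adds or removes. The key names and the two action values it checks are taken from the sample above; the assumption that no other actions exist, the constructed "proposed" second version, and the deliberately malformed third configuration are mine.

```ruby
require 'yaml'

# Constructed sample: the policy configuration shown on the page, taken as
# the currently deployed version of config.yaml.
CONFIG_V1 = <<~YAML
  kind: rules
  spec:
    apps:
      - name: dev-clusters
        access:
          - rule: k8-admins
            resources:
              users:
                - demo@abccorp.com
                - engineer@abccorp.com
            role: k8-administrator
            action: allow
          - rule: viewer-rule
            resources:
              users:
                - support@abccorp.com
            role: observer
            action: allow
      - name: dev-servers
        access:
          - rule: ssh-access
            resources:
              users:
                - engineer@abccorp.com
            role: ssh-admin
            action: allow and record
YAML

# Constructed "proposed" version: the result of a GUI edit that replaces the
# viewer with an auditor account and adds a new hire to SSH access.
CONFIG_V2 = begin
  doc = YAML.safe_load(CONFIG_V1)
  apps = doc['spec']['apps']
  apps[0]['access'][1]['resources']['users'] = ['auditor@abccorp.com']
  apps[1]['access'][0]['resources']['users'] << 'newhire@abccorp.com'
  YAML.dump(doc)
end

# Constructed malformed version: no role, and an action the page never shows.
CONFIG_BAD = <<~YAML
  kind: rules
  spec:
    apps:
      - name: dev-servers
        access:
          - {rule: ssh-access, resources: {users: [engineer@abccorp.com]}, action: deny}
YAML

# Assumption: only the two actions that appear in the page's sample are valid.
KNOWN_ACTIONS = ['allow', 'allow and record'].freeze
RULE_KEYS = %w[rule resources role action].freeze

# Structural checks a pre-commit hook would run; returns a list of problems.
def validate_policy(yaml_text)
  doc = YAML.safe_load(yaml_text)
  return ["top-level 'kind' must be 'rules'"] unless doc.is_a?(Hash) && doc['kind'] == 'rules'
  apps = doc.dig('spec', 'apps')
  return ["'spec.apps' must be a list"] unless apps.is_a?(Array)
  errors = []
  apps.each do |app|
    name = app['name'] || '<unnamed>'
    errors << "app #{name}: missing 'name'" unless app['name']
    rules = app['access']
    unless rules.is_a?(Array)
      errors << "app #{name}: 'access' must be a list"
      next
    end
    seen = []
    rules.each do |r|
      rid = "#{name}/#{r['rule'] || '<unnamed>'}"
      (RULE_KEYS - r.keys).each { |k| errors << "#{rid}: missing '#{k}'" }
      errors << "#{rid}: duplicate rule name" if seen.include?(r['rule'])
      seen << r['rule']
      users = r.dig('resources', 'users')
      errors << "#{rid}: 'resources.users' must be a non-empty list" unless users.is_a?(Array) && !users.empty?
      errors << "#{rid}: unknown action '#{r['action']}'" if r.key?('action') && !KNOWN_ACTIONS.include?(r['action'])
    end
  end
  errors
end

# Flatten the app -> rule -> user hierarchy into one grant per user; this is
# the unit an access review cares about. Empty user lists yield no grants.
def grants(yaml_text)
  doc = YAML.safe_load(yaml_text)
  Array(doc.dig('spec', 'apps')).flat_map do |app|
    Array(app['access']).flat_map do |r|
      Array(r.dig('resources', 'users')).map do |user|
        { app: app['name'], rule: r['rule'], user: user, role: r['role'], action: r['action'] }
      end
    end
  end
end

# Everything a given identity is granted across all applications.
def access_for(yaml_text, user)
  grants(yaml_text).select { |g| g[:user] == user }
end

# Grant-level diff between two config.yaml versions (e.g. backup vs. proposed).
def diff_grants(old_yaml, new_yaml)
  old_g = grants(old_yaml)
  new_g = grants(new_yaml)
  { added: new_g - old_g, removed: old_g - new_g }
end

if __FILE__ == $PROGRAM_NAME
  puts "v1 validation: #{validate_policy(CONFIG_V1).empty? ? 'ok' : 'errors'}"
  diff_grants(CONFIG_V1, CONFIG_V2).each { |kind, gs| gs.each { |g| puts "#{kind}: #{g}" } }
  validate_policy(CONFIG_BAD).each { |e| puts "bad config: #{e}" }
end
```

Running the script prints the grants that CONFIG_V2 adds and removes relative to CONFIG_V1 and the validation errors for CONFIG_BAD. Diffing at the grant level rather than the raw text is the point: a one-line change to a users list reads as "newhire@abccorp.com gains ssh-admin on dev-servers with session recording", which is what a reviewer approving a policy change needs to see.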
