We’ve already discussed that infrastructure should only be provisioned from cloud native applications. We know that the infrastructure is also responsible for running those same applications.
Running infrastructure provisioned and controlled by applications allows us to scale more easily. We scale our infrastructure by learning how to scale applications. We also secure our infrastructure by learning how to secure applications.
In a dynamic environment, we have shown that humans cannot scale to manage the complexity. Why would we think they can scale to handle the policy and security?
This means, just as we had to create the applications that enforce infrastructure state through the reconciler pattern, we need to create applications that enforce security policy. Before we create the applications to enforce policy, we need to write our policy in a machine-parsible format.
Policy is hard to put into code because it does not have cleanly defined technical implementations. It deals more with how business gets done more than what runs business.
Both the how and the what change frequently, but the how is much more opinionated and not easily abstracted. It also is organization specific and will likely need to know specific details about the communication structure of the people who create the infrastructure.
Policy needs to apply to multiple stages of the application life cycle. As we discussed in Chapter 7, applications generally have ...