SlideShare a Scribd company logo

Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code

All Things Open
All Things Open

Presented at All Things Open 2023 Presented by Carlos Santana - AWS Title: Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code Abstract: Are you concerned about the security of your cloud resources deployed on Kubernetes? Are you struggling to ensure compliance with regulatory requirements while managing your cloud infrastructure? If yes, then this talk is for you! We will discuss how to secure cloud resources deployed with Crossplane on Kubernetes using Governance and Policy as Code. We will explore how to leverage Governance and Policy as Code tools like Rego, Kyverno, and OPA to ensure security and compliance. By the end of this talk, you will have a better understanding of the challenges associated with securing cloud resources deployed with Crossplane or ACK on Kubernetes, the importance of Governance and Policy as Code in ensuring security and compliance, and why it is critical to use open source and open standards in these technologies. Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen 2023 conference: https://2023.allthingsopen.org/

Technology
1 of 22
Download to read offline
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Control Planes on Kubernetes and Policy Validation Carlos Santana Sr. Specialist Solutions Architect, Kubernetes @csantanapr csantanapr
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EKS is the most trusted and secure way to run Kubernetes Amazon EKS AWS is the best place to run Kubernetes. 65% of organizations choose AWS to run their containers. EKS makes Kubernetes operations, administration, and management simple and boring. EKS provides a managed Kubernetes experience for performant, reliable, and secure Kubernetes. EKS supports 5 versions of Kubernetes, giving customers time to test and roll out upgrades. EKS runs vanilla Kubernetes. EKS is upstream and certified conformant version of Kubernetes (with backported security fixes) CNCF State of Cloud Native Development
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application Amazon S3 Amazon SQS Amazon DynamoDB
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application Amazon S3 Amazon SQS Amazon DynamoDB Platform Team
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Separation of Concerns I would like to standardize the deployment process for application teams while enforcing organizational standards for cloud. Platform Team Application Teams I would like to have full autonomy of applications and its cloud dependencies deployment lifecycle.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Autonomy vs Standardization A U T O N O M Y LEVEL OF STANDARDIZATION
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Disjointed Workflows Adds Developer Overhead How do you get the state of the entire system? How do you debug and remediate issues? How do you pass secrets from one pipeline passed to the other? How do you tear-down all unused resources? Developers Request Database Repo Ticketing System Central Team Code Review Develop Develop RDS Kinesis Load Balancer EBS AWS CDK Platform Team AWS CloudFormation
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. 9 Kubernetes to Deploy Cloud Services Developers Repo Code Review RDS Kinesis Load Balancer EBS
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Leverage existing workflows for deploying into Kubernetes without maintaining several pipelines Centralized cost, security, and auditing for any cloud resource with OPA or Kyverno, utilize existing RBAC and IRSA Self healing using GitOps for all cloud resources (containers, databases, queues, and streams)
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller Developer CI/CD Git EKS Cluster Application Ticketing System Platform Team AWS CDK Amazon S3 Amazon SQS Amazon DynamoDB
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller Git Developer CI/CD Kubernetes Application AWS Resource Claim ACK Crossplane Amazon S3 Amazon SQS Amazon DynamoDB
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Infrastructure controllers Manage cloud services using Kubernetes API Create your own platform API A single API for Kubernetes and cloud services Declarative infrastructure configuration ACK Crossplane
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Where to check? Developer Amazon S3 Amazon SQS Amazon DynamoDB Git Pre Commit CI (Pull Request) CRD Validation Validating Admission Policy Kube API Mutating Webhook Validating Webhook Dynamic Admission Control ACK Crossplane OPA Gatekeeper Kyverno ETCD CD (GitOps) Since 1.26, 1.28 (beta) Gator cli Conftest cli Kyverno cli KubeConform
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Local Testing • Rego § opa § gator § conftest • Kyverno • Kubeconform Developer Git Pre Commit CI (Pull Request)
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes CRD • CRD Validation Expression • Common Expression Language (CEL) • 1.25 Beta • 1.29 GA (~12/23) KEP 2876 CD (GitOps) CRD Validation Kube API
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes CRD
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Validating Admission • Validating Admission Policy • Common Expression Language (CEL) • 1.26 Beta • 1.29 GA (~12/23) KEP 3488 Validating Admission Policy Kube API
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Validating Admission
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Policy Engines • OPA/Gatekeeper § Webhooks, Controller § AWS Config custom rules • Kyverno § Webhooks, Controller § Adapter for EKS Validating Admission Policy Mutating Webhook Validating Webhook Dynamic Admission Control Kube API ETCD OPA Gatekeeper Kyverno AWS Config Amazon EKS
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller AWS Account EKS Cluster Developer Platform Team code Deploy CI CD Helm Chart Prometheus Grafana OPA Policy Cost Control OTEL FluentBit Observability Auth Abstraction DB CR Amazon DynamoDB Amazon DynamoDB Crossplane values.yaml dynamodb: enable: true ACK Kyverno
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank You carrlos@amazon.com Carlos Santana @csantanapr csantanapr GitHub Repo Demo and Resources

Recommended

Amazon EKS multi-cluster gitops-bridge
Amazon EKS multi-cluster gitops-bridgeAmazon EKS multi-cluster gitops-bridge
Amazon EKS multi-cluster gitops-bridgeCarlos Santana
 
Scaling production grade EKS Multi-Cluster environments using GitOps
Scaling production grade EKS Multi-Cluster environments using GitOpsScaling production grade EKS Multi-Cluster environments using GitOps
Scaling production grade EKS Multi-Cluster environments using GitOpsCarlos Santana
 
From Zero to Production with Amazon EKS Blueprints for Terraform
From Zero to Production with Amazon EKS Blueprints for Terraform From Zero to Production with Amazon EKS Blueprints for Terraform
From Zero to Production with Amazon EKS Blueprints for TerraformTal Hibner
 
Trusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityTrusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityWeaveworks
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker GmbH
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - Håkon
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - HåkonAWS re:Invent 2023 re:Cap - AWS User Group Oslo - Håkon
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - HåkonHåkon Eriksen Drange
 
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018Amazon Web Services
 

Recommended

Amazon EKS multi-cluster gitops-bridge
Amazon EKS multi-cluster gitops-bridgeAmazon EKS multi-cluster gitops-bridge
Amazon EKS multi-cluster gitops-bridgeCarlos Santana
 
Scaling production grade EKS Multi-Cluster environments using GitOps
Scaling production grade EKS Multi-Cluster environments using GitOpsScaling production grade EKS Multi-Cluster environments using GitOps
Scaling production grade EKS Multi-Cluster environments using GitOpsCarlos Santana
 
From Zero to Production with Amazon EKS Blueprints for Terraform
From Zero to Production with Amazon EKS Blueprints for Terraform From Zero to Production with Amazon EKS Blueprints for Terraform
From Zero to Production with Amazon EKS Blueprints for TerraformTal Hibner
 
Trusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityTrusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityWeaveworks
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker GmbH
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - Håkon
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - HåkonAWS re:Invent 2023 re:Cap - AWS User Group Oslo - Håkon
AWS re:Invent 2023 re:Cap - AWS User Group Oslo - HåkonHåkon Eriksen Drange
 
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018
Application Portability with Kubernetes (CMP310-S) - AWS re:Invent 2018Amazon Web Services
 
Göteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxGöteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxAritra Nag
 
AWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfAWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfRohini Gaonkar
 
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitExecutando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitAmazon Web Services
 
AWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfAWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfHeitor Lessa
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...Amazon Web Services Japan
 
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019AWS Summits
 
AWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAritra Nag
 
AWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckAWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckSammy Cheung
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKSAmazon Web Services
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Web Services
 
Getting-started-with-containers on AWS
Getting-started-with-containers on AWSGetting-started-with-containers on AWS
Getting-started-with-containers on AWSAmazon Web Services
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...Amazon Web Services
 
SRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSSRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSAmazon Web Services
 
Running kubernetes with amazon eks
Running kubernetes with amazon eksRunning kubernetes with amazon eks
Running kubernetes with amazon eksyanaisama
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesBATbern
 
使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計Amazon Web Services
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxAWS Chicago
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateAmazon Web Services
 
Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 

More Related Content

Similar to Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code

Göteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxGöteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxAritra Nag
 
AWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfAWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfRohini Gaonkar
 
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitExecutando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitAmazon Web Services
 
AWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfAWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfHeitor Lessa
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...Amazon Web Services Japan
 
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019AWS Summits
 
AWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAritra Nag
 
AWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckAWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckSammy Cheung
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Web Services
 
Getting-started-with-containers on AWS
Getting-started-with-containers on AWSGetting-started-with-containers on AWS
Getting-started-with-containers on AWSAmazon Web Services
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...Amazon Web Services
 
SRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSSRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSAmazon Web Services
 
Running kubernetes with amazon eks
Running kubernetes with amazon eksRunning kubernetes with amazon eks
Running kubernetes with amazon eksyanaisama
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesBATbern
 
使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計Amazon Web Services
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxAWS Chicago
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateAmazon Web Services
 

Similar to Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code (20)

Göteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxGöteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptx
 
AWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfAWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdf
 
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitExecutando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
 
AWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfAWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdf
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
 
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019
 
AWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkata
 
AWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckAWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deck
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
 
Getting-started-with-containers on AWS
Getting-started-with-containers on AWSGetting-started-with-containers on AWS
Getting-started-with-containers on AWS
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
 
SRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSSRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKS
 
Running kubernetes with amazon eks
Running kubernetes with amazon eksRunning kubernetes with amazon eks
Running kubernetes with amazon eks
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless Architectures
 
使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptx
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and Fargate
 

More from All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Building AlmaLinux OS without RHEL sources code
Building AlmaLinux OS without RHEL sources codeBuilding AlmaLinux OS without RHEL sources code
Building AlmaLinux OS without RHEL sources codeAll Things Open
 

More from All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Building AlmaLinux OS without RHEL sources code
Building AlmaLinux OS without RHEL sources codeBuilding AlmaLinux OS without RHEL sources code
Building AlmaLinux OS without RHEL sources code
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code

  • 1. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Control Planes on Kubernetes and Policy Validation Carlos Santana Sr. Specialist Solutions Architect, Kubernetes @csantanapr csantanapr
  • 2. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EKS is the most trusted and secure way to run Kubernetes Amazon EKS AWS is the best place to run Kubernetes. 65% of organizations choose AWS to run their containers. EKS makes Kubernetes operations, administration, and management simple and boring. EKS provides a managed Kubernetes experience for performant, reliable, and secure Kubernetes. EKS supports 5 versions of Kubernetes, giving customers time to test and roll out upgrades. EKS runs vanilla Kubernetes. EKS is upstream and certified conformant version of Kubernetes (with backported security fixes) CNCF State of Cloud Native Development
  • 3. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application
  • 4. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application Amazon S3 Amazon SQS Amazon DynamoDB
  • 5. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application Amazon S3 Amazon SQS Amazon DynamoDB Platform Team
  • 6. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Separation of Concerns I would like to standardize the deployment process for application teams while enforcing organizational standards for cloud. Platform Team Application Teams I would like to have full autonomy of applications and its cloud dependencies deployment lifecycle.
  • 7. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Autonomy vs Standardization A U T O N O M Y LEVEL OF STANDARDIZATION
  • 8. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Disjointed Workflows Adds Developer Overhead How do you get the state of the entire system? How do you debug and remediate issues? How do you pass secrets from one pipeline passed to the other? How do you tear-down all unused resources? Developers Request Database Repo Ticketing System Central Team Code Review Develop Develop RDS Kinesis Load Balancer EBS AWS CDK Platform Team AWS CloudFormation
  • 9. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. 9 Kubernetes to Deploy Cloud Services Developers Repo Code Review RDS Kinesis Load Balancer EBS
  • 10. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Leverage existing workflows for deploying into Kubernetes without maintaining several pipelines Centralized cost, security, and auditing for any cloud resource with OPA or Kyverno, utilize existing RBAC and IRSA Self healing using GitOps for all cloud resources (containers, databases, queues, and streams)
  • 11. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller Developer CI/CD Git EKS Cluster Application Ticketing System Platform Team AWS CDK Amazon S3 Amazon SQS Amazon DynamoDB
  • 12. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller Git Developer CI/CD Kubernetes Application AWS Resource Claim ACK Crossplane Amazon S3 Amazon SQS Amazon DynamoDB
  • 13. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Infrastructure controllers Manage cloud services using Kubernetes API Create your own platform API A single API for Kubernetes and cloud services Declarative infrastructure configuration ACK Crossplane
  • 14. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Where to check? Developer Amazon S3 Amazon SQS Amazon DynamoDB Git Pre Commit CI (Pull Request) CRD Validation Validating Admission Policy Kube API Mutating Webhook Validating Webhook Dynamic Admission Control ACK Crossplane OPA Gatekeeper Kyverno ETCD CD (GitOps) Since 1.26, 1.28 (beta) Gator cli Conftest cli Kyverno cli KubeConform
  • 15. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Local Testing • Rego § opa § gator § conftest • Kyverno • Kubeconform Developer Git Pre Commit CI (Pull Request)
  • 16. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes CRD • CRD Validation Expression • Common Expression Language (CEL) • 1.25 Beta • 1.29 GA (~12/23) KEP 2876 CD (GitOps) CRD Validation Kube API
  • 17. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes CRD
  • 18. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Validating Admission • Validating Admission Policy • Common Expression Language (CEL) • 1.26 Beta • 1.29 GA (~12/23) KEP 3488 Validating Admission Policy Kube API
  • 19. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Validating Admission
  • 20. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Policy Engines • OPA/Gatekeeper § Webhooks, Controller § AWS Config custom rules • Kyverno § Webhooks, Controller § Adapter for EKS Validating Admission Policy Mutating Webhook Validating Webhook Dynamic Admission Control Kube API ETCD OPA Gatekeeper Kyverno AWS Config Amazon EKS
  • 21. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes Infrastructure Controller AWS Account EKS Cluster Developer Platform Team code Deploy CI CD Helm Chart Prometheus Grafana OPA Policy Cost Control OTEL FluentBit Observability Auth Abstraction DB CR Amazon DynamoDB Amazon DynamoDB Crossplane values.yaml dynamodb: enable: true ACK Kyverno
  • 22. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank You carrlos@amazon.com Carlos Santana @csantanapr csantanapr GitHub Repo Demo and Resources