© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Control Planes on Kubernetes and Policy Validation
Carlos Santana
Sr. Specialist Solutions Architect, Kubernetes
@csantanapr
csantanapr
Amazon EKS is the most trusted and secure way to run Kubernetes
Amazon EKS
AWS is the best place to run Kubernetes. 65% of organizations choose AWS to run their containers.
EKS makes Kubernetes operations, administration, and management simple and boring.
EKS provides a managed Kubernetes experience for performant, reliable, and secure Kubernetes.
EKS supports 5 versions of Kubernetes, giving customers time to test and roll out upgrades.
EKS runs vanilla Kubernetes. EKS is an upstream, certified-conformant version of Kubernetes (with backported security fixes).
CNCF State of Cloud Native Development
Deploy Kubernetes Applications
Diagram: Developer, Git, CI/CD, and the Application running on Kubernetes.
Deploy Kubernetes Applications
Diagram: Developer, Git, CI/CD, and the Application running on Kubernetes, which depends on Amazon S3, Amazon SQS, and Amazon DynamoDB.
Deploy Kubernetes Applications
Diagram: Developer, Git, CI/CD, and the Application running on Kubernetes, which depends on Amazon S3, Amazon SQS, and Amazon DynamoDB; a Platform Team sits between the application and the cloud resources.
Separation of Concerns
Platform Team: "I would like to standardize the deployment process for application teams while enforcing organizational standards for cloud."
Application Teams: "I would like to have full autonomy over the deployment lifecycle of applications and their cloud dependencies."
Autonomy vs Standardization
Chart: autonomy on the vertical axis against level of standardization on the horizontal axis.
Disjointed Workflows Add Developer Overhead
• How do you get the state of the entire system?
• How do you debug and remediate issues?
• How do you pass secrets from one pipeline to the other?
• How do you tear down all unused resources?
Diagram: developers request a database through a repo, code review, and a ticketing system handled by a central team, then go back to developing; the platform team provisions RDS, Kinesis, Load Balancer, and EBS through AWS CDK and AWS CloudFormation.
Kubernetes to Deploy Cloud Services
Diagram: developers, repo, and code review feeding the cloud services RDS, Kinesis, Load Balancer, and EBS.
• Leverage existing workflows for deploying into Kubernetes without maintaining several pipelines
• Centralized cost, security, and auditing for any cloud resource with OPA or Kyverno; utilize existing RBAC and IRSA
• Self-healing using GitOps for all cloud resources (containers, databases, queues, and streams)
Kubernetes Infrastructure Controller
Diagram: Developer, Git, CI/CD, and the Application on the EKS Cluster; the Platform Team, a Ticketing System, and AWS CDK on the path to Amazon S3, Amazon SQS, and Amazon DynamoDB.
Kubernetes Infrastructure Controller
Diagram: Developer, Git, CI/CD, and the Application on Kubernetes declare an AWS Resource Claim that ACK or Crossplane reconciles into Amazon S3, Amazon SQS, and Amazon DynamoDB.
Infrastructure controllers
• Manage cloud services using the Kubernetes API
• Create your own platform API
• A single API for Kubernetes and cloud services
• Declarative infrastructure configuration
Examples: ACK, Crossplane
Where to check?
Diagram: checkpoints along the path from Developer to Git (pre-commit), CI (pull request), CD (GitOps), and the Kube API, where resources for Amazon S3, Amazon SQS, and Amazon DynamoDB (reconciled by ACK or Crossplane) pass CRD Validation, Validating Admission Policy (since 1.26, 1.28 beta), and Dynamic Admission Control (Mutating Webhook and Validating Webhook: OPA Gatekeeper, Kyverno) before being persisted to ETCD. Local CLIs: Gator cli, Conftest cli, Kyverno cli, KubeConform.
Local Testing
• Rego
§ opa
§ gator
§ conftest
• Kyverno
• Kubeconform
Diagram: Developer, Git (Pre-Commit), CI (Pull Request).
Kubernetes CRD
• CRD Validation Expression
• Common Expression Language (CEL)
• 1.25 Beta
• 1.29 GA (~12/23) KEP 2876
Diagram: CD (GitOps) to the Kube API, where CRD Validation runs.
Kubernetes CRD
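An added example (not from the deck or its repo) of CEL rules in a CRD: a hypothetical platform claim `DynamoDBClaim` in the made-up group `platform.example.com`, where the API server itself rejects invalid objects on create and update before any webhook or controller sees them. Group, kind, and field names are assumptions; the `oldSelf` transition rule is only evaluated on updates.

```yaml
# Added example: hypothetical claim CRD with x-kubernetes-validations (CEL).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: dynamodbclaims.platform.example.com
spec:
  group: platform.example.com
  scope: Namespaced
  names:
    kind: DynamoDBClaim
    plural: dynamodbclaims
    singular: dynamodbclaim
  versions:
  - name: v1alpha1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [tableName, billingMode, tags]
            # CEL rules evaluated by the API server on every create and update,
            # before any admission webhook or controller sees the object.
            x-kubernetes-validations:
            # PROVISIONED needs explicit capacity; PAY_PER_REQUEST must not set it.
            - rule: "self.billingMode == 'PROVISIONED' ? (has(self.readCapacity) && has(self.writeCapacity)) : (!has(self.readCapacity) && !has(self.writeCapacity))"
              message: "readCapacity and writeCapacity are required with PROVISIONED and forbidden with PAY_PER_REQUEST"
            # Transition rule: only evaluated on UPDATE, where oldSelf is available.
            - rule: "self.tableName == oldSelf.tableName"
              message: "tableName is immutable"
            properties:
              tableName:
                type: string
                maxLength: 255
                pattern: "^[a-zA-Z0-9_.-]+$"
              billingMode:
                type: string
                enum: [PROVISIONED, PAY_PER_REQUEST]
              readCapacity:
                type: integer
                minimum: 1
                maximum: 1000
              writeCapacity:
                type: integer
                minimum: 1
                maximum: 1000
              region:
                type: string
              pointInTimeRecovery:
                type: boolean
                default: false
              tags:
                type: object
                additionalProperties:
                  type: string
                # Cost-control rule on the map itself: a cost-center tag is mandatory.
                x-kubernetes-validations:
                - rule: "'cost-center' in self && self['cost-center'] != ''"
                  message: "tags must include a non-empty cost-center"
```

Rules that belong to the resource's own shape (capacity depends on billing mode, immutability) live in the CRD; organizational rules that may change per environment are better placed in admission policy so the CRD does not have to be re-released.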
Validating Admission
• Validating Admission Policy
• Common Expression Language (CEL)
• 1.26 Beta
• 1.29 GA (~12/23) KEP 3488
Diagram: Kube API with Validating Admission Policy.
Validating Admission
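An added example (not the deck's own) of a ValidatingAdmissionPolicy plus binding that enforces organizational standards on the hypothetical `platform.example.com` claims in namespaces labelled `environment: prod`, with no webhook to operate. The `admissionregistration.k8s.io/v1beta1` API is the beta API referenced on the "Where to check?" slide and has to be enabled explicitly on 1.28; `variables` needs 1.28 or newer; schema (CRD) validation runs before validating admission, so `object.spec.tableName` can be assumed present.

```yaml
# Added example: in-process admission policy written in CEL, no webhook needed.
apiVersion: admissionregistration.k8s.io/v1beta1   # v1 on clusters where the feature is GA
kind: ValidatingAdmissionPolicy
metadata:
  name: prod-dynamodb-standards.platform.example.com
spec:
  failurePolicy: Fail            # an expression error rejects the request instead of admitting it
  matchConstraints:
    resourceRules:
    - apiGroups:   ["platform.example.com"]
      apiVersions: ["*"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["dynamodbclaims"]
  variables:
  # Computed once per request and reusable in every expression below.
  - name: ns
    expression: "object.metadata.namespace"
  validations:
  # Standard 1: production tables must have point-in-time recovery enabled.
  - expression: "has(object.spec.pointInTimeRecovery) && object.spec.pointInTimeRecovery == true"
    message: "spec.pointInTimeRecovery must be true for production claims"
    reason: Invalid
  # Standard 2: table names are prefixed with the owning team's namespace.
  - expression: "object.spec.tableName.startsWith(variables.ns + '-')"
    messageExpression: "'spec.tableName must start with ' + variables.ns + '-'"
  # Standard 3: only approved regions (field is optional in the claim).
  - expression: "!has(object.spec.region) || object.spec.region in ['us-east-1', 'eu-west-1']"
    message: "spec.region must be one of the approved regions"
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: prod-dynamodb-standards-binding
spec:
  policyName: prod-dynamodb-standards.platform.example.com
  # Deny the request and also record the violation as an audit annotation.
  validationActions: [Deny, Audit]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: prod
```

Binding the same policy a second time with `validationActions: [Audit]` and a broader selector is a low-risk way to measure violations before turning on Deny.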
Policy Engines
• OPA/Gatekeeper
§ Webhooks, Controller
§ AWS Config custom rules
• Kyverno
§ Webhooks, Controller
§ Adapter for EKS
Diagram: Kube API with Validating Admission Policy and Dynamic Admission Control (Mutating Webhook and Validating Webhook: OPA Gatekeeper, Kyverno) in front of ETCD; AWS Config and Amazon EKS alongside.
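An added example (not the deck's own) of the same production standard expressed for a webhook-based policy engine, here a Kyverno ClusterPolicy on the hypothetical `platform.example.com/v1alpha1/DynamoDBClaim` kind; because it is a plain manifest it can also be checked before commit with the Kyverno CLI listed on the Local Testing slide (`kyverno apply policy.yaml --resource claim.yaml`).

```yaml
# Added example: Kyverno validate rule enforced by the Kyverno admission webhook.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: dynamodbclaim-prod-standards
spec:
  validationFailureAction: Enforce   # Audit would only report, not block
  background: true                   # also scan existing claims into policy reports
  rules:
  - name: require-cost-center-and-pitr
    match:
      any:
      - resources:
          kinds:
          - platform.example.com/v1alpha1/DynamoDBClaim   # hypothetical kind
          namespaceSelector:
            matchLabels:
              environment: prod
    validate:
      message: "production DynamoDB claims need a cost-center tag and pointInTimeRecovery: true"
      pattern:
        spec:
          pointInTimeRecovery: true
          tags:
            cost-center: "?*"   # any non-empty value
```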
Kubernetes Infrastructure Controller
Diagram: inside an AWS Account, the Platform Team and the Developer deploy code to the EKS Cluster through CI/CD with a Helm Chart; the cluster runs Prometheus and Grafana, OTEL and FluentBit (Observability), OPA and Kyverno (Policy, Cost Control), Auth, and an Abstraction layer where a DB CR reconciled by Crossplane or ACK creates Amazon DynamoDB from the chart's values.yaml:
dynamodb:
  enable: true
Thank You
carrlos@amazon.com
Carlos Santana
@csantanapr
csantanapr
GitHub Repo
Demo and Resources

More Related Content

Similar to Control Planes on Kubernetes and Policy Validation

Göteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxGöteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxAritra Nag
 
AWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfAWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfRohini Gaonkar
 
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS -  DEV303 - Sao Paulo SummitExecutando Kubernetes com Amazon EKS -  DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo SummitAmazon Web Services
 
AWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfAWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfHeitor Lessa
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...Amazon Web Services Japan
 
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019Amazon Web Services
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019AWS Summits
 
AWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAritra Nag
 
AWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckAWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckSammy Cheung
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Web Services
 
Getting-started-with-containers on AWS
Getting-started-with-containers on AWSGetting-started-with-containers on AWS
Getting-started-with-containers on AWSAmazon Web Services
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...Amazon Web Services
 
SRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSSRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSAmazon Web Services
 
Running kubernetes with amazon eks
Running kubernetes with amazon eksRunning kubernetes with amazon eks
Running kubernetes with amazon eksyanaisama
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesBATbern
 
使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計Amazon Web Services
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxAWS Chicago
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateAmazon Web Services
 

Similar to Control Planes on Kubernetes and Policy Validation (20)

Göteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptxGöteborg Reinvent 2023_Aritra_updated.pptx
Göteborg Reinvent 2023_Aritra_updated.pptx
 
AWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdfAWS re-Invent re-Cap general deck 2022-2023 .pdf
AWS re-Invent re-Cap general deck 2022-2023 .pdf
 
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS -  DEV303 - Sao Paulo SummitExecutando Kubernetes com Amazon EKS -  DEV303 - Sao Paulo Summit
Executando Kubernetes com Amazon EKS - DEV303 - Sao Paulo Summit
 
AWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdfAWS Lambda Powertools walkthrough.pdf
AWS Lambda Powertools walkthrough.pdf
 
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
20191127 AWS Black Belt Online Seminar Amazon CloudWatch Container Insights で...
 
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
Deploying Microservices using AWS Fargate (CON315-R1) - AWS re:Invent 2018
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019
 
From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019From Code to a running container | AWS Summit Tel Aviv 2019
From Code to a running container | AWS Summit Tel Aviv 2019
 
AWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkataAWS ReInvent 2023 Recap: AWS User GroupKolkata
AWS ReInvent 2023 Recap: AWS User GroupKolkata
 
AWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deckAWS reInvent 2023 re:Cap services Slide deck
AWS reInvent 2023 re:Cap services Slide deck
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
 
Getting-started-with-containers on AWS
Getting-started-with-containers on AWSGetting-started-with-containers on AWS
Getting-started-with-containers on AWS
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
 
SRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKSSRV318 Running Kubernetes with Amazon EKS
SRV318 Running Kubernetes with Amazon EKS
 
Running kubernetes with amazon eks
Running kubernetes with amazon eksRunning kubernetes with amazon eks
Running kubernetes with amazon eks
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless Architectures
 
使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計使用 Amazon EKS 打造高效的服務架構設計
使用 Amazon EKS 打造高效的服務架構設計
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptx
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and Fargate
 

More from Carlos Santana

Building a Bridge between Terraform and ArgoCD
Building a Bridge between Terraform and ArgoCDBuilding a Bridge between Terraform and ArgoCD
Building a Bridge between Terraform and ArgoCDCarlos Santana
 
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Carlos Santana
 
NodeJS Serverless backends for your frontends
NodeJS Serverless backends for your frontendsNodeJS Serverless backends for your frontends
NodeJS Serverless backends for your frontendsCarlos Santana
 
OpenWhisk Meetup - Austin, TX 07/2017
OpenWhisk Meetup - Austin, TX 07/2017OpenWhisk Meetup - Austin, TX 07/2017
OpenWhisk Meetup - Austin, TX 07/2017Carlos Santana
 
Shark Tank OpenWhisk Incubating at ApacheCon 2017
Shark Tank OpenWhisk Incubating at ApacheCon 2017Shark Tank OpenWhisk Incubating at ApacheCon 2017
Shark Tank OpenWhisk Incubating at ApacheCon 2017Carlos Santana
 
OpenWhisk: Where Did My Servers Go?
OpenWhisk: Where Did My Servers Go?OpenWhisk: Where Did My Servers Go?
OpenWhisk: Where Did My Servers Go?Carlos Santana
 
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSU
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSUHow to contribute to Serverless Apache OpenWhisk OpenSource101 NCSU
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSUCarlos Santana
 

More from Carlos Santana (7)

Building a Bridge between Terraform and ArgoCD
Building a Bridge between Terraform and ArgoCDBuilding a Bridge between Terraform and ArgoCD
Building a Bridge between Terraform and ArgoCD
 
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
 
NodeJS Serverless backends for your frontends
NodeJS Serverless backends for your frontendsNodeJS Serverless backends for your frontends
NodeJS Serverless backends for your frontends
 
OpenWhisk Meetup - Austin, TX 07/2017
OpenWhisk Meetup - Austin, TX 07/2017OpenWhisk Meetup - Austin, TX 07/2017
OpenWhisk Meetup - Austin, TX 07/2017
 
Shark Tank OpenWhisk Incubating at ApacheCon 2017
Shark Tank OpenWhisk Incubating at ApacheCon 2017Shark Tank OpenWhisk Incubating at ApacheCon 2017
Shark Tank OpenWhisk Incubating at ApacheCon 2017
 
OpenWhisk: Where Did My Servers Go?
OpenWhisk: Where Did My Servers Go?OpenWhisk: Where Did My Servers Go?
OpenWhisk: Where Did My Servers Go?
 
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSU
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSUHow to contribute to Serverless Apache OpenWhisk OpenSource101 NCSU
How to contribute to Serverless Apache OpenWhisk OpenSource101 NCSU
 

Recently uploaded

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Control Planes on Kubernetes and Policy Validation

  • 1. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Control Planes on Kubernetes and Policy Validation Carlos Santana Sr. Specialist Solutions Architect, Kubernetes @csantanapr csantanapr
  • 2. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EKS is the most trusted and secure way to run Kubernetes Amazon EKS AWS is the best place to run Kubernetes. 65% of organizations choose AWS to run their containers. EKS makes Kubernetes operations, administration, and management simple and boring. EKS provides a managed Kubernetes experience for performant, reliable, and secure Kubernetes. EKS supports 5 versions of Kubernetes, giving customers time to test and roll out upgrades. EKS runs vanilla Kubernetes. EKS is upstream and certified conformant version of Kubernetes (with backported security fixes) CNCF State of Cloud Native Development
  • 3. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application
  • 4. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy Kubernetes Applications Developer CI/CD Git Kubernetes Application Amazon S3 Amazon SQS Amazon DynamoDB
  • 5. Deploy Kubernetes Applications (diagram labels: Developer, CI/CD, Git, Kubernetes, Application, Amazon S3, Amazon SQS, Amazon DynamoDB, Platform Team)
  • 6. Separation of Concerns. Platform Team: "I would like to standardize the deployment process for application teams while enforcing organizational standards for cloud." Application Teams: "I would like to have full autonomy over the deployment lifecycle of our applications and their cloud dependencies."
  • 7. Autonomy vs Standardization (chart: autonomy on one axis against level of standardization on the other)
  • 8. Disjointed Workflows Add Developer Overhead. How do you get the state of the entire system? How do you debug and remediate issues? How do you pass secrets from one pipeline to the other? How do you tear down all unused resources? (diagram labels: Developers, Request Database, Repo, Ticketing System, Central Team, Code Review, Develop, RDS, Kinesis, Load Balancer, EBS, AWS CDK, Platform Team, AWS CloudFormation)
  • 9. Kubernetes to Deploy Cloud Services (diagram labels: Developers, Repo, Code Review, RDS, Kinesis, Load Balancer, EBS)
  • 10. Leverage existing workflows for deploying into Kubernetes without maintaining several pipelines; centralize cost, security and auditing for any cloud resource with OPA or Kyverno, reusing the existing Kubernetes RBAC and IRSA (IAM Roles for Service Accounts) for identity; self-healing through GitOps for all cloud resources (containers, databases, queues and streams).
  • 11. Kubernetes Infrastructure Controller (diagram labels: Developer, CI/CD, Git, EKS Cluster, Application, Ticketing System, Platform Team, AWS CDK, Amazon S3, Amazon SQS, Amazon DynamoDB)
  • 12. Kubernetes Infrastructure Controller (diagram labels: Git, Developer, CI/CD, Kubernetes, Application, AWS Resource Claim, ACK, Crossplane, Amazon S3, Amazon SQS, Amazon DynamoDB)
  • 13. Infrastructure controllers (ACK, that is AWS Controllers for Kubernetes, and Crossplane): manage cloud services through the Kubernetes API; create your own platform API; a single API for Kubernetes and cloud services; declarative infrastructure configuration.
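Added example, not from the deck and not ACK's own sample: the kind of AWS resource claim from slide 12 that a developer commits to Git when the platform runs ACK. The bucket, namespace, labels and KMS alias are made up; the spec field names follow the ACK S3 controller's Bucket CRD as I know it, so confirm them against the installed CRD with kubectl explain before relying on them.

```yaml
# Added example (not from the talk). Assumes the ACK S3 controller is installed
# and its service account has an IRSA role allowed to manage buckets.
# Field names follow the ACK Bucket CRD as I know it; verify with:
#   kubectl explain bucket.spec --api-version s3.services.k8s.aws/v1alpha1
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: orders-archive           # Kubernetes object name (assumed)
  namespace: team-orders         # assumed team namespace
  labels:
    team: orders                 # admission policy can key cost/ownership off this
spec:
  name: acme-orders-archive-prod-us-east-1   # physical bucket name, globally unique (assumed)
  publicAccessBlock:             # all four must be true for a private bucket
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
  encryption:
    rules:
      - applyServerSideEncryptionByDefault:
          sseAlgorithm: aws:kms
          kmsMasterKeyID: alias/orders-archive   # assumed KMS key alias
        bucketKeyEnabled: true
  versioning:
    status: Enabled
  tagging:
    tagSet:
      - key: team
        value: orders
      - key: cost-center
        value: "1234"
```

Once applied, the ACK controller reconciles the object and reports progress under status.conditions (condition type ACK.ResourceSynced); kubectl get bucket orders-archive -n team-orders -o yaml shows it. The publicAccessBlock, encryption and team label are exactly the fields the admission checks later in the deck can test, which is the point of expressing the bucket as a Kubernetes object: the API server sees it before AWS does.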
  • 14. Where to check? The same manifest can be validated at every stage on its way from the developer to the cluster: Git pre-commit; CI on the pull request; CD (GitOps); and inside the Kube API server: CRD validation, ValidatingAdmissionPolicy (since 1.26, beta in 1.28), then dynamic admission control through the mutating and validating webhooks (OPA Gatekeeper, Kyverno) before the object is written to etcd, from where ACK or Crossplane reconcile it into Amazon S3, Amazon SQS or Amazon DynamoDB. CLI tools for the pre-commit and CI stages: gator, conftest, the kyverno CLI, kubeconform. (Inside the API server the mutating webhooks run before schema and CRD validation, and ValidatingAdmissionPolicy runs before the validating webhooks, so a webhook always sees an object that already passed the schema.)
  • 15. Local Testing (developer, Git pre-commit, CI on the pull request): Rego policies with opa, gator and conftest; Kyverno policies with the kyverno CLI; schema validation with kubeconform.
  • 16. Kubernetes CRD: CRD validation expressions (x-kubernetes-validations) written in Common Expression Language (CEL); beta in 1.25, GA in 1.29 (~12/23); KEP 2876. Evaluated by the Kube API server's CRD validation when the CD (GitOps) tool applies the manifest.
  • 17. Kubernetes CRD (example slide)
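Added example of CRD validation rules, not from the deck: a platform-team Database API of the kind slide 13 describes ("create your own platform API"), with CEL rules in x-kubernetes-validations. The group platform.example.com, the Database kind and its fields are assumptions; the rule syntax is the standard apiextensions.k8s.io/v1 form.

```yaml
# Added example (not from the talk). The API group, kind and fields are assumed.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: databases.platform.example.com
spec:
  group: platform.example.com
  names:
    kind: Database
    plural: databases
    singular: database
  scope: Namespaced
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required: [spec]
          properties:
            spec:
              type: object
              required: [engine, size, team]
              properties:
                engine:
                  type: string
                  enum: [postgres, mysql]          # plain schema checks catch the cheap cases
                size:
                  type: string
                  enum: [small, medium, large]
                team:
                  type: string
                  minLength: 1
                  maxLength: 63                     # bounded length keeps CEL cost estimates low
                  pattern: '^[a-z0-9-]+$'
                publiclyAccessible:
                  type: boolean
                  default: false                    # secure default when the field is omitted
                deletionProtection:
                  type: boolean
                  default: true
              x-kubernetes-validations:
                # transition rule: only evaluated on UPDATE, where oldSelf exists
                - rule: "self.engine == oldSelf.engine"
                  message: "engine is immutable; create a new Database to change it"
                # cross-field rules the OpenAPI schema alone cannot express
                - rule: "!self.publiclyAccessible"
                  message: "databases must not be publicly accessible"
                - rule: "self.size != 'large' || self.deletionProtection"
                  message: "large databases must keep deletionProtection enabled"
```

On create the rule that references oldSelf is skipped, since there is no old object, so it only blocks changing engine on update. kubeconform and the OpenAPI schema catch the enum and pattern errors locally, but the CEL rules run only inside the API server, so to exercise them before merge use kubectl apply --dry-run=server against a test cluster. Every rule also gets a static cost estimate, and rules over unbounded strings or lists can be rejected at CRD creation unless the schema sets maxLength or maxItems.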
  • 18. Validating Admission: ValidatingAdmissionPolicy written in Common Expression Language (CEL); alpha in 1.26, beta in 1.28, GA in 1.30 (projected as 1.29, ~12/23, when this talk was given); KEP 3488. Evaluated by the Kube API server before any admission webhook.
  • 19. Validating Admission (example slide)
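Added example of a ValidatingAdmissionPolicy, not from the deck: CEL rules the API server evaluates against ACK Bucket objects on create and update, without a webhook in the path. The Bucket field names are those of the ACK S3 controller as I know them (confirm with kubectl explain); the excluded namespace and the bucket-name prefix convention are assumptions; admissionregistration.k8s.io/v1 requires Kubernetes 1.30, and on 1.28 or 1.29 the same manifest works as v1beta1.

```yaml
# Added example (not from the talk). ACK field names assumed from the Bucket CRD;
# use admissionregistration.k8s.io/v1beta1 on Kubernetes 1.28 and 1.29.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: ack-bucket-baseline
spec:
  failurePolicy: Fail             # a CEL runtime error also denies the request
  matchConstraints:
    resourceRules:
      - apiGroups: ["s3.services.k8s.aws"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["buckets"]
  validations:
    - expression: "has(object.metadata.labels) && 'team' in object.metadata.labels"
      message: "buckets must carry a team label for cost attribution"
      reason: Invalid
    # has() guards every optional field; a bare access to a missing key is an error,
    # which failurePolicy: Fail would turn into a denial with an unhelpful message
    - expression: >-
        has(object.spec.publicAccessBlock) &&
        has(object.spec.publicAccessBlock.blockPublicACLs) && object.spec.publicAccessBlock.blockPublicACLs &&
        has(object.spec.publicAccessBlock.blockPublicPolicy) && object.spec.publicAccessBlock.blockPublicPolicy &&
        has(object.spec.publicAccessBlock.ignorePublicACLs) && object.spec.publicAccessBlock.ignorePublicACLs &&
        has(object.spec.publicAccessBlock.restrictPublicBuckets) && object.spec.publicAccessBlock.restrictPublicBuckets
      message: "all four publicAccessBlock settings must be true"
    - expression: "has(object.spec.encryption)"
      message: "bucket must declare server-side encryption"
    # assumed naming convention: physical bucket names are prefixed with the namespace
    - expression: "object.spec.name.startsWith(object.metadata.namespace + '-')"
      messageExpression: "'bucket name must start with ' + object.metadata.namespace + '-'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: ack-bucket-baseline
spec:
  policyName: ack-bucket-baseline
  validationActions: [Deny, Audit]   # start with [Warn, Audit] while measuring impact
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name   # label the API server puts on every namespace
          operator: NotIn
          values: [platform-system]          # assumed platform-owned namespace
```

Roll the binding out with validationActions: [Warn, Audit] first: Warn returns the message to kubectl without denying, Audit records it in the audit log, and switching to Deny once existing objects are clean avoids breaking running GitOps syncs. failurePolicy: Fail means a CEL runtime error (for instance a type mismatch after the controller renames a field) also denies the request, which is the safe default for a guardrail but worth remembering when a deny message makes no sense.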
  • 20. Policy Engines. OPA/Gatekeeper: webhooks and controller; AWS Config custom rules. Kyverno: webhooks and controller; adapter for EKS. (diagram labels: Validating Admission Policy, Mutating Webhook, Validating Webhook, Dynamic Admission Control, Kube API, ETCD, OPA Gatekeeper, Kyverno, AWS Config, Amazon EKS)
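Added example, not from the deck and not Kyverno's own sample, serving both slide 15 (local testing) and slide 20 (policy engines): a Kyverno ClusterPolicy for ACK resources together with the Kyverno CLI test that runs it in pre-commit and CI with no cluster. Three files are shown in one block separated by comments; the policy and resource names are made up, the Bucket fields follow the ACK S3 controller's CRD as I know it, and the Test schema is the cli.kyverno.io/v1alpha1 form used by the 1.11 CLI, which changed across releases, so check it against the CLI you run.

```yaml
# --- policy.yaml ---------------------------------------------------------
# Added example (not from the talk). ACK kinds and field names assumed from the CRDs.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cloud-resource-baseline
spec:
  validationFailureAction: Enforce   # deny at admission; Audit only reports
  background: true                   # also scan existing objects into PolicyReports
  rules:
    - name: require-team-label
      match:
        any:
          - resources:
              kinds:
                - s3.services.k8s.aws/v1alpha1/Bucket
                - dynamodb.services.k8s.aws/v1alpha1/Table
      validate:
        message: "Cloud resources must carry a team label for cost attribution."
        pattern:
          metadata:
            labels:
              team: "?*"             # any non-empty value
    - name: block-public-buckets
      match:
        any:
          - resources:
              kinds:
                - s3.services.k8s.aws/v1alpha1/Bucket
      validate:
        message: "S3 buckets must block all four kinds of public access."
        pattern:                     # a field missing from the object fails the pattern
          spec:
            publicAccessBlock:
              blockPublicACLs: true
              blockPublicPolicy: true
              ignorePublicACLs: true
              restrictPublicBuckets: true
---
# --- resources.yaml (constructed test inputs) -----------------------------
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: good-bucket
  namespace: team-orders
  labels:
    team: orders
spec:
  name: acme-orders-good-bucket
  publicAccessBlock:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
---
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: bad-bucket                   # no team label, incomplete public access block
  namespace: team-orders
spec:
  name: acme-orders-bad-bucket
  publicAccessBlock:
    blockPublicACLs: true
---
# --- kyverno-test.yaml ----------------------------------------------------
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: cloud-resource-baseline
policies:
  - policy.yaml
resources:
  - resources.yaml
results:
  - policy: cloud-resource-baseline
    rule: require-team-label
    kind: Bucket
    resources: [good-bucket]
    result: pass
  - policy: cloud-resource-baseline
    rule: require-team-label
    kind: Bucket
    resources: [bad-bucket]
    result: fail
  - policy: cloud-resource-baseline
    rule: block-public-buckets
    kind: Bucket
    resources: [good-bucket]
    result: pass
  - policy: cloud-resource-baseline
    rule: block-public-buckets
    kind: Bucket
    resources: [bad-bucket]
    result: fail
```

Running kyverno test . in the directory holding the three files evaluates every expectation and exits non-zero on a mismatch, which is what a pre-commit hook or pull-request check needs. The same ClusterPolicy applied to the cluster runs in Kyverno's validating webhook, so the rule tested locally is the rule enforced at admission; background: true additionally reports already-existing violators in PolicyReports without blocking them.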
  • 21. Kubernetes Infrastructure Controller (reference architecture diagram labels: AWS Account, EKS Cluster, Developer, Platform Team, code, Deploy, CI, CD, Helm Chart, Prometheus, Grafana, OPA Policy, Cost Control, OTEL, FluentBit, Observability, Auth, Abstraction, DB CR, Amazon DynamoDB, Crossplane, ACK, Kyverno; the application's values.yaml opts into the database with dynamodb: enable: true)
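Added example, not from the deck: the Helm abstraction slide 21 sketches, where the platform chart turns dynamodb: enable: true in values.yaml into an ACK DynamoDB Table that already satisfies the guardrails. The chart layout and value names are assumptions; the Table spec fields are those of the ACK DynamoDB controller as I know them.

```yaml
# --- values.yaml (platform defaults; application teams override per environment)
# Added example (not from the talk); value names are assumed.
dynamodb:
  enable: false
  tableName: ""        # empty means "derive from namespace and release name"
  hashKey: id
team: ""               # required; copied onto every generated resource

# --- templates/dynamodb-table.yaml
# Renders an ACK Table only when the application opts in. Encryption, billing
# mode and tags are decided by the platform chart, not by the application.
{{- if .Values.dynamodb.enable }}
apiVersion: dynamodb.services.k8s.aws/v1alpha1
kind: Table
metadata:
  name: {{ .Release.Name }}-table
  labels:
    team: {{ required "set .Values.team so policy can attribute this resource" .Values.team | quote }}
spec:
  tableName: {{ default (printf "%s-%s" .Release.Namespace .Release.Name) .Values.dynamodb.tableName | quote }}
  billingMode: PAY_PER_REQUEST
  attributeDefinitions:
    - attributeName: {{ .Values.dynamodb.hashKey | quote }}
      attributeType: S
  keySchema:
    - attributeName: {{ .Values.dynamodb.hashKey | quote }}
      keyType: HASH
  sseSpecification:
    enabled: true
    sseType: KMS
  tags:
    - key: team
      value: {{ .Values.team | quote }}
{{- end }}
```

The team value is marked required, so helm template fails fast when an application forgets it instead of producing a resource the admission policy would reject at sync time. Encryption, billing mode and tags are fixed by the chart, which is how the platform team keeps the standardization of slide 7 while the application team keeps the autonomy to opt in with one line of values.yaml.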
  • 22. Thank You. carrlos@amazon.com, Carlos Santana, @csantanapr, csantanapr. GitHub Repo: Demo and Resources.