Copyright © SUSE 2021

Slide 1. Kubernetes Policy As Code using WebAssembly
NOVEMBER 2021
Flavio Castelli, Distinguished Engineer, SUSE
Slide 2. Kubernetes security: biggest concerns
[Bar chart of the top concerns, each with its share of respondents. Categories shown: Other, Secrets management, Unpatched CVE in Kubernetes distribution, Control access to the cluster, Securing container images inside CI/CD pipelines, Securing workload at runtime, Applying policies consistently. Shares shown: 1%, 8%, 12%, 17%, 19%, 21%, 23%.]
Source: “The State of Kubernetes 2021” - VMware, June 2021
Slide 3. Kubernetes Policy As Code
— Role Based Access Control (RBAC)
— Pod Security Policy (PSP)
— Network Policy
— Admission Controller
Slide 4. Admission Controller: overview
[Diagram: the admission controller receives the request as a JSON object, runs its business logic over it, and returns one of three outcomes: Accept, Reject, or Mutate.]
Slide 5. Who is responsible for Kubernetes’ security?
[Bar chart. Roles shown, in chart order: DevOps, Ops, DevSecOps, Security, Developer. Shares shown, in chart order: 27%, 21%, 18%, 18%, 15%.]
Source: “State of Kubernetes Security” – Red Hat, June 2021
Slide 6. Introducing Kubewarden
A policy engine for Kubernetes. Its mission is to simplify the adoption of Policy As Code.
Slide 7. Feel immediately productive (Policy Authors)
Slides 8-10. Validation
Slide 11. Leverage SDKs (Policy Authors)
Slide 12. Mutation
Slide 13. Policy configuration
Slide 14. Validation of Policy configuration
Slide 15. Treat policies as regular code (Policy Authors)
Slide 16. Reuse known tools
Slide 17. Integrate into CI/CD systems
Slide 18. How is that done?
Slide 19. What is WebAssembly?
[Diagram: a WebAssembly module (Wasm).]
Slide 20. What is WebAssembly? Polyglot
[Diagram: a WebAssembly module (Wasm) can be built from C, C++, Rust, JavaScript, Go, Swift, …]
Slide 21. What is WebAssembly? Small
WebAssembly module (Wasm) sizes shown: Go 300 Kb, Rust 1.5 Mb
Slide 22. What is WebAssembly? Portable
[Diagram: the same WebAssembly module (Wasm) runs on x86_64, ARM64, ...; on Linux, Windows, macOS; in the browser or in a Wasm runtime.]
Slide 23. What is WebAssembly? Secure
Slide 24. What is WebAssembly? Secure
[Diagram: several sandboxes inside one host process, each Wasm module running in its own sandbox.]
— Memory safety
— Control-flow integrity
— Runtime isolation
More details here
Slide 25. Integrate with existing processes and tools (Kubernetes Operators)
Slide 26. Policy distribution
[Diagram: a Kubewarden native policy is stored in an OCI Registry, like a container image, and distributed from there to Kubernetes clusters.]
Slide 27. Observability: tracing
Slide 28. Observability: metrics
Slide 29. Provide flexibility, not complexity (Kubernetes Operators, Policy Authors)
Slide 30. OPA and Gatekeeper
— First Policy engine for Kubernetes
— Policies written using Rego
[Diagram: policy.rego is compiled with `opa build -t wasm` into policy.wasm.]
Slide 31. Kubewarden: the Universal Policy Platform
[Diagram: the Kubewarden Policy Server runs policy #1, policy #2 and policy #3, each in its own Wasm runtime. Policies are pulled from an OCI Registry and can be Kubewarden native policies, Kubewarden OPA policies, or Kubewarden Gatekeeper policies.]
Slide 32. Live Demo
Slide 33. How to get involved
— Main website: https://kubewarden.io
— Policy Hub: https://hub.kubewarden.io
— GitHub: kubewarden organization
— Slack: "kubewarden" channel on Kubernetes workspace
— Twitter: @kubewarden
Slide 34. Thank You
SEPTEMBER 2021
© 2020 SUSE LLC. All Rights Reserved. SUSE and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners.
For more information, contact SUSE at:
+1 800 796 3700 (U.S./Canada)
Maxfeldstrasse 5
90409 Nuremberg
www.suse.com
