SS
Uploaded bySaim Safder
PPTX, PDF774 views

Securing and Automating Kubernetes with Kyverno

Kyverno is a Kubernetes-native policy management tool that simplifies the management of complex Kubernetes configurations through declarative policies. It allows for validation, mutation, and generation of configurations while supporting all Kubernetes resource types. The tool is designed for ease of use, making it accessible for users to adopt and implement best practices in Kubernetes environments.

Technology
In this document
Powered by AI

Introduction to Kyverno as a Kubernetes native policy management tool. Overview of presentation structure including topics like use cases and roadmap.

Kyverno is a policy engine for Kubernetes using native resources. Importance of policies in managing complex configurations in Kubernetes and the role of admission controllers.

Key advantages of using Kyverno: declarative policies, easy validation, mutation functions, support for all resource types, and alignment with Kubernetes best practices.

Comparison of Kyverno and OPA through a practical example. Outlining components of Kyverno policies, including kinds, names, selector options, and user roles.

How Kyverno operates: Mutate, Validate, and Generate features explained through methods such as JSON Patch and conditionals. Triggers and patterns for desired state matching.

Discussion of policy reports and advanced features of Kyverno like external lookups, deny rules, and automated generation for CI/CD.

Examples of Kyverno application: security validation, RBAC, multi-tenancy, auto-labeling, and sidecar injection.

Introduction to Pod Security Policies (PSP) and Kyverno's alignment with new pod security levels being developed.

Roadmap for Kyverno highlighting major upcoming features and community contribution avenues through GitHub and Slack.

Summary of the key takeaways regarding the usefulness of policies in Kubernetes, ease of use of Kyverno, and an invitation for users to install and provide feedback.

Embed presentation

Downloaded 28 times
Kyverno Kubernetes Native Policy Management nirmata
2 Kyverno - Kubernetes Native Policy Management • Why Kyverno • How it works • Use Cases • Roadmap • Q&A
3 What is Kyverno? • A policy engine designed for Kubernetes • Uses Kubernetes resources, patterns, idioms • Familiar to Kubernetes users
4 Why Policies? • Kubernetes configurations are complex to manage across developers and operations. • External configuration tools (Helm, Kustomize) etc. cannot ensure environment specific configurations. • Admission controllers provide a way to validate best practices and mutate configurations. • Policy management tools like Kyverno use admission control and provide a way to manage “policies” and “rules” without creating custom controllers.
Why Kyverno? 1. Declarative policies that are easy to write and manage 2. Policy results that are easy to view and process 3. Validate (audit or enforce), Mutate, and Generate 4. Support all Kubernetes resource types including CRs 5. Adopt Kubernetes patterns and practices e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc. 5
6 OPA or Kyverno? By Example: Require read-only filesystem
A Kyverno Policy 7 • Kinds • Names (with wildcards) • Label Selectors (with wildcards) • Namespaces (with wildcards) • Namespace Selector • User Roles • User Groups • Usernames
Mutate Resources Events ✔ Policy Reports AdmissionReview request 8 Kyverno API Server AdmissionReview response Validate Policy Cache Validate Mutate Generate How Kyverno Works
9 A Kyverno Policy
10 Mutate ● JSON Patch (RFC 6902) ○ Use for precise updates ● StrategicMergePatch ○ Use for describing intent ○ Anchors for conditional logic • “If-then-else” • “if-not-defined”
11 Validate ● Overlays with patterns specify desired state ● Matches all defined fields ● Patterns ○ * : zero or more ○ ? : any one ● Operators ○ >, <, >=, <=, !, |(or)
12 Generate ● Triggers when a new resource is created ● Useful in creating defaults for a namespace ● Clones existing resources or copies in-line data ● Can optionally keep data in- sync across namespaces
13 Policy Reports
14 Advanced Features • Anchors and operators • Variables – Inline policy data – JMESPath • External data lookups – Config Maps – API Calls • Deny rules • Auto-generation of pod controller rules • Command Line for CI/CD and dev-test for policies
15 Use Cases • Security validation and enforcement • Fine-grained RBAC • Multi-tenancy • Auto-Labeling • Sidecar (including certificate) injection with mounts, etc. • IFTTT for Kubernetes
Pod Security 16
17 Pod Security • What is a Pod Security Policy (PSP)? o Cluster resource that controls security configuration of pods o Being marked for deprecation in v1.21 removal in v1.25 • A KEP is being developed to replace PSP with namespace based Pod Security Levels Privileged Baseline Restricted
18 Kyverno Policies for Pod Security • Also based on Pod Security Levels • Available at: https://kyverno.io/policies/pod-security/
Roadmap & Contributing 19
20 Roadmap: Major Features 1. Multiple replicas for scale and availability 2. Custom JMESPath functions 3. Javascript functions for complex validation
How you can contribute? - Kyverno Repo - https://github.com/kyverno/kyverno - Slack Channel - Kubernetes Slack channel #kyverno 21
Summary 22
23 Summary and Takeaways 1. Policies are useful in managing Kubernetes configurations at scale 2. Kyverno is built for Kubernetes 3. Kyverno can validate (audit or enforce), mutate, and generate configurations 4. Kyverno supports best practices for pod security and isolation 5. Kyverno is easy to use! Install Kyverno in your clusters, try the best practice policies, and give us feedback!
Thank-You! https://try.nirmata.io

More Related Content

PDF
Deploy Application on Kubernetes
byOpsta
 
PDF
Devops - Microservice and Kubernetes
byNodeXperts
 
PDF
Operator SDK for K8s using Go
byCloudOps2005
 
PDF
Helm - Package Manager for Kubernetes
byKnoldus Inc.
 
PDF
Kubernetes Architecture - beyond a black box - Part 1
byHao H. Zhang
 
PDF
Kubernetes extensibility: CRDs & Operators
bySIGHUP
 
PDF
Kubernetes Webinar - Using ConfigMaps & Secrets
byJanakiram MSV
 
PDF
Kubernetes Application Deployment with Helm - A beginner Guide!
byKrishna-Kumar
 
Deploy Application on Kubernetes
byOpsta
 
Devops - Microservice and Kubernetes
byNodeXperts
 
Operator SDK for K8s using Go
byCloudOps2005
 
Helm - Package Manager for Kubernetes
byKnoldus Inc.
 
Kubernetes Architecture - beyond a black box - Part 1
byHao H. Zhang
 
Kubernetes extensibility: CRDs & Operators
bySIGHUP
 
Kubernetes Webinar - Using ConfigMaps & Secrets
byJanakiram MSV
 
Kubernetes Application Deployment with Helm - A beginner Guide!
byKrishna-Kumar
 

What's hot

PDF
Getting Started with Kubernetes
byVMware Tanzu
 
PDF
CI:CD in Lightspeed with kubernetes and argo cd
byBilly Yuen
 
PDF
Introduction to Kubernetes Workshop
byBob Killen
 
PPTX
Introduction to kubernetes
byRishabh Indoria
 
PPTX
Kubernetes Introduction
byEric Gustafson
 
PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
Kubernetes PPT.pptx
byssuser0cc9131
 
PDF
GitOps and ArgoCD
byOmar Fathy
 
PDF
Kubernetes Introduction
byPeng Xiao
 
PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
PDF
Kubernetes - introduction
bySparkbit
 
PDF
An Introduction to Kubernetes
byImesh Gunaratne
 
PPTX
Kubernetes Introduction
byMartin Danielsson
 
PDF
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
PDF
Open shift 4 infra deep dive
byWinton Winton
 
PPTX
Intro to Helm for Kubernetes
byCarlos E. Salazar
 
PDF
CNCF Meetup - OpenShift Overview
bySumit Shatwara
 
PDF
Kubernetes security
byThomas Fricke
 
PPTX
DevOps with Kubernetes
byEastBanc Tachnologies
 
PDF
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
bySlideTeam
 
Getting Started with Kubernetes
byVMware Tanzu
 
CI:CD in Lightspeed with kubernetes and argo cd
byBilly Yuen
 
Introduction to Kubernetes Workshop
byBob Killen
 
Introduction to kubernetes
byRishabh Indoria
 
Kubernetes Introduction
byEric Gustafson
 
Kubernetes Security
byKarthik Gaekwad
 
Kubernetes PPT.pptx
byssuser0cc9131
 
GitOps and ArgoCD
byOmar Fathy
 
Kubernetes Introduction
byPeng Xiao
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
Kubernetes - introduction
bySparkbit
 
An Introduction to Kubernetes
byImesh Gunaratne
 
Kubernetes Introduction
byMartin Danielsson
 
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
Open shift 4 infra deep dive
byWinton Winton
 
Intro to Helm for Kubernetes
byCarlos E. Salazar
 
CNCF Meetup - OpenShift Overview
bySumit Shatwara
 
Kubernetes security
byThomas Fricke
 
DevOps with Kubernetes
byEastBanc Tachnologies
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
bySlideTeam
 

Similar to Securing and Automating Kubernetes with Kyverno

PPTX
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
byLibbySchulze
 
PDF
DevOpsDays Istanbul '24 - Kyverno Chronicles.pdf
byKoray Oksay
 
PDF
Securing Kubernetes Workloads
byJim Bugwadia
 
PDF
From Gatekeeper to Kyverno : Kubernetes Policy Management with Performance by...
byScyllaDB
 
PDF
Operationalizing Amazon EKS
byJim Bugwadia
 
PPTX
Kubernetes policies 101 - apolicy.io
byjoanwlevin
 
PDF
Data protection in a kubernetes-native world
byLibbySchulze
 
PDF
Admission controllers - PSP, OPA, Kyverno and more!
bySebastienSEYMARC
 
PDF
An Introduction to Kubernetes Network Policies for Security People.pdf
bynawrami
 
PDF
fwd:cloudsec 2022: Shifting right with policy-as-code
byGabriel Schuyler
 
PDF
Goodbye Pod Security Policy - Hello alternatives
byMario Fahlandt
 
PDF
Kubernetes Security with Calico and Open Policy Agent
byCloudOps2005
 
PDF
Container Security Deep Dive & Kubernetes
byAqua Security
 
PDF
Evolution of security strategies in K8s environments- All day devops
byJose Manuel Ortega Candel
 
PDF
Developer Secure Containers for the Cyberspace Battlefield
byVMware Tanzu
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PDF
Virtual Kubernetes Clusters on Amazon EKS
byJim Bugwadia
 
PDF
CloudNativeTurkey - Lines of Defence.pdf
byKoray Oksay
 
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
byLibbySchulze
 
DevOpsDays Istanbul '24 - Kyverno Chronicles.pdf
byKoray Oksay
 
Securing Kubernetes Workloads
byJim Bugwadia
 
From Gatekeeper to Kyverno : Kubernetes Policy Management with Performance by...
byScyllaDB
 
Operationalizing Amazon EKS
byJim Bugwadia
 
Kubernetes policies 101 - apolicy.io
byjoanwlevin
 
Data protection in a kubernetes-native world
byLibbySchulze
 
Admission controllers - PSP, OPA, Kyverno and more!
bySebastienSEYMARC
 
An Introduction to Kubernetes Network Policies for Security People.pdf
bynawrami
 
fwd:cloudsec 2022: Shifting right with policy-as-code
byGabriel Schuyler
 
Goodbye Pod Security Policy - Hello alternatives
byMario Fahlandt
 
Kubernetes Security with Calico and Open Policy Agent
byCloudOps2005
 
Container Security Deep Dive & Kubernetes
byAqua Security
 
Evolution of security strategies in K8s environments- All day devops
byJose Manuel Ortega Candel
 
Developer Secure Containers for the Cyberspace Battlefield
byVMware Tanzu
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Virtual Kubernetes Clusters on Amazon EKS
byJim Bugwadia
 
CloudNativeTurkey - Lines of Defence.pdf
byKoray Oksay
 

Recently uploaded

PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The year in review - MarvelClient in 2025
bypanagenda
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 

Securing and Automating Kubernetes with Kyverno

  • 1.
  • 2.
    2 Kyverno - KubernetesNative Policy Management • Why Kyverno • How it works • Use Cases • Roadmap • Q&A
  • 3.
    3 What is Kyverno? •A policy engine designed for Kubernetes • Uses Kubernetes resources, patterns, idioms • Familiar to Kubernetes users
  • 4.
    4 Why Policies? • Kubernetesconfigurations are complex to manage across developers and operations. • External configuration tools (Helm, Kustomize) etc. cannot ensure environment specific configurations. • Admission controllers provide a way to validate best practices and mutate configurations. • Policy management tools like Kyverno use admission control and provide a way to manage “policies” and “rules” without creating custom controllers.
  • 5.
    Why Kyverno? 1. Declarativepolicies that are easy to write and manage 2. Policy results that are easy to view and process 3. Validate (audit or enforce), Mutate, and Generate 4. Support all Kubernetes resource types including CRs 5. Adopt Kubernetes patterns and practices e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc. 5
  • 6.
    6 OPA or Kyverno?By Example: Require read-only filesystem
  • 7.
    A Kyverno Policy 7 •Kinds • Names (with wildcards) • Label Selectors (with wildcards) • Namespaces (with wildcards) • Namespace Selector • User Roles • User Groups • Usernames
  • 8.
  • 9.
  • 10.
    10 Mutate ● JSON Patch(RFC 6902) ○ Use for precise updates ● StrategicMergePatch ○ Use for describing intent ○ Anchors for conditional logic • “If-then-else” • “if-not-defined”
  • 11.
    11 Validate ● Overlays withpatterns specify desired state ● Matches all defined fields ● Patterns ○ * : zero or more ○ ? : any one ● Operators ○ >, <, >=, <=, !, |(or)
  • 12.
    12 Generate ● Triggers whena new resource is created ● Useful in creating defaults for a namespace ● Clones existing resources or copies in-line data ● Can optionally keep data in- sync across namespaces
  • 13.
  • 14.
    14 Advanced Features • Anchorsand operators • Variables – Inline policy data – JMESPath • External data lookups – Config Maps – API Calls • Deny rules • Auto-generation of pod controller rules • Command Line for CI/CD and dev-test for policies
  • 15.
    15 Use Cases • Securityvalidation and enforcement • Fine-grained RBAC • Multi-tenancy • Auto-Labeling • Sidecar (including certificate) injection with mounts, etc. • IFTTT for Kubernetes
  • 16.
  • 17.
    17 Pod Security • Whatis a Pod Security Policy (PSP)? o Cluster resource that controls security configuration of pods o Being marked for deprecation in v1.21 removal in v1.25 • A KEP is being developed to replace PSP with namespace based Pod Security Levels Privileged Baseline Restricted
  • 18.
    18 Kyverno Policies forPod Security • Also based on Pod Security Levels • Available at: https://kyverno.io/policies/pod-security/
  • 19.
  • 20.
    20 Roadmap: Major Features 1.Multiple replicas for scale and availability 2. Custom JMESPath functions 3. Javascript functions for complex validation
  • 21.
    How you cancontribute? - Kyverno Repo - https://github.com/kyverno/kyverno - Slack Channel - Kubernetes Slack channel #kyverno 21
  • 22.
  • 23.
    23 Summary and Takeaways 1.Policies are useful in managing Kubernetes configurations at scale 2. Kyverno is built for Kubernetes 3. Kyverno can validate (audit or enforce), mutate, and generate configurations 4. Kyverno supports best practices for pod security and isolation 5. Kyverno is easy to use! Install Kyverno in your clusters, try the best practice policies, and give us feedback!
  • 24.