Securing and Automating Kubernetes with Kyverno
•Download as PPTX, PDF•
1 like•474 views
Kyverno is a CNCF Sandbox Project Created by Nirmata. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. In this session Shuting Zhao and Jim Bugwadia, both of whom are Kyverno maintainers will provide an overview of Kyverno and describe how you can get started with using it.
Report
Share
Report
Share
Recommended
Kubernetes
This document provides an overview of Kubernetes, a container orchestration system. It begins with background on Docker containers and orchestration tools prior to Kubernetes. It then covers key Kubernetes concepts including pods, labels, replication controllers, and services. Pods are the basic deployable unit in Kubernetes, while replication controllers ensure a specified number of pods are running. Services provide discovery and load balancing for pods. The document demonstrates how Kubernetes can be used to scale, upgrade, and rollback deployments through replication controllers and services.
Kubernetes Basics
This document provides an overview of Kubernetes including:
1) Kubernetes is an open-source platform for automating deployment, scaling, and operations of containerized applications. It provides container-centric infrastructure and allows for quickly deploying and scaling applications.
2) The main components of Kubernetes include Pods (groups of containers), Services (abstract access to pods), ReplicationControllers (maintain pod replicas), and a master node running key components like etcd, API server, scheduler, and controller manager.
3) The document demonstrates getting started with Kubernetes by enabling the master on one node and a worker on another node, then deploying and exposing a sample nginx application across the cluster.
Kubernetes Workshop
This document provides an overview of Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. It describes basic Kubernetes components like pods, replication controllers, services, deployments, and replica sets. It explains how Kubernetes is used to group and schedule containers, maintain desired pod counts, update applications seamlessly with rolling updates, and more. The document also notes Kubernetes was inspired by Google's internal container systems and can manage applications across cloud and bare-metal environments.
Getting Started with Kubernetes
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
GitOps 101 Presentation.pdf
This document provides an overview of GitOps and summarizes a training session on the topic. The session covered Kubernetes and Git basics, the motivation and model for GitOps, an example of GitOps in action using Flux on a training environment, progressive delivery techniques like Flagger, and challenges with GitOps adoption. The goals were to explain what GitOps is, understand benefits, gain hands-on experience, and decide if it's right for a team/project. GitOps aims to use Git as the single source of truth for infrastructure and automate deployments by reconciling production with the code repository.
Kubernetes: A Short Introduction (2019)
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Kubernetes can manage pods across a cluster of machines, providing scheduling, deployment, scaling, load balancing, volume mounting and networking. It is widely used by companies like Google, CERN and in large projects like processing images and analyzing particle interactions. Kubernetes is portable, can span multiple cloud providers, and continues growing to support new workloads and use cases.
Kubernetes #1 intro
Kubernetes is an open-source container management platform. It has a master-node architecture with control plane components like the API server on the master and node components like kubelet and kube-proxy on nodes. Kubernetes uses pods as the basic building block, which can contain one or more containers. Services provide discovery and load balancing for pods. Deployments manage pods and replicasets and provide declarative updates. Key concepts include volumes for persistent storage, namespaces for tenant isolation, labels for object tagging, and selector matching.
Kubernetes Introduction
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Recommended
Kubernetes
This document provides an overview of Kubernetes, a container orchestration system. It begins with background on Docker containers and orchestration tools prior to Kubernetes. It then covers key Kubernetes concepts including pods, labels, replication controllers, and services. Pods are the basic deployable unit in Kubernetes, while replication controllers ensure a specified number of pods are running. Services provide discovery and load balancing for pods. The document demonstrates how Kubernetes can be used to scale, upgrade, and rollback deployments through replication controllers and services.
Kubernetes Basics
This document provides an overview of Kubernetes including:
1) Kubernetes is an open-source platform for automating deployment, scaling, and operations of containerized applications. It provides container-centric infrastructure and allows for quickly deploying and scaling applications.
2) The main components of Kubernetes include Pods (groups of containers), Services (abstract access to pods), ReplicationControllers (maintain pod replicas), and a master node running key components like etcd, API server, scheduler, and controller manager.
3) The document demonstrates getting started with Kubernetes by enabling the master on one node and a worker on another node, then deploying and exposing a sample nginx application across the cluster.
Kubernetes Workshop
This document provides an overview of Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. It describes basic Kubernetes components like pods, replication controllers, services, deployments, and replica sets. It explains how Kubernetes is used to group and schedule containers, maintain desired pod counts, update applications seamlessly with rolling updates, and more. The document also notes Kubernetes was inspired by Google's internal container systems and can manage applications across cloud and bare-metal environments.
Getting Started with Kubernetes
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
GitOps 101 Presentation.pdf
This document provides an overview of GitOps and summarizes a training session on the topic. The session covered Kubernetes and Git basics, the motivation and model for GitOps, an example of GitOps in action using Flux on a training environment, progressive delivery techniques like Flagger, and challenges with GitOps adoption. The goals were to explain what GitOps is, understand benefits, gain hands-on experience, and decide if it's right for a team/project. GitOps aims to use Git as the single source of truth for infrastructure and automate deployments by reconciling production with the code repository.
Kubernetes: A Short Introduction (2019)
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Kubernetes can manage pods across a cluster of machines, providing scheduling, deployment, scaling, load balancing, volume mounting and networking. It is widely used by companies like Google, CERN and in large projects like processing images and analyzing particle interactions. Kubernetes is portable, can span multiple cloud providers, and continues growing to support new workloads and use cases.
Kubernetes #1 intro
Kubernetes is an open-source container management platform. It has a master-node architecture with control plane components like the API server on the master and node components like kubelet and kube-proxy on nodes. Kubernetes uses pods as the basic building block, which can contain one or more containers. Services provide discovery and load balancing for pods. Deployments manage pods and replicasets and provide declarative updates. Key concepts include volumes for persistent storage, namespaces for tenant isolation, labels for object tagging, and selector matching.
Kubernetes Introduction
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Karpenter
This document provides an overview of Karpenter, an open-source node provisioning project for Kubernetes. It discusses how Karpenter watches for unschedulable pods and provisions nodes that meet pods' requirements, such as resource requests and node selectors. It also covers why Karpenter is useful compared to other autoscaling solutions like Cluster Autoscaler, and how Karpenter integrates with AWS Elastic Kubernetes Service (EKS) to dynamically provision EC2 instances on demand. The presentation includes a demonstration of Karpenter in action.
Hands-On Introduction to Kubernetes at LISA17
This document provides an agenda and instructions for a hands-on introduction to Kubernetes tutorial. The tutorial will cover Kubernetes basics like pods, services, deployments and replica sets. It includes steps for setting up a local Kubernetes environment using Minikube and demonstrates features like rolling updates, rollbacks and self-healing. Attendees will learn how to develop container-based applications locally with Kubernetes and deploy changes to preview them before promoting to production.
Rancher 2.0 Technical Deep Dive
西脇 雄基(LINE)/Rancher 2.0 Technical Deep Dive
2018/7/28 LINE Developer Meetup in Tokyo #40 -Kubernetes-
https://line.connpass.com/event/92049/
Helm 3
Helm version 3 was recently released with new features and a new architecture to support those features. The changes to Helm and charts were based on feedback, changes to Kubernetes, and lessons learned in the past couple years.
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
SlideTeam presents Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide Templates. This PPT slideshow is an ideal virtual expression of the fundamentals of Kubernetes. The smart data-visualizations make this PowerPoint presentation easy-to-understand and perfect to introduce your audience to the container orchestration system. Use our PPT theme to communicate the definition and need for containers or virtual private servers. Communicate the container, and microservices architecture using cutting-edge graphics. Explain the need for and benefits of Kubernetes for an organization. Elucidate the features, architecture, use cases, installation roadmap, and the 30-60-90 day plan in Kubernetes. Use the neat tabular format to compare Kubernetes with docker swarm based on various parameters. Familiarize your viewers with the various components of Kubernetes. Elaborate on what is Kubelet, Kubectl, and Kubeadm with the help of labeled diagrams. This presentation acquaints your audience with the significance of Kubernetes in management, scaling, automating, and deploying computer applications. Hit the download icon and start personalization. https://bit.ly/2L0Ojdu
Kubernetes for Beginners: An Introductory Guide
Kubernetes is an open-source tool for managing containerized workloads and services. It allows for deploying, maintaining, and scaling applications across clusters of servers. Kubernetes operates at the container level to automate tasks like deployment, availability, and load balancing. It uses a master-slave architecture with a master node controlling multiple worker nodes that host application pods, which are groups of containers that share resources. Kubernetes provides benefits like self-healing, high availability, simplified maintenance, and automatic scaling of containerized applications.
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
The document provides an overview of Kubernetes concepts and architecture. It begins with an introduction to containers and microservices architecture. It then discusses what Kubernetes is and why organizations should use it. The remainder of the document outlines Kubernetes components, nodes, development processes, networking, and security measures. It provides descriptions and diagrams explaining key aspects of Kubernetes such as architecture, components like Kubelet and Kubectl, node types, and networking models.
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Introducing github.com/open-cluster-management – How to deliver apps across c...
Red Hat Advanced Cluster Management (RHACM) provides tools to manage the lifecycle of Kubernetes clusters at scale across multiple clouds and on-premises environments. It offers capabilities for provisioning, configuring, and governing clusters consistently using policies. It also allows deploying applications across clusters and provides observability into cluster and application health. RHACM addresses the challenges organizations face in deploying and managing many Kubernetes clusters distributed across complex environments.
Kubernetes extensibility: CRDs & Operators
This talk discusses the core concepts behind the Kubernetes extensibility model. We are going to see how to implement new CRDs, operators and when to use them to automate the most critical aspects of your Kubernetes clusters.
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
The document provides instructions for deploying and managing an EKS (Elastic Kubernetes Service) cluster on AWS using eksctl. It outlines the steps to install eksctl and kubectl, deploy an EKS cluster called "eks-122" using eksctl with default settings, verify the cluster is active with 2 nodes, and finally delete the cluster when it is no longer needed.
Introduction to Kubernetes Workshop
A Comprehensive Introduction to Kubernetes. This slide deck serves as the lecture portion of a full-day Workshop covering the architecture, concepts and components of Kubernetes. For the interactive portion, please see the tutorials here:
https://github.com/mrbobbytables/k8s-intro-tutorials
Amazon EKS - Elastic Container Service for Kubernetes
The document describes Amazon EKS (Elastic Container Service for Kubernetes), including an overview of EKS, its architecture, features, and integration with other AWS services. Key points include: EKS manages Kubernetes control planes and nodes are launched in the customer's VPC, EKS supports networking via the AWS VPC CNI plugin, and EKS provides security and access management using IAM roles and policies.
Understanding Kubernetes
This document provides an introduction to Kubernetes, including definitions of key concepts like pods, services, labels, replica sets, deployments, and horizontal pod autoscaling. It explains how Kubernetes abstracts and virtualizes resources to run and manage containers across a cluster. Examples and diagrams illustrate concepts like pod networking and canary deployments. The document recommends resources for learning more about Kubernetes and getting started, including Google Cloud Platform and a demo of Kubernetes capabilities.
Kubernetes a comprehensive overview
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Its main components include a master node that manages the cluster and worker nodes that run the applications. It uses labels to identify pods and services and selectors to group related pods. Common concepts include deployments for updating apps, services for network access, persistent volumes for storage, and roles/bindings for access control. The deployment process involves the API server, controllers, scheduler and kubelet to reconcile the desired state and place pods on nodes from images while providing discovery and load balancing.
Introduction to kubernetes
This document provides an introduction to Kubernetes including:
- What Kubernetes is and what it does including abstracting infrastructure, providing self-healing capabilities, and providing a uniform interface across clouds.
- Key concepts including pods, services, labels, selectors, and namespaces. Pods are the atomic unit and services provide a unified access method. Labels and selectors are used to identify and group related objects.
- The Kubernetes architecture including control plane components like kube-apiserver, etcd, and kube-controller-manager. Node components include kubelet and kube-proxy. Optional services like cloud-controller-manager and cluster DNS are also described.
Introduction to kubernetes
This document provides an introduction to Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. It first reviews what Docker is and its features like isolation and compatibility across platforms. It then explains that container orchestration is needed to manage thousands of containers across a cluster, ensure efficient resource use, and automate container lifecycles. Kubernetes is recommended because it is actively developed by major companies, makes scheduling and managing workloads easy through features like rolling updates, and has many extensions available.
Everything You Need To Know About Persistent Storage in Kubernetes
This document discusses Kubernetes persistent storage options for stateful applications. It covers common use cases that require persistence like databases, messaging systems, and content management systems. It then describes Kubernetes persistent volume (PV), persistent volume claim (PVC), and storage class objects that are used to provision and consume persistent storage. Finally, it compares deployments with statefulsets and covers other volume types like emptyDir, hostPath, daemonsets and their use cases.
CI:CD in Lightspeed with kubernetes and argo cd
Enterprises have benefited greatly from the elastic scalability and multi-region availability by moving to AWS, but the fundamental deployment model remains the same.
At Intuit, we have adopted k8s as our new saas platform and re-invented our CI/CD pipeline to take full advantage of k8s. In this presentation, we will discuss our journey from Spinnaker to Argo CD.
1. Reduce CI/CD time from 60 minutes to 10 minutes.
2. Reduce production release (or rollback) from 10 minutes to 2 minutes.
3. Enable concurrent deployment using spinnaker and argo cd as HA/DR to safely adopt the new platform with no downtime.
4. Be compatible with the existing application monitoring toolset.
Introduction to kubernetes
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called Pods. ReplicaSets ensure that a specified number of pod replicas are running at any given time. Key components include Pods, Services for enabling network access to applications, and Deployments to update Pods and manage releases.
Securing Kubernetes Workloads
Kubernetes is the new cloud OS, and enterprises are rapidly migrating existing applications to Kubernetes as well as creating new Kubernetes-native applications. However, Kubernetes configuration management remains complex, and due to this complexity, most implementations do not leverage Kubernetes constructs for security.
In this session you will learn:
- Key Kubernetes constructs to use for properly securing application workloads in any cloud
- How to manage Kubernetes configurations across multiple clusters and cloud providers
- How to audit and enforce enterprise-wide Kubernetes best practices
Operationalizing Amazon EKS
Kubernetes can be complex to manage at enterprise scale! Cloud provider services like Amazon EKS solves the challenge of bringing up a Kubernetes control plane. However, production Kubernetes requires multi-layer security, access controls, load-balancing, monitoring, logging, governance, secrets management, policy management, and several other considerations. In this fast paced talk, we will cover how enterprises can address each of these areas and discuss best practices to fast track deployments.
More Related Content
What's hot
Karpenter
This document provides an overview of Karpenter, an open-source node provisioning project for Kubernetes. It discusses how Karpenter watches for unschedulable pods and provisions nodes that meet pods' requirements, such as resource requests and node selectors. It also covers why Karpenter is useful compared to other autoscaling solutions like Cluster Autoscaler, and how Karpenter integrates with AWS Elastic Kubernetes Service (EKS) to dynamically provision EC2 instances on demand. The presentation includes a demonstration of Karpenter in action.
Hands-On Introduction to Kubernetes at LISA17
This document provides an agenda and instructions for a hands-on introduction to Kubernetes tutorial. The tutorial will cover Kubernetes basics like pods, services, deployments and replica sets. It includes steps for setting up a local Kubernetes environment using Minikube and demonstrates features like rolling updates, rollbacks and self-healing. Attendees will learn how to develop container-based applications locally with Kubernetes and deploy changes to preview them before promoting to production.
Rancher 2.0 Technical Deep Dive
西脇 雄基(LINE)/Rancher 2.0 Technical Deep Dive
2018/7/28 LINE Developer Meetup in Tokyo #40 -Kubernetes-
https://line.connpass.com/event/92049/
Helm 3
Helm version 3 was recently released with new features and a new architecture to support those features. The changes to Helm and charts were based on feedback, changes to Kubernetes, and lessons learned in the past couple years.
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
SlideTeam presents Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide Templates. This PPT slideshow is an ideal virtual expression of the fundamentals of Kubernetes. The smart data-visualizations make this PowerPoint presentation easy-to-understand and perfect to introduce your audience to the container orchestration system. Use our PPT theme to communicate the definition and need for containers or virtual private servers. Communicate the container, and microservices architecture using cutting-edge graphics. Explain the need for and benefits of Kubernetes for an organization. Elucidate the features, architecture, use cases, installation roadmap, and the 30-60-90 day plan in Kubernetes. Use the neat tabular format to compare Kubernetes with docker swarm based on various parameters. Familiarize your viewers with the various components of Kubernetes. Elaborate on what is Kubelet, Kubectl, and Kubeadm with the help of labeled diagrams. This presentation acquaints your audience with the significance of Kubernetes in management, scaling, automating, and deploying computer applications. Hit the download icon and start personalization. https://bit.ly/2L0Ojdu
Kubernetes for Beginners: An Introductory Guide
Kubernetes is an open-source tool for managing containerized workloads and services. It allows for deploying, maintaining, and scaling applications across clusters of servers. Kubernetes operates at the container level to automate tasks like deployment, availability, and load balancing. It uses a master-slave architecture with a master node controlling multiple worker nodes that host application pods, which are groups of containers that share resources. Kubernetes provides benefits like self-healing, high availability, simplified maintenance, and automatic scaling of containerized applications.
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
The document provides an overview of Kubernetes concepts and architecture. It begins with an introduction to containers and microservices architecture. It then discusses what Kubernetes is and why organizations should use it. The remainder of the document outlines Kubernetes components, nodes, development processes, networking, and security measures. It provides descriptions and diagrams explaining key aspects of Kubernetes such as architecture, components like Kubelet and Kubectl, node types, and networking models.
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Introducing github.com/open-cluster-management – How to deliver apps across c...
Red Hat Advanced Cluster Management (RHACM) provides tools to manage the lifecycle of Kubernetes clusters at scale across multiple clouds and on-premises environments. It offers capabilities for provisioning, configuring, and governing clusters consistently using policies. It also allows deploying applications across clusters and provides observability into cluster and application health. RHACM addresses the challenges organizations face in deploying and managing many Kubernetes clusters distributed across complex environments.
Kubernetes extensibility: CRDs & Operators
This talk discusses the core concepts behind the Kubernetes extensibility model. We are going to see how to implement new CRDs, operators and when to use them to automate the most critical aspects of your Kubernetes clusters.
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
The document provides instructions for deploying and managing an EKS (Elastic Kubernetes Service) cluster on AWS using eksctl. It outlines the steps to install eksctl and kubectl, deploy an EKS cluster called "eks-122" using eksctl with default settings, verify the cluster is active with 2 nodes, and finally delete the cluster when it is no longer needed.
Introduction to Kubernetes Workshop
A Comprehensive Introduction to Kubernetes. This slide deck serves as the lecture portion of a full-day Workshop covering the architecture, concepts and components of Kubernetes. For the interactive portion, please see the tutorials here:
https://github.com/mrbobbytables/k8s-intro-tutorials
Amazon EKS - Elastic Container Service for Kubernetes
The document describes Amazon EKS (Elastic Container Service for Kubernetes), including an overview of EKS, its architecture, features, and integration with other AWS services. Key points include: EKS manages Kubernetes control planes and nodes are launched in the customer's VPC, EKS supports networking via the AWS VPC CNI plugin, and EKS provides security and access management using IAM roles and policies.
Understanding Kubernetes
This document provides an introduction to Kubernetes, including definitions of key concepts like pods, services, labels, replica sets, deployments, and horizontal pod autoscaling. It explains how Kubernetes abstracts and virtualizes resources to run and manage containers across a cluster. Examples and diagrams illustrate concepts like pod networking and canary deployments. The document recommends resources for learning more about Kubernetes and getting started, including Google Cloud Platform and a demo of Kubernetes capabilities.
Kubernetes a comprehensive overview
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Its main components include a master node that manages the cluster and worker nodes that run the applications. It uses labels to identify pods and services and selectors to group related pods. Common concepts include deployments for updating apps, services for network access, persistent volumes for storage, and roles/bindings for access control. The deployment process involves the API server, controllers, scheduler and kubelet to reconcile the desired state and place pods on nodes from images while providing discovery and load balancing.
Introduction to kubernetes
This document provides an introduction to Kubernetes including:
- What Kubernetes is and what it does including abstracting infrastructure, providing self-healing capabilities, and providing a uniform interface across clouds.
- Key concepts including pods, services, labels, selectors, and namespaces. Pods are the atomic unit and services provide a unified access method. Labels and selectors are used to identify and group related objects.
- The Kubernetes architecture including control plane components like kube-apiserver, etcd, and kube-controller-manager. Node components include kubelet and kube-proxy. Optional services like cloud-controller-manager and cluster DNS are also described.
Introduction to kubernetes
This document provides an introduction to Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. It first reviews what Docker is and its features like isolation and compatibility across platforms. It then explains that container orchestration is needed to manage thousands of containers across a cluster, ensure efficient resource use, and automate container lifecycles. Kubernetes is recommended because it is actively developed by major companies, makes scheduling and managing workloads easy through features like rolling updates, and has many extensions available.
Everything You Need To Know About Persistent Storage in Kubernetes
This document discusses Kubernetes persistent storage options for stateful applications. It covers common use cases that require persistence like databases, messaging systems, and content management systems. It then describes Kubernetes persistent volume (PV), persistent volume claim (PVC), and storage class objects that are used to provision and consume persistent storage. Finally, it compares deployments with statefulsets and covers other volume types like emptyDir, hostPath, daemonsets and their use cases.
CI:CD in Lightspeed with kubernetes and argo cd
Enterprises have benefited greatly from the elastic scalability and multi-region availability by moving to AWS, but the fundamental deployment model remains the same.
At Intuit, we have adopted k8s as our new saas platform and re-invented our CI/CD pipeline to take full advantage of k8s. In this presentation, we will discuss our journey from Spinnaker to Argo CD.
1. Reduce CI/CD time from 60 minutes to 10 minutes.
2. Reduce production release (or rollback) from 10 minutes to 2 minutes.
3. Enable concurrent deployment using spinnaker and argo cd as HA/DR to safely adopt the new platform with no downtime.
4. Be compatible with the existing application monitoring toolset.
Introduction to kubernetes
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called Pods. ReplicaSets ensure that a specified number of pod replicas are running at any given time. Key components include Pods, Services for enabling network access to applications, and Deployments to update Pods and manage releases.
What's hot (20)
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Introducing github.com/open-cluster-management – How to deliver apps across c...
Introducing github.com/open-cluster-management – How to deliver apps across c...
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
Similar to Securing and Automating Kubernetes with Kyverno
Securing Kubernetes Workloads
Kubernetes is the new cloud OS, and enterprises are rapidly migrating existing applications to Kubernetes as well as creating new Kubernetes-native applications. However, Kubernetes configuration management remains complex, and due to this complexity, most implementations do not leverage Kubernetes constructs for security.
In this session you will learn:
- Key Kubernetes constructs to use for properly securing application workloads in any cloud
- How to manage Kubernetes configurations across multiple clusters and cloud providers
- How to audit and enforce enterprise-wide Kubernetes best practices
Operationalizing Amazon EKS
Kubernetes can be complex to manage at enterprise scale! Cloud provider services like Amazon EKS solves the challenge of bringing up a Kubernetes control plane. However, production Kubernetes requires multi-layer security, access controls, load-balancing, monitoring, logging, governance, secrets management, policy management, and several other considerations. In this fast paced talk, we will cover how enterprises can address each of these areas and discuss best practices to fast track deployments.
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
This document discusses how to build Kubernetes policies to ensure database compliance. It covers running databases in Kubernetes, using policy-as-code with Kyverno to validate Kubernetes manifests, and enforcing compliance in GitOps pipelines. The presenter then demonstrates creating a Flux source and Kustomization and using an admission controller to validate and mutate non-conforming resources. Key takeaways are that Kubernetes can support databases at scale using GitOps and policy-as-code for security, collaboration and faster innovation.
kubernetes_largescale_system_design_optimization
The document discusses optimizations and design considerations for running Kubernetes clusters at large scale. It outlines Kubernetes system components like the API server, etcd, and controller manager and discusses tuning parameters for high availability and performance. It also covers capacity allocation, auto-scaling, monitoring, lessons learned, and answers to questions.
From Containerized Application to Secure and Scaling With Kubernetes
Discuss following:
What does it really take to make sure your application is production ready?
With new privacy regulations being added, many aspects need to be taken into account when deciding when to deliver your final application is ready for production.
Can your application handle multiple users with different levels of access?
Can you extend your application to use existing authentication and authorization platforms?
Have you invested in using Mutual TLS for communication between components?
How do you manage the certificates and passwords used within your product?
Is CICD your friend or your enemy when it comes to delivering your product?
Have you considered the availability and scalability of the application?
Kubernetes policies 101 - apolicy.io
The document discusses Kubernetes policies and admission controllers. It provides an overview of different types of admission controllers like mutating and validating controllers and examples like Pod Security Policy (PSP) and ImagePolicyWebhook. It notes that while admission controllers help enforce policies, managing complex policies and all their exceptions remains challenging. Labels and annotations are also highlighted as important tools for classifying and documenting Kubernetes objects. Overall, the document aims to help readers understand how Kubernetes uses admission controllers to implement and enforce various policies and configurations.
Admission controllers - PSP, OPA, Kyverno and more!
This document discusses Kubernetes admission controllers and options for replacing the deprecated PodSecurityPolicy feature. It provides an overview of admission control and some of the built-in controllers. It notes that PodSecurityPolicy is being deprecated and discusses potential in-built and third-party replacements like OPA Gatekeeper, Kyverno, K-rail, and jsPolicy. The document includes demonstrations of OPA and Kyverno. It concludes that admission control is important for Kubernetes security and administrators will need to choose an option to replace PodSecurityPolicy.
Building an Enterprise CaaS with Kubernetes and Rancher 2.0
Slides from the May 2018 Rancher Online Meetup
Rancher 2.0 was released to general availability this month, and one of the key use cases we developed this platform for was to help organizations build a Container-as-a-Service platform using Kubernetes. In our May online meetup, we covered the possibility of running an enterprise container platform built on Rancher 2.0.
Topics covered included:
Approaches to workload isolation in Kubernetes
Multi-cluster management approaches
User privileges and Delegated administration
Defining centralized security policies
Optimizing infrastructure utilization
You can find a recording of the meetup here: https://youtu.be/7cqP-VzCP3M
Managing add-ons across clusters
This document discusses managing add-ons across Kubernetes clusters. It defines add-ons as standardized services like monitoring, logging, and security that need to be available in every cluster. While GitOps is useful for cluster operations, it has limitations for add-on management across multiple clusters. The document proposes using Kustomize along with a central secrets store like Vault to fully automate add-on deployment and updates. It suggests GitOps controllers can further streamline add-on management by applying configurations per target cluster. A demo is provided to illustrate how Kustomization files can be used to reproduce YAML configurations for add-on deployment on any cluster.
AWS Well-Architected Framework
The document provides an overview of the AWS Well-Architected Framework. It discusses the six advantages of moving to the cloud, including trading capital expense for flexible expense. It then outlines the topics that will be covered, including design principles, pillars of security, reliability, performance efficiency, cost optimization, and operational excellence. Finally, it gives examples of questions that can be asked within each pillar to evaluate architectures.
Kubernetes for Enterprise DevOps
This document provides an overview of Kubernetes and how Nirmata can help enterprises manage Kubernetes clusters and workloads. It begins with basic Kubernetes concepts like pods, deployments, services, and networking. It then discusses how Nirmata provides centralized management of Kubernetes infrastructure and applications across public and private clouds through its policy engine and integration with DevOps tools. The document concludes by stating that Kubernetes enables enterprise agility when managed with solutions like Nirmata.
Secure your K8s cluster from multi-layers
The document discusses securing a Kubernetes cluster from multiple layers of risk. It covers securing the infrastructure layer by limiting access and exposure, the control plane layer by enabling TLS and RBAC, the workload layer using pod security policies and network policies, the container runtime layer with tools like Kata Containers, the user misconfiguration layer by avoiding defaults and validating configurations, and useful security tools. The presenter then provides contact information for potential job opportunities.
Simplify Your Way To Expert Kubernetes Management
Kubernetes is a deep and complex technology that is evolving fast with new functionality and a growing ecosystem of cloud-native solutions. While the public cloud delivers an almost frictionless user experience, configuring and managing a production Kubernetes environment is an enormous technical challenge for the majority of enterprises that choose to do so on premises. Without the right approach, operationalizing Kubernetes in the data center can take upwards of 6 months, jeopardizing developer productivity and speed-to-market.
In this webinar, you’ll learn from Nutanix cloud native experts on how to fast-track your way to operationalizing a production-ready Kubernetes environment on-prem.
Specifically, we’ll talk about:
How containerized applications use IT resources (and why legacy infrastructure isn’t built for Kubernetes);
The main advantages of running Kubernetes on prem (as part of a multi-cloud strategy);
Key aspects of Kubernetes lifecycle management that greatly benefit from automation.
Building an Enterprise-Grade Azure Governance Model
This document summarizes Karl Ots's presentation on building an enterprise-grade Azure governance model. The presentation covers key decisions for an Azure governance model including subscription structure, organization-wide controls, user access management, and the Azure provisioning process. It also discusses the roles of governance and cloud strategy. Specific technical implementations of governance controls like Azure Policy, role-based access control, and shared networking services are described.
Moving 150 TB of data resiliently on Kafka With Quorum Controller on Kubernet...
At Wells-Fargo, we move 150 TB of logs data from our syslogs to Splunk forwarders that get indexed and organized for analytic queries. As we modernize and migrate our applications to our hybrid cloud the performance expectations for this infrastructure will proportionately increase. Those improvements include the resilience of the end to end infrastructure. First, we decoupled the applications from their logging interface through a loglibrary which split the streams of logs from their sources to KAFKA which routed them to two separate destinations Splunk and ELK respectively. We also used prometheus and grafana for monitoring the metrics. We also deployed KAFKA, Splunk, ELK, Prometheus and Grafana on the Kubernetes clusters. Confluent had released a version of KAFKA without Zookeeper and replaced its functionality with Quorum Controller. The Quorum-Controller version exhibited better disposability one of the 12factors that's important for Cloud-Nativeness. We packaged this version into a Kubernetes operator called Keda and deployed this for auto-scaling. We tested this to simulate the amount of logdata that we typically generate in production. Based on the above we have also implemented distributed tracing and help make it just as resilient. We will share our lessons learnt, the patterns and practices to modernize both our underlying runtime platforms and our applications with highly performing and resilient event-driven architectures.
Centralizing Kubernetes and Container Operations
While developers see and realize the benefits of Kubernetes, how it improves efficiencies, saves time, and enables focus on the unique business requirements of each project; InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies, and integrating them into an existing enterprise infrastructure.
These meetup slides go over what’s needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, ELK Stack, Keycloak, etc., and how to set up reliable clusters and multi-master configuration without a load balancer. It also outlines how these components should be combined into an operations-friendly enterprise Kubernetes management platform with centralized monitoring and log collection, identity and access management, backup and disaster recovery, and infrastructure management capabilities. This presentation will show real-world open source projects use cases to implement an ops-friendly environment.
Check out this and more webinars in our BrightTalk channel: https://goo.gl/QPE5rZ
Meetup elastic centralised security monitoring with decentralized clusters
It is common to choose a decentralisation approach when different departments in a company have different IT needs. Each business unit can maintain a separate server and choose hardware and licenses based on individual strategy. The question we are then faced with is how to monitor and safeguard the decentralised environment in a cost-effective way.
In this webinar, Lakshmi Srinivas Bodepu from Skilledfield will talk about the central management of security detections with separate site-wide Elasticsearch clusters. Join this session to learn why using cross-cluster search can improve efficiency when retrieving security data from remote sites.
The webinar will cover:
-Introduction to Elastics stack and XDR
-Cross-cluster search
-Demo on the central management UI
Kubernetes Security with Calico and Open Policy Agent
Ray Kao and Kevin Harris from Microsoft presenting ‘Kubernetes Security with Calico and Open Policy Agent’ at the spring 2019 Kubernetes and Cloud Native meetup in Toronto.
Evolving for Kubernetes
This document provides an overview of Kubernetes concepts and best practices for evolving applications to run on Kubernetes. It discusses initial "lift and shift" approaches as well as principles for container and application design that are well-suited for Kubernetes. These include having containers do one thing, making images immutable, ensuring self-containment and runtime confinement, and designing for process disposability and observability. The document also covers how people and processes need to change, such as adopting new deployment strategies, defining interaction contracts, and being comfortable with change and new approaches to debugging.
Virtual Kubernetes Clusters on Amazon EKS
From AWS Community Day 2019!
Learn how to use Kubernetes native constructs to build Virtual Clusters, so that your teams can focus on delivering business value.
Similar to Securing and Automating Kubernetes with Kyverno (20)
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!
Building an Enterprise CaaS with Kubernetes and Rancher 2.0
Building an Enterprise CaaS with Kubernetes and Rancher 2.0
Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
Moving 150 TB of data resiliently on Kafka With Quorum Controller on Kubernet...
Moving 150 TB of data resiliently on Kafka With Quorum Controller on Kubernet...
Meetup elastic centralised security monitoring with decentralized clusters
Meetup elastic centralised security monitoring with decentralized clusters
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
Recently uploaded
UiPath Test Automation using UiPath Test Suite series, part 6
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Mind map of terminologies used in context of Generative AI
Mind map of common terms used in context of Generative AI.
20240605 QFM017 Machine Intelligence Reading List May 2024
Everything I found interesting about machines behaving intelligently during May 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Essentials of Automations: The Art of Triggers and Actions in FME
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
20240607 QFM018 Elixir Reading List May 2024
Everything I found interesting about the Elixir programming ecosystem in May 2024
National Security Agency - NSA mobile device best practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Full-RAG: A modern architecture for hyper-personalization
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Video Streaming: Then, Now, and in the Future
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Climate Impact of Software Testing at Nordic Testing Days
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
20240609 QFM020 Irresponsible AI Reading List May 2024
Everything I found interesting about the irresponsible use of machine intelligence in May 2024
Pushing the limits of ePRTC: 100ns holdover for 100 days
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.Programming Foundation Models with DSPy - Meetup Slides
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Infrastructure Challenges in Scaling RAG with Custom AI models
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Recently uploaded (20)
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Securing and Automating Kubernetes with Kyverno
- 1. Kyverno Kubernetes Native Policy Management nirmata
- 2. 2 Kyverno - Kubernetes Native Policy Management • Why Kyverno • How it works • Use Cases • Roadmap • Q&A
- 3. 3 What is Kyverno? • A policy engine designed for Kubernetes • Uses Kubernetes resources, patterns, idioms • Familiar to Kubernetes users
- 4. 4 Why Policies? • Kubernetes configurations are complex to manage across developers and operations. • External configuration tools (Helm, Kustomize) etc. cannot ensure environment specific configurations. • Admission controllers provide a way to validate best practices and mutate configurations. • Policy management tools like Kyverno use admission control and provide a way to manage “policies” and “rules” without creating custom controllers.
- 5. Why Kyverno? 1. Declarative policies that are easy to write and manage 2. Policy results that are easy to view and process 3. Validate (audit or enforce), Mutate, and Generate 4. Support all Kubernetes resource types including CRs 5. Adopt Kubernetes patterns and practices e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc. 5
- 6. 6 OPA or Kyverno? By Example: Require read-only filesystem
- 7. A Kyverno Policy 7 • Kinds • Names (with wildcards) • Label Selectors (with wildcards) • Namespaces (with wildcards) • Namespace Selector • User Roles • User Groups • Usernames
- 8. Mutate Resources Events ✔ Policy Reports AdmissionReview request 8 Kyverno API Server AdmissionReview response Validate Policy Cache Validate Mutate Generate How Kyverno Works
- 10. 10 Mutate ● JSON Patch (RFC 6902) ○ Use for precise updates ● StrategicMergePatch ○ Use for describing intent ○ Anchors for conditional logic • “If-then-else” • “if-not-defined”
- 11. 11 Validate ● Overlays with patterns specify desired state ● Matches all defined fields ● Patterns ○ * : zero or more ○ ? : any one ● Operators ○ >, <, >=, <=, !, |(or)
- 12. 12 Generate ● Triggers when a new resource is created ● Useful in creating defaults for a namespace ● Clones existing resources or copies in-line data ● Can optionally keep data in- sync across namespaces
- 14. 14 Advanced Features • Anchors and operators • Variables – Inline policy data – JMESPath • External data lookups – Config Maps – API Calls • Deny rules • Auto-generation of pod controller rules • Command Line for CI/CD and dev-test for policies
- 15. 15 Use Cases • Security validation and enforcement • Fine-grained RBAC • Multi-tenancy • Auto-Labeling • Sidecar (including certificate) injection with mounts, etc. • IFTTT for Kubernetes
- 16. Pod Security 16
- 17. 17 Pod Security • What is a Pod Security Policy (PSP)? o Cluster resource that controls security configuration of pods o Being marked for deprecation in v1.21 removal in v1.25 • A KEP is being developed to replace PSP with namespace based Pod Security Levels Privileged Baseline Restricted
- 18. 18 Kyverno Policies for Pod Security • Also based on Pod Security Levels • Available at: https://kyverno.io/policies/pod-security/
- 20. 20 Roadmap: Major Features 1. Multiple replicas for scale and availability 2. Custom JMESPath functions 3. Javascript functions for complex validation
- 21. How you can contribute? - Kyverno Repo - https://github.com/kyverno/kyverno - Slack Channel - Kubernetes Slack channel #kyverno 21
- 22. Summary 22
- 23. 23 Summary and Takeaways 1. Policies are useful in managing Kubernetes configurations at scale 2. Kyverno is built for Kubernetes 3. Kyverno can validate (audit or enforce), mutate, and generate configurations 4. Kyverno supports best practices for pod security and isolation 5. Kyverno is easy to use! Install Kyverno in your clusters, try the best practice policies, and give us feedback!