Unleashing the Power of Kyverno: A Deep Dive into Kubernetes Policy Management

Transcript

1. Abstract & bio

2. Unleashing the Power of Kyverno: A Deep Dive into Kubernetes

   Policy Management

3. Agenda Who What & why Demo

4. None
5. None
6. None

7. Is it easy to run Kubernetes platform securely?

8. Not secure by default

9. Security Policies

10. Security Policies

11. OPA vs Kyverno vs VAP

12. VAP vs OPA vs Kyverno

13. OPA vs Kyverno

14. None
15. None
16. None
17. None

18. Where & How

19. Utilize out-of-the- box policies

20. Disallow “latest”

21. Require run as non root user

22. Resource management

23. Sync image pull secret

24. Multi-tenancy

25. Generate Flux Multi-Tenant Resources

26. Clean up

27. Clean up bare pod

28. Clean up bare pod - Grant Kyverno permission

29. Image Signature Verification

30. Verify Image GCP KMS

31. Verify Image Public Key

32. Demo

33. KubeCon Learnings

34. Performance Improve

35. Notary Support

36. GET/POST Support rules: - name: call-extension match: # .... context:

    - name: result apiCall: service: requestType: POST urlPath: http://sample.kyverno- extension/check-namespace data: - key: namespace value: "{{request.namespace}}" validate: message: "namespace {{request.namespace}} is not allowed" deny: conditions: all: - key: "{{ result.allowed }}" operator: EQUALS value: false

37. VAP Adoption Evaluation

38. Wrap up - Why security policy - Other options -

    What’s Kyverno - Where to use it - How to get started - New features to come

39. Thank You