Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Cloud Native Policy Deep Dive - Zhipeng Huang, Huawei & Erica von Buelow, Red Hat
In this session we will discuss many open source initiatives that the Policy WG has been discussing, including policy formal verification, the Policy Violation CRD, the Runtime Policy Interface, and so forth.
https://sched.co/ZeuS
A: Okay, welcome to the KubeCon Europe virtual summit. This is the Policy Working Group deep dive session. I'm from Huawei, and Erica.
A: Okay, we're going to be talking about all the development happening in the Policy Working Group in Kubernetes, as well as at the CNCF SIG Security level. Okay, we'll be just basically talking through all the interesting things.
A: Okay, this is who we are, from the markdown files.
B: Join us regularly on Wednesdays, or every other Wednesday, around 4 p.m. We should update that, yeah.
A: Okay, I think, yeah, this slide is about... So I think we've been seeing trends, like tidal waves. So Kubernetes, like Envoy, no doubt is the first wave, about the cloud native platform. Then we see the emphasis on Prometheus, Jaeger, OpenTracing; people are starting to focus on observability. And now I think people are really turning their attention to policies and security, right.
A: We see OPA making, like, big stages; cloud native TUF, Notary from the NYU team; and we see Falco and a couple of other really interesting projects. Yep, I think this is where me and Robert got into a really interesting discussion on the slide.
A: What is cloud native policy? Well, this is, I think, the bullet points are, like, the things we hope cloud native policy could become. So I think it goes beyond auditing and compliance. By that I mean, like, we are seeing things for, like, resource management, and probably many other interesting areas. So it's all-encompassing.
A: And I think Robert makes a good point, like, it's via the correct tooling that policy could help automate security and many other areas, but policy itself rarely automates security, yeah. And, yeah, policies are usually, like, logic. So it's definitely different from config.
A: I've been having problems with, like, just having a YAML-based config system. You call it a declarative system; it's not.
A: Yeah, not necessarily so. But if you have a policy-based system, it will be a really nice declarative system, meaning you could talk logic, like human-readable logic, to that system. Yeah. That's very declarative. Okay, end-to-end abstraction, yeah. We are not there yet, but hopefully we can have, like, the policy descriptions and policy-driven mechanisms on each layer.
A: Yeah, Open Policy Agent; we have, like, Cilium for, like, policy toward eBPF. We have Falco doing things for runtime policy; that's pretty low level, right. And hopefully, in the near future, we can have multi-layer policy mechanisms. Then we have the end-to-end abstraction, like at every layer we have a way to talk to them, using logic to talk to them, and, yeah, bring libraries to the cloud, right. It's human-talking logic, not config files; that's machine language. But yeah, that's just something I thought.
B: Yeah, it's a... whereas config is... you're about... it's not... The policy can be configured, and configuration can... yeah, they're related, but not the same, yeah. I think that's interesting, that policy is dynamic in some sense, or how do you take a set of principles and make decisions based on dynamic data in a...
A: Yep, I think I incorporated a lot of Robert's comments already here, yeah, so I think he made a great point. Controls are needed because human policies define what controls and what implements that control.
B: Just, is this working on your screen? Nope, nope. There we go.
A: Yeah, I think this is Robert's Guardian proposal.
A: Yeah, yeah, we haven't done a lot in this year, but in the past, the white paper, yeah, the really interesting part is we did a lot of case studies in, like, interesting projects, and the team came over to talk about what they are using policy for and what they are hoping policy could achieve.
B: Also, we get to geek out and ask questions to all of the really cool projects. So if these are interesting, you can check on YouTube for the presentations.
B: Istio, of course, the service mesh. Cilium is also... is it considered a service mesh at all? The... with the... Yeah, though, using BPF, we... yeah.
A: Yeah, yeah, so I think Jim, especially, Jim has done a lot of work, really great work. And, yeah, Kyverno is a... can we see another policy engine in addition to OPA?
B: But OPA as a whole system, right, that contains a policy-specific language to implement, a database to store the policies, you know, certain plugins, the agents to help you enforce the policy.
B: Running, so that's where Kyverno comes in: where, upon creating a namespace, what kind of certain resources automatically need to be created, for instance role bindings, and other controls block those who shouldn't be able to do something; and more specific validation or mutation control, marking resources automatically with certain labels, or, you know, directing pods in their scheduling automatically based on the namespace, or validating that only certain labels are used.
A: Yeah, I still remember they had a great presentation. I think they mentioned they actually use Google Groups for their, like, tenancy system, which is really, really interesting.
B: Thinking from their base, from, like, the employee level, all the way down.
A: Yeah, they mentioned they are running a really big workload on Kubernetes and, like, each department has to be isolated from each other, for whatever reason, and then they have k-rail developed to deal with their specific situations.
A: Yeah, I only remember we did a couple of sessions with the Falco team, but... lost track of how things... how things... Yeah, but this is, I think this is one really interesting thing, for policy to happen on a low level, a really low level.
B: So one thing we want to do is standardize what that looks like, so that tools can be more easily interchanged and that, you know, tools truly built on top of these can interact together. That brings us to our first policy project custom resource, the policy report. A project, sure, yeah.
B: Yeah, you know, make sure that, you know, you're not running malicious containers. This one's from Aqua Security.
B: Yeah, making a presentation... it, you know, makes sure that you're running only validated images, vulnerabilities with it. It comes with a pretty nice dashboard interface as well. I think it's, yeah, mostly... not some... a direct image... as a scanner... to show it right now, and I think there are some future plans.
B: I believe kube-bench is, like, are you following best practices? CIS benchmarks.
B: Our interface... we have a couple, a few things in place. The policy report is meant to capture a higher level, not necessarily a, like, second-by-second report, but, you know, a report at the level that makes sense to be stored as a custom resource in Kubernetes, in etcd. We want it to be flexible enough to show what all these different tools and compliance needs.
B: We have some examples within the policy prototypes GitHub repo. I think Kyverno and the multi-cluster project from Red Hat have some examples submitted of the kind of policy reports that they would be creating with their tools.
A: Okay, we have scope, summary, results, hey. This is pretty nice.
B: Yeah, I think it's one of those things where it turns out, having more input, you get better things and learn things you didn't know. Maybe I should go... We have the alpha sort of merged into that repo.
A: All right, this is our, like, our four deliverables so far, how they fit into the big picture, I think. So we have CRDs, we have formal verification, very interesting. We have... try to have a standard way to interact, and the RPI is for the data plane.