►
From YouTube: Cloud Governance With Infrastructure As Code (IaC) With Kyverno And Crossplane - Dolis Sharma
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Cloud Governance With Infrastructure As Code (IaC) With Kyverno And Crossplane - Dolis Sharma, Nirmata
Speakers: Dolis Sharma
While self-service clusters are desirable, there are many cloud resources that need to be created for a cluster. In an enterprise, these may fall under a different team’s responsibilities. So, how does a cloud or infrastructure team provide the necessary guardrails to ensure that the Kubernetes environments created by developers are compliant with the organization’s security, governance, and cost management standards? In this talk, Dolis shares an approach where Crossplane and Kyverno, both CNCF projects, can be used to provide self-service Kubernetes environments on the cloud for developers with necessary checks and restrictions in place. While Crossplane, an increasingly popular IaC orchestrator running using Kubernetes, is used to provision different infrastructure resources, Kyverno can be utilized to provide governance on what type of resources can be created, by whom, and how the resources are configured. We can automate resource provisioning with governance using Crossplane and Kyverno. In addition to deploying and managing cloud resources, you can also create Kyerno policies to ensure that the generated resources are compliant with your company’s requirements.
A
I
am
a
CK
certified
CKD
I've
done
solution,
architect
and
right
now,
I'm
posting
my
masters
from
John
Airport,
University
and
I'm
based
out
of
Halifax,
which
is
in
Nova
Scotia
Canada.
So
yeah,
let's
talk,
so
what
is
IAC
IAC
is
nothing
but
infrastructure
as
code.
That
means
it
is
automating
your
creation
of
infrastructure
and
provisioning
and
managing
your
infrastructure
using
code.
In
a
nutshell,
it
means
codifying
your
infrastructure,
which
is
great,
but
why
we
need
IAC.
A
What
is
the
challenges
or
what
are
the
problems
with
the
current
system
with
Legacy
applications,
we
have
seen
that
administrators
have
to
manually
create
their
infrastructure.
They
have
to
manage
the
infrastructure
which
takes
a
lot
of
time,
which
takes
a
good
amount
of
cost,
and
also
there
is
a
huge
life
cycle
in
in
France
in
managing
all
the
infrastructure,
with
IAC
approach,
you
can
codify
everything
and
whatever
used
to
take
hours.
A
Now
just
takes
a
matter
of
minutes
or
maybe
even
if
it's,
if
it's
a
small
infrastructure,
maybe
couple
of
seconds
so
now
your
engineers
do
not
have
to
do
the
process
manually.
They
can
just
build
up
the
building
blocks
of
the
project
and
IAC
can
do
the
heavy
lifting
in
a
right
way
right
sizing
and
infrastructure
managing
provisioning,
doing
everything
in
an
automated
fashion.
This
makes
sure
that
the
time
for
production
or
time
to
get
the
product
in
the
market
is
reduced
tremendously.
A
It
increases
in
the
speed
of
deployment,
not
only
that
when
you're
doing
a
couple
of
things
manually,
you
see
that
there
are
human
errors
involved,
so
ISC
cancels
out
everything.
So
you
don't
have
to
worry
about
all
the
human
errors.
All
the
typos,
oh
I,
clicked
here
and
oh
in
a
different
region,
all
kind
of
stuff,
and
then
there
is
a
cost
reduction
to
that.
Now,
when
you
deploy
things
manually
or
when
you
start
managing
things,
what
happens?
Is
you
see
a
consistency?
A
drift
in
your
infrastructure.
A
There
is
a
Miss
in
the
consistency
there
is
configuration
drift
all
the
time
now
there
might
be,
because
there
is
a
change
that
is
ad
hoc.
That
makes
that
makes
that
configuration
drift
between
your
Dev
and
your
production.
This
can
actually
jeopardize
your
deployment
cycle
in
the
long
run
and
also
it
can
increases
or
it
can
make
your
project
vulnerable
in
the
long
run
so
across
so
IAC
nullifies
that
there
is
no
configuration
drift,
because
you
are
automating
everything
you
have
the
single
source
of
Truth.
A
So
it's
auditable
you,
you
just
automate
it
with
single
click.
You
deploy
everything.
So
there
is
no
configuration
drift
and
it
aligns
developers
and
operations
because
developers
can
actually
use
the
same.
Yaml
and
operations
can
also
use
the
same
yaml.
So
it's
more
towards
a
devops
approach.
You
have
this
yaml,
which
is
in
your
source
code.
Storing
it
it's
it's
a
single
truth,
single
source
of
truth.
It's
auditable,
it's
repeatable,
which
is
required
today
to
scale
your
platform
and
scaling
the
platform.
A
A
But
what
are
the
others
that
you
see
in
IAC?
So
when
you
have
the
code
and
when
you
have
it
it
build
up,
it
is
in
the
source
code.
There
might
be
possibilities
if
you
do
not
scan
it.
If
you
do
not
have
the
proper
check,
there
can
be
possibility
that
there
are
security
risks
associated
with
IAC,
as
developers
are
trying
to
bring
their
development
cycles
and
they
are
trying
to
make
sure
the
product
is
released
as
soon
as
possible
on
the
site.
A
On
the
on
the
counter
side,
the
security
team
doesn't
have
a
lot
of
visibility
in
the
code.
They
don't
know
what
has
been
pushed.
What
are
the?
What
does
the
code
look
like?
What
is
the
security
posture
of
that
and
having
that
visibility
applying
those
guard
rails,
applying
those
rules
without
Bridging,
the
Gap
between
devops
and
secops,
becomes
a
real
big
Challenge
and
with
the
current
tools
that
they
are
there
in
the
market.
There
are
a
lot
of
tools
that
are
evolving
in
the
market,
which
has
a
coding
dependency.
So
now
there
are
different
tools.
A
There
are
different
languages
out
there,
so
you
need
to
get
the
right
set
of
people.
You
need
to
build
a
team,
so
it's
not
something
that
everybody
can
do.
It's
not
something
that
your
developer
can
do.
You
have
to
make
sure
there
are
certain
skill
set
of
people
that
are
hired
and
they
are
doing
that.
So
there
is
a
coding
language
dependency
for
that
and
when
you
are,
and
in
the
long
run
there
might
be
some
configuration
drift
as
well.
A
So
when
you're
reconciling
it
manually,
you
need
to
take
a
change
window
or
a
try
and
mine
for
that,
and
if
it
is
not
done
in
the
way
it
should
be,
it
can
create
some
Noble
deadlogs.
So
these
are
some
current
challenges
and
how
cost
cross
plane
can
address
this
challenges.
So
crossbane
uses
kubernetes
API
to
provision
and
manage
your
infrastructure.
A
That
means
with
the
same
Cube
cuddle
command
today,
as
you're
deploying
your
deployments,
you
can
use
you,
can
you
can
create
infrastructure,
you
can
manage
it
using
the
same
command
line,
cross
plane
can
be
deployed
and
your
kubernetes
as
an
add-on.
So
now
think
of
it
like
in
the
cluster
that
you
are
using
to
deploy
your
application,
the
same
cluster
can
be
used.
You
are
actually
extending
the
functionality
of
the
cluster
where
the
same
cluster
can
be
used
to
in
to
provision
infrastructure
and
manage
your
infrastructure.
Cross
plane
uses
the
same
declarative
approach
of
kubernetes.
A
That
means
you
just
have
to
tell
cross
plane
what
is
the
desired
State
and
it
automatically
reconcile
it.
So
all
the
Mana
reconciliation
process,
all
the
debt
law
kind
of
situation.
You
don't
have
to
deal
with
that
and
then
Crossville
has
Version
Control
configuration
it.
Does
it
in
a
Version
Control
deployment
fashion.
That
means
you
have
Version
Control.
So
it's
it's!
You
can
track
it.
You
can.
A
It
becomes
easy
when
you
want
to
roll
back
and
when
you
want
to
troubleshoot
you,
you
know
what
exactly
is
is
being
running
in
that
in
that
platform,
so
that
really
helps
White's
kubernetes
native,
so
it
can
be
easily
integrated
in
kubernetes.
You
don't
have
to
learn
any
coding
language.
That
means
it's
a
simple
yaml,
so
anybody,
if
you're
using
kubernetes
today
your
developer,
might
already
know
that
what
a
communities
looks
like
what
is
a
yaml,
so
they
can
create
their
they
can
they
can.
They
can
read
through
the
yaml.
A
You
don't
require
any
special
skills
or
any
coding
dependency
and
using
this
approach,
what
you
can
do
is
you
can
provide
your
developer
self-service,
so
you
can
provide
them
yaml
and
using
the
CML.
They
can
create
their
own,
maybe
easy,
to
instance,
their
own
infrastructure
before
testing
that
application.
So
you
can
provide
that
self-service
to
the
development
that
they
can
create
their
own
infrastructure.
There
is
no
dependency
between
operations
so
which,
which
leads
towards
a
more
devops
approach,
but
the
challenge
over
here
is
that:
how
do
you
make
sure
that
you
provide
self-service?
A
But
you
also
have
you're
also
making
sure
that
you
have
control
on
that
yaml
in
terms
of
security?
How
do
you
make
sure
that
the
proper
guard
rails
proper
rules,
I
and
compliance
wise
whatever
they
are?
They
are
provisioning.
That's
that's
kosher,
that's
good!
So
that's
where
it
keeps
you
in
a
little
bit
about
keyword
now
so
qrno
means
govern
in
Greek
language.
It's
a
cncf,
intubated
project.
A
It's
a
policy
run
engine
which
runs
as
a
kubernetes
admission
control,
it's
most
popular
stars
as
a
policy
engine,
and
we
have
the
largest
policy
library
of
any
policy
engine.
So
if
you
go
to
kibano.io
and
if
you
see
the
policies
over
there,
we
have
a
huge
set
of
policies
there
and
what
it
can
do
is
it
can
verify
mutate
and
generate
your
kubernetes
resources.
That
means
you
can
add
the
rules
in
a
verify
policy
and
whatever
request
it's
getting.
A
It
just
validates
that,
and
if
it's
good
it
will
allow
it
or
else
it
will
block
it
the
same
way.
If
you
want
it,
if
you
want
keyword
to
mutate
couple
of
things
with
some
kind
of
Trigger
or
generate
something,
kibano
can
do
all
those
ad
automations
for
you
by
the
help
of
policies
so
q1
with
cross
plane.
Why
should
we
use
it?
So
keyword
addresses
IAC
security
risk
which
involves
excessive
privilege
and
compliance
violation.
A
So
some
of
the
security
risks
that
we
were
discussing
that
a
developer
can
do
is
how
do
you
make
sure
that
whatever
Security
Group
a
developer
is
creating
the
ports
are
not
open,
or
how
do
you
make
sure
that
they
are
restricted
to
a
particular
region
or
how
do
you
make
sure
that
they
don't
have
all
the
Privileges
and
they
are
just
restricted
to
what
they
are
supposed
to
create?
So
those
kind
of
checks
is
something
you
were
not
applies.
A
It
enforces
guard
rails
by
deploying
policy,
so
you
can
have
validate
policy,
you
can
have
couple
of
policies
and
you
can
make
sure
that
they
have
the
right
set
of
privilege.
You
have
the
control
where,
as
you
are,
giving
the
ability
for
self-service
as
well,
it
not
only
do
does
verify
mutate
and
generate,
but
it
also
scans
your
deployment
with
errors,
vulnerability
and
insecure
deployment.
So
whatever
deployments
are
running
today,
it's
canceled
and
it
generates
a
report
for
that.
So
you'll
get
a
report
which
will
tell
you
okay,
this
is
failing.
A
This
is
passing
and
you
you'll
get
an
entire
report
of
what
violation
it's
creating.
So
this
way
you'll
get
an
entire
visibility
of
your
cluster
that
what's
going
wrong
and
what
you
have
to
do.
What
is
the
security
posture
of
your
cluster
when
a
keyword
when
keyword
blocks
a
request
in
a
kubernetes
cluster?
It
actually
throws
a
message
to
the
developer
so
that
developers
get
proper
guidance.
A
So
when
I'm
as
a
user,
when,
if
I'm,
deploying
a
yaml
and
that
that
is
blocked,
I
get
a
message
saying
that
okay
you're
not
supposed
to
do
rules
you're
supposed
to
do
this
so
now,
I
get
an
idea
of
what
I
have
to
go
back.
What
I
have
to
work
on
my
ML
and
what
works,
and
this
is
something
that
it
doesn't
like.
It's
not
allowing
me,
so
it
provides
guidance
to
the
developers
and
Engineers
on
remediation
and
deployment
security
and
last
but
not
the
least
riding
policy
is
easy.
So
it's
simple
yaml
file.
A
If
you're
good
with
kubernetes,
you
know
something
about
yaml.
How
does
it
work?
You
can
not
only
deploy
keyword?
No,
and
you
can
not
only
start
writing
deploying
policy,
but
you
can
start
writing
your
own
policy
from
day
one.
So
you
don't
have,
there
is
no
complexity.
There
is
no
coding
in
dependency
and
nothing
over
there.
A
Perfect
so
I
have
a
kubernetes
cluster
over
here
and
let
me
see
if
it's
still
up
because
I
had
created
it
yesterday.
So
this
is
basically
a
kind
cluster
which
has
one
node,
okay.
So
it's
here,
so
it
is
basically
a
kind
cluster
with
one
node
and
I
have
done
some
of
the
configuration
configuration
like
I
have
deployed
cross
plane
over
here.
So
if
I
have
to
quickly
show
you
what
it
looks
like
for
stash
yeah.
So
this
is
the
cross
plane
setup.
A
My
pods
are
running,
so
it
looks
good
I've
done
it
using
a
Helm
command.
So
it's
it's
available
out
there.
You
can
check
it
out
and
then
there
are
some
providers
that
it
requires
so
that
it
can
talk
to
your
AWS,
and
this
is
my
provider
that
I've
used
I'm
using
I'm,
selecting,
AWS
and
I
have
set
up
my
credentials
and
everything.
It's
it's
referring
the
secret
which
has
the
credential.
That's
how
CrossFit
actually
integrates
to
AWS
so
I
have
the
setup
ready
over
here
and
I
also
have
Cubano,
but
I
can
quickly
check
it.
A
So
I
have
my
kivano
pod
running
and
you
don't
need
anything
to
do.
You
just
have
a
cube
cuddle
or
you
can
use
help
and
you
can
deploy
keyword.
No,
that's
it
so
I
have
keyword
running
here
as
well.
So
let's
dive
deeper
into
how
you
can
create
infrastructure
and
with
policies
so
I
have
a
couple
of
them
and
I'll
quickly
bring
up
one
of
one
of
it.
A
A
That's
that's
an
instance
in
in
that's
that's
an
instance
kind
and
then
it's
creating
it's
taking
a
provider
which
is
which
is
default
configurations
and
you
will
see
for
providers
it's
it's
taking
my
Subnet
ID
image,
ID
and
all
the
standard
configuration.
So
whatever
you
do
when
you
go
to
AWS
and
you
launch
an
ec2
instance
and
fill
in
all
the
steps
that
that
you
do
manually,
you
can
put
it
in
the
same
yaml,
the
subnet,
the
security
group,
the
roles.
A
A
A
So
this
is
an
instance
that
is
coming
over
here:
one
zero:
six,
let
me
verify
that
there
you
go
so
this
is
how
it
is.
It
is
created,
it's
it's
very
simple
and
it's
initializing
right
now,
so
cross
print
will
do
its
check
and
it
will,
in
your
cluster
you'll,
see
it
ready
once
those
checks
are
performed.
So
this
is
how
you
can
easily
create
an
instance
using
a
yaml
file.
A
You
don't
have
to
do
all
the
10
different
steps
that
you're
doing
today
manually
and
if
I
have
to
show
you
a
bucket
example
as
well
that
I
have
over
here,
and
this
is
a
standard
standard
infrastructure
that
a
developer
actually
requires
from
time
to
time.
So
this
is
a
bucket
example
and
you'll
see
it's
the
same
kind
of
yaml.
Maybe
I
can
put
it
in
a
code
so
that
it
purifies
it
yeah.
So
this
is
a
bucket
over
here
and
you'll
see
the
ACLS
the
locations.
A
If
you
want
to
have
server-side
encryption,
all
those
settings
that
you're
using
today
to
to
create
an
S3
bucket,
you
can
throw
it
in
the
yaml
and
you
can
deploy
it
and
you
deploy
it
in
the
same
way.
You
just
do
the
same
thing
and
it's
created
and
if
I
have
to
look
and
that's
that's
there,
you
go
so
it's
it's
true.
A
So
it
tells
you
the
event,
so
it's
not
that
whenever
it's
not
created
you,
don't
you
don't
know
you
have
to
log
into
AWS.
That's
that's
not
right,
you
can.
You
can
actually
get
all
the
details
over
here
and,
oh,
maybe
I'll
just
refresh
and
it
will.
It
will
go
in
so
here
I
should
see
an
S3
bucket
created
in
the
back
end
and
there
should
be
one
there
you
go.
This
is
the
one.
A
So
that
was
about
Institute,
of
instance,
creation
and
S3
bucket.
Now
the
Crosman
also
have
some
more
use
cases,
some
more
complicated
use
cases
like
creating
an
eks
clusters,
so
they
have
Composites.
They
have
something
called
composite
resources,
so
you
can
create
a
yaml
where
you
have
an
entire
e
case
cluster,
not
only
that,
along
with
the
eks
cluster,
it
creates
all
the
dependencies
like
VPC
subnet,
all
those
prerequises
that
you
have.
You
have
to
do
to
create
an
eks
cluster.
A
You
can
put
it
in
a
yaml
and
with
just
Cube
CDL
apply
you
can
you
can
bring
up
your
eks
cluster
and
you
can
provide
this
self-service
to
your
developers
now.
This
is
this
looks
good,
but
how
do
you
make
sure,
for
example,
when
I
have
when
I,
when
I
bought
up
the
ec2
instance
or
even
a
bucket
for
for
to
start
with
now?
How
do
you
make
sure
that
this
bucket
is
private?
You
have
a
private
section
over
there.
A
How
do
you
make
sure
that
a
developer
is
not
making
it
public
or
maybe
doing
some
some
some
typo?
And
maybe
it's
not
public?
How
do
you
make
sure
that
the
proper
guard
rails
and
rules
are
applied
and
you
are
providing
just
the
amount
of
control
a
developer
required?
So
that's
where
QR
note
comes
in
and
that's
how
we
can
we
work?
That's
what
we
can
do
using
policies.
I
can
quickly
show
you.
What
does
a
policy
look
like
before
I
apply
that
and
before
I
show
that
how
it's
going
to
deny
those
so.
A
This
is
an
easy
to
restrict
policy
here
and
you'll
see
that
this
is
a
kibana
policy.
Again,
it's
a
yaml
file.
So
if
you
go
through
that,
even
if
having
no
knowledge
about
kuberno
having
no
knowledge
about
cross
pane,
you'll
be
you'll,
you'll
easily
understand
have
a
little
bit
of
idea
of
what
it
is
doing.
So
this
policy
is
a
cluster
policy.
It's
a
kubernet
Polish
policy.
A
There
are
a
couple
of
annotations
over
here
and
just
just
so
it
becomes
easy
to
describe
that
policy,
and
you
can
you
can
you
know
you
provide
some
description
just
so
that
you
can
identify
that
policy,
so
there
are
particular
specs
over
here
and
then
there
is
a
rule,
so
this
rule
is
going
to
match
the
resource
with
instance.
So
it's
going
to
be
just
applied
to
your
instance
and
you
are
validating
it
with
instance
type.
A
So
this
policy
tells
you
that
you
cannot
create
any
other
instance
apart
for
T3
medium,
and
you
see
this
use
cases
all
the
time
for
cost
optimization.
You
don't
want
any
big
instance
running
out
there
and
just
you
know
we
are
spending
a
lot
of
bugs
out
there
because
of
a
big
instance
for
a
small
application.
So
you
want
to
put
guardrails.
A
So
this
policy
is
easy,
so
this
is
ready,
it
says,
enforce
so
policy
is
kubernet.
Policy
basically
has
two
more
it
has
enforce
and
it
has
audit
audit
mode
is
not
going
to
block
any
kind
of
request.
Is
General
one
create
a
report
for
you
and
it's
not
going
to
block
it's
it's
a
soft
limit
kind
of
thing
where
you
do
not
block
anything,
but
you
still
get
the
visibility
of
seeing.
What
is
the
cluster
security
posture
and
enforce
is
going
to
block
it
as
well
as
create
a
report
for
you.
A
A
A
So
once
my
cluster
instance
is
cleaned
up,
you'll
see
that
I
applied
it
again,
and
it
tells
me
that
error
from
the
server
this
is
this
validation
keyword,
no
fail
denied
the
request.
It
also
tells
you
what
is
the
error
message
so
over
here?
It
tells
you
that,
and
you
can
customize
this
message.
Actually
this
message
was
there
in
my
policy,
if
you,
if
you
see
in
the
message
section
so
you
can
customize
it,
it
tells
you
that
using
an
instance,
type
other
than
T3
medium
is
not
allowed.
A
So
me,
being
a
developer
actually
understands
that.
Okay,
they
don't
like
T3
medium.
They
only
allow
that
they
don't
like
M1
small.
So
let
me
go
back
and
change
it
and
come
back,
so
it
gives
you
guidance
for
the
developers
to
remediate
their
their
yamls,
and
we
also
have
one
more
I
also
have
one
more
policy
that
is
an
S3
policy.
I
can
bring
that
up
as
well.
A
And
this
is
an
S3
restrict
policy,
and
this
is
again
a
cluster
policy.
There
are
a
couple
of
descriptions.
It's
it's
again
in
enforce
mode.
You
can
change
it
in
audit
mode,
and
this
is
a
validate
policy,
so
it's
gonna
get.
It
will
be
applied
just
on
buckets
and
there
is
a
validate
rule
over
here
which
says
that
your
location
constraint
should
only
be
us
West
one.
A
So
there
you
want
your
users
or
you
want
your
developers
to
be
sticking
to
only
one
region
just
to
just
to
maintain
hygiene
and
just
to
make
sure
that
there
are
no
still
resources
in
any
other
regions.
So
you
can.
You
can
do
this
by
that.
Using
this
policy,
a
developer
can
only
create
an
instance
in
US
West
one.
A
Any
other
resources
created
in
any
other
region
will
be
blocked
so
yeah,
that's
one
and
I'm
not
gonna
apply
this
and
it's
the
same
kind
of
thing
it's
going
to
do
which
it
did
for
ec2
instance,
District
policy,
but
I
can
show
you
one
more.
That
is
a
mutate
policy.
I
can
I
can
show
you.
How
does
the
structure
looks
like?
A
So?
This
is
an
auto,
create
S3,
bucket
policy
and
it's
an
interesting
policy
you'll
see
that
this
is
a
generate
policy.
So
what
over
here
kuberno
is
doing
is
there
is
a
rule
and
it's
again
applied
on
instance,
and
it's
going
to
generate
this
resource
for
you.
That
means
it's
going
to
generate
an
sc
bucket
for
you.
So
whenever
an
instance
is
created,
it
gets
a
trigger
and
then
it
generates
a
bucket
for
you.
So
this
is
using
such
kind
of
policies
using
generate
policy.
A
A
So
yeah,
this
is
the
couple
of
policies
that
we
have
seen.
So
these
are
some
yaml
files
that
I
have
taken.
Screenshots
of-
and
let's
talk
about
the
summary.
So
what
did
we
discuss
in
today's
session?
Was
that
IAC
is
necessary?
We
want
to
automate
couple
of
things.
We
want
to
codify
automatic
automate
everything
you
want
to
have
Version
Control,
all
of
that
stuff,
so
IAC
is
necessary,
but
there
are
a
couple
of
challenges.
There
are
challenges
like
security
risk.
A
There
are
challenges
like
declarative
style
approach
when
you're,
when
you're
using
IAC
in
kubernetes,
so
Cross
Pin
helps
you
to
address
couple
of
challenges.
Crossland
runs
on
a
kubernetes
use
the
same
API,
so
it's
kubernetes
native
easily
integrated
through
kubernetes.
But
what
about
the
security
risk?
That's
where
kiwano
helps
you
so
kuberno
addresses
all
the
security
risk.
It
provides
proper
rules
and
guard
rails,
so
you
can
use
cross
plane
to
provide
self-service
and
you
can
use
Cuba
to
make
sure
that
your
those
those
self-services
you
have
proper
control
over
those
self-service
cool,
so
yeah.
A
C
So
when
policy
started
to
find
and
as
people
started
using
cross
playing
to
provision
their
infrastructure,
is
there
a
way
or
is
there
already
a
solution
for
reporting
on?
What
are
the
violations
that
people
are
bumping
into?
Some
sort
of
like
people
are
trying
to
create
S3
buckets
this
way
and
do
we
have
100
violations
for
this.
A
Yeah,
so
yes,
there
are
I'm,
I
can
just
I
can
get
a
command
real
quickly.
So
yes,
there
are.
There
are
ways
that
you
can
get
the
policy
report.
In
fact
people
know,
has
some
integration
from
for
grafana
and
Prometheus.
So
you
can
get
all
the
policies
that
you
can
put
it
in
a
more
structured,
dashboard
or
you'll
see
the
policies
over
here.
So
you
can
get
the
policy
report
using
the
sub
command
and
if
you
describe
this
right
now
there
is
no
violations.
E
A
Platform-
that's
that's
a
very
good
question
so
when
you're
using
composition
in
Cross
plane,
so
the
the
complicated
use
cases
that
I
was
talking
about
is
you
create
a
yaml
and
you
create
an
eks
cluster,
but
you
might
know
that
AWS
provides
some
best
practices
for
eks
cluster,
so
they
have
some
best
practices
that
your
eks
cluster
should
be
private.
Your
Eclipse
cluster
should
have
this
many
Security
Group
support
open.
So
how
do
you
make
sure
that
that
yaml
doesn't
have
public
by
chance?
A
F
A
Talk
through
that,
so
this
is
what
the
policy
structure
looks
like,
so
policy
structure
have
a
rule
and
then
it
has
a
match
and
an
exclude
condition
so
in
match.
I
had
this
instance
match
it
with
instance,
but
if
you
have
some
exceptions
like
okay,
this
user
can
is
an
admin
user
it
can
he
or
she
can
do
some
couple
of
things
you
can
put
it
in
the
exclude
section.
So,
yes,
that's
that's
doable
you
can
you
can
use
the
match
and
exclude
section
and
you
can
you
can
create
your
own
policy.
G
A
Yeah,
so
what
you
can
do
is
you
can?
Whatever
the
standard
compliances
of
your
organization
has,
you
can
have
have
the
have
the
rules
defined
in
kuberno
and
they'll
just
get
blocked
with
that
cube
in
in
keyword
knows
application.
So
your
keyword,
no
and
your
policies
will
be
used
by
your
secop
team.
There
is
you,
can
you
you
will
be
administrating
or
you
will
be
managing
the
policies,
whereas
developers
will
just
have
crosslane
yaml.
So
if
they
don't
have
the
yaml
right
way,
that
is
going
to
be
get
blocked
with
them.
A
Okay,
so
what
you
can
do
is
policy.
There
is
something
called
messages,
so
there
is
a
section
here,
so
you
were
seeing
when
there
was
certain
requests
if
I
have,
if
I
can
go
up-
and
you
see
there
is
this
request
that
came
up
right,
so
it
tells
me
that
is
not
allowed
through
this.
This
is
what
your
developer
is
gonna
see,
and
this
is
coming
from
this
message
over
here,
so
you
can
customize
it
you
can,
you
can
put
it,
you
can
communicate
it
that
way.
A
I'm
gonna,
just
repeat
what
I
understand
your
question
is
that
can
we
use
Cubano
for
any
kubernetes
resource
or
is
just
for
cross
plane?
Yes,
yeah,
so
you
can
use
Kevin
for
any
of
the
resources.
If
you
go
in
kiberno
dot
IO
over
here
and
if
you
go
to
policy
section,
we
have
232
policies
which
is
for
for
everything
you
can.
You
can
have
a
policy
for
any
use
case,
and
this
is
a
simple
policy.
B
D
So
I'm
trying
to
create
like
a
bucket,
that's
public
and
in
the
wrong
region.
How
so
I'm,
failing
because
I'm,
making
it
public
and
I'm
also
failing
because
I'm
putting
it
in
the
wrong
region,
will
I
get
two
messages
or
will
I
get?
You
can't
put
it
in
the
region,
then
you
fix
the
region
and
then
you
try
again
and
now
you're
getting
it
can't
be
public
and.
A
Yeah
yeah,
so
you'll
get
only
the
message
that
you're
applying
for
your
yaml,
so
whatever
violation
your
yaml
has
you're
gonna
get
message
only
for
that,
and
only
that
you
will
see.
I
don't
have
the
you
will.
You
will
have
this
described
policy
report
so
using
this
command.
You
can
actually
describe
the
results,
so
this
command
will
give
you
this
Command
right
now.
A
I,
don't
have
any
policy
audit
over
here,
but
because
I'm
not
using
a
lot
of
resource
on
this
cluster,
but
using
this
command
you'll
get
all
the
policies
and
using
this
described
command
specifically
results
on
what
is
failing,
or
what
is
that
policy
that
you
want
it?
You
can
most
dig
deeper
and
segregate
in
what
exactly
the
description
is.
I
Okay,
you
know
my
yaml
is
not
adhering
to
the
policy
right.
So
what
is
like?
What
is
the
best
way?
I
think
someone
asked
here
the
question.
So
what
is
the
best
way?
I
can
know
that
you
know
whatever
whatever
I'm
entering
the
is
it
like.
You
know,
adhering
to
the
policy
or
not
like
what
what
are
the
so,
if
I
want
to
choose
between,
like
the
composition
versus
cure,
no
like
what
are
the
basically
the
pros
and
cons
for
both
of
these.
A
Of
course,
the
messaging
as
I
said
earlier,
that
messaging
actually
helps
for
you
to
communicate
to
your
developers
that
why
the
reason
the
policy
is
failing
and
you
see
that
they
don't
have
to
debug
or
troubleshoot-
why
it's
failing?
The
message
is
very
clear
that
there
is
something
wrong
in
your
yaml
right.
You
can.
You
can
use
that
and
when
we
talk
about
whatever
the
yaml
you
are
applying
and
whatever
it's
getting
violated,
you
will
have
the
the
exact
message
over
there.
A
So
there
might
be
other
policies
that
might
be
applicable
for
other
yamls,
but
you'll
not
see
that
you'll
only
see
the
Restriction.
According
to
your
rules
applied
for
only
that
yaml
for
more
visibility.
You
can
integrate
that
reports
to
grafana
Prometheus
and
you
can
have
a
more
visualizing,
but
if
you
want
to
communicate
it's
it's,
if
the
question
is,
how
do
I
communicate
messages
is
the
best
best
option.
You
can
do
that.