Cloud Native Computing Foundation Kubernetes Community Days Bangalore 2022, 11 May 2022

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Workshop6 : Kyverno

Description

Kyverno (which means “govern” in Greek) is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate any configuration data or Kubernetes resources plus ensure OCI image supply chain security. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.

While the declarative nature of Kubernetes makes it very powerful, and provides self-healing capabilities, it also greatly increases the amount of configuration that has to be managed. To properly declare and control state, Kubernetes provides a lot of configuration knobs – and these will keep growing over time as new capabilities are added. Another challenge is determining whose responsibility it is to configure the right settings, for security, best practices, and standardization.

The solution to this challenge is to use policies to validate configurations for best practices and security compliance, and also automatically modify and generate additional configurations when needed.

If you are operating Kubernetes environments, check out Kyverno to help address Kubernetes complexity and easily enforce security and best practice policies across clusters and workloads.

A

So hello, everybody welcome to the juvenile shop on the kubernetes community workday. So uh we're very excited to be able to speak here and uh just right before we start this workshop a little a quick introduction of the speakers. Today we have critique pandy, venkatesh and me myself here uh petiquentish. Would you like to introduce yourself a little bit more.

B

Yeah, that's the name so this my name is pratik pandey, I'm a senior software engineer at mata, uh I'm also called co-contributor to a covenant project and in the past I used to contribute and maintainer of a project called opening base and still I'm contributing to that and as part of my kubernetes journey uh started back in 2017, I started contributing kubernetes as well, and right now, member of copenhagen and active in sexual relations as well.

B

C

Thanks pratik, my name.

B

C

I'm working at the senior software engineer and I'm also the maintainer of the keyword know so this is my giveaway- is my first open source project so and.

D

This is also my.

C

First presentation for the qr code, so thank you.

D

A

Thank you pratik and blacktisch hello. Everyone uh again, this is my shooting. This is shooting down and uh I'm currently working on the mother as a senior software engineer, and uh so I'm leading the kubernetes project development as well as help manage the equivalent releases right. That's about me so a quick overview of today's topic. We're gonna start with kubernetes policies. What can the policy does do for you? What can they achieve and then we're going to talk about a little bit more about caverno and try to understand?

A

What's what are the operation modes of kubernetes and how that can help in your quantities? Cluster, with like the security and automating the configurations and then we're going to review the architecture of kubernetes together like what does it mean if you install kubernetes as an emission controller in the cluster and also uh what are the like available tools inside kevin, for example the cli and after that, we're going to look at the coveral policies?

A

What the policy looks like just you know quickly: go through the policy structures and then we're going to have demos for different types of policies covering like the major features in kiverno, and also how you can use coi, locally or integrated in ufci city pipeline to test and verify policies, statically right and then I'll pratik. One of folks today will demonstrate the sample policy library.

A

We have and also call out, uh like the twos from cloud yoga integrated for kevin and with that we're gonna submit uh summarize the today's workshop and save some time for the questions and answers.

A

And obviously, if you have any questions in between while we're presenting or demoing the the policies feel free to post it in chat or ask lively all right so to get started. uh We're gonna first understand what are kubernetes policies and how it can helps in your kubernetes cluster, managing uh all different configurations of resources right, so policies are really a contract that can be configured in the cluster across different rows that are sharing the class or, for example, the developers securities operations. It's it's. It is important that you have this.

A

This kind of best practice standards enforced at the cluster level whenever, like you, have different teams or the roles sharing the cluster and uh policies in kubernetes can do a lot of things for you in different aspects, for example uh like to manage the applications, especially the part and workloads in the cluster. It's really important to prove the security settings and even to automate that configurations using the policies and, as you know, kubernetes is extremely powerful and in its declarative configuration of resources, it can be. You know, trivial, but not easy, to manage those configurations.

A

So policies here can help you eliminate at least the misconfigurations, as well as reduce the complexity when you're configuring. Those resources right and there are also uh could be different types of rows- that sharing the cluster.

A

Like the the developers, the ops team, your security team- that, especially in the cases you want you're, sharing the same applications with multiple instances like as a sas provider. It's it's important that you can manage those configurations at scale and automate as much as possible of these configurations right and not just for the security settings. It is also important. You know to promote the best practices for the cluster and also have that sort of automation, of like the default configurations of your resources and constructs in the in the classroom.

A

Imagine if you don't have any policy configured for your cluster, especially when you have a shared cluster right uh like the production cluster, but the cluster could be easily destroyed and be messed up within a few minutes.

A

So with that being said, uh we're introducing kiberno as a kubernetes policy engine that can be installed in the kubernetes cluster, which helps in securing or like validating the configurations, as well as as well as automating the the resources.

A

uh Just a quick note, just like kubernetes what kubernetes means pilot in greek kiverno is another greek word means govern, and uh kyreno is really just a kubernetes native policy engine that helps you define the policies using a kubernetes compliant manifest that um you know basically restrict uh the constraints of your kubernetes resources and kubernetes leverages.

A

The the emission controller or the emission web bug in the kubernetes to validate mutate, generate resources, as well as verify images and, in addition to you know, operates as animation controller kivernal cli is also available for you to integrate in any of your ci cd pipelines like the github actions, gitlab circle, ca and other tools right to to help you analyze policy, statically or just test policies locally and uh using kubernetes policies.

A

It ensures the configurations and compliance with the security settings and best practices, standards for your applications and resources in kubernetes and like as one of the audience raised this question before what makes kiberno or why should we use kiverno? One important thing is that kiverno does not require any learning curve. You do not need to learn a new language in order to define policies.

A

Everything is native to kubernetes, so you can reuse your con. The concepts that you are already familiar with to define the policies and the declarative manner like just like what other kubernetes resource does and uh last, but not the least creating and managing to rental policies, is easy. It's really easy to use.

A

It's really to uh it's really easy use uh using existing tools and all we have this central policy library which pratik gonna showcase uh available on through our website, uh which provides up to 140 policies that you can. You know which are fun fundamental for you and easy for you to get started with.

A

All right uh with that being said, kiverno, like all different uh features. We've introduced in caverno, really helps simplify the kubernetes policy management like including its validate mutate generate ability, as well as verify the container images, and you know the policy results are stored and audit in this policy report. Custom resource, which was originated from the kubernetes work policy working group that can be easily accessed and processed using a group, cuddle command or other similar tubes right and since kverno is kubernetes native.

A

It supports all commodities type types, including custom resource, which means you can define policies in any of the resources that is naturally or registered in the kubernetes cluster, and with that, the labels, the annotations or those sort of concepts can be used uh in infernal policy. Definition to you know, select and filter the resources during the policy application.

A

All right, uh so here is just uh like a quick reference about the comparison of kubernetes policy engine between kiverno and opaque gatekeeper, as some of the folks may know this. This gatekeeper provided integrated in kubernetes and it leverages oppa as a policy engine, and you know it requires uh you to learn the rego in order to define the policy constraints and templates as such. And uh you know the this comparison is very detailed and compressed comprehensive.

A

um The recording is available on youtube, so feel free to uh use that as a reference of the comparison between different uh policy engines in kubernetes, and uh I think there are also k, rail and warden and other policy engines that are available in kubernetes, but if you're interested, we can uh check this offline like for the for the detailed comparison. So just for your interest. I attach this recording here.

A

All right, so, let's look at some of the common use cases we've seen from the kiverno users, as well as from the kirono community right. So, as you know, pod security policy is one of the fundamental steps in securing kubernetes and kubernetes by default, provides a set of out-of-box sample policies enforcing the pod security settings on the on the on the pod uh on the pod itself and workload as well. So beyond pod security.

A

It is also important to secure other resource configurations, like secrets, name spaces and setting up ingresses, and there are also we're also saying that not often but new cves and new vulnerabilities are reported, um which can be prevented by through the kubernetes configurations right so kiberno.

A

We, we also added a few uh sample policies for that to enforce the cve or to prevent the cves vulnerabilities in cavernal, sample libraries, and one of the interesting use cases we commonly see is from is on the automation side right to mutating the resources or to generate new resources in your cluster.

A

um The use case like multi-tenancy. When do you when you want to build a like a namespace-based, multi-tenancy environment? How do you automate that process as much as possible? How do you automate that configuration uh is is, is one of the use case for kubernetes right and even automating.

A

The labeling of the resource and injection of the sac car container, along with the months or the certificate, is another like an interesting use case that you can use to policy to address and last this image signing or to verify the image signatures and the test stations and securing the supply chain. Security is one other one. Other use cases that has been you know become the top priority from folks, and we provide out a box image, wi-fi rule for that, for you to verify the signatures and others.

A

All right, this, those concepts been all set, I'd like to pause here a little bit and see if there's any questions regarding uh like the kivernal policies, what can kaverno achieve and the use cases.

A

So I'm happy to answer any of them.

A

Okay looks like there's no questions here. All right. Let's continue with the architecture overview, so uh we've talked about what kirono can do like. How can you use kirono policy to enforce the the security settings as well, as do some other like uh mutate and automating, the the defaults we're gonna review the architecture of kubernetes? What does it mean if you install kubernetes in your cluster right so basically at high level? Kirino consisted of these three components.

A

uh The first one is the sweatbox server, which registers as an emission controller and leverages the kubernetes admission webpage to receive admission request and then mutate and validate configurations in those resources and return. The emission response responses, along with the emission response and the second component here, is the generator controller. As you know, kiberno has this ability to generate resources based on different triggers.

A

The generate controller here keeps watching for the generate request, which, by the way is another custom resource managed by kiverno and then applies generate policies uh and generate resources to the cluster and the last main component in kiberno. Is this policy controller, which is also called the background controller which periodically scans the existing resources in the kubernetes cluster and apply policies to generate policy reports and store it as a pulse report cr, as I mentioned earlier and in the cluster, so that you can view this historical data? The policy results through coop cuddle command.

A

All right and if the kiberno is installed in the cluster, these are the physical artifacts that that's going to be created in your cluster as well.

A

So kubernetes runs as a deployment and you can spin up multiple instances or the parts of this deployment based on the configuration and it also installs a service to distribute, uh like the admission request, evaluate through different instances across different instances of kernel pod, and then uh there will be a config map service account and secret being created inside the caverno namespace, and this namespace can be customized based on your needs, and these are the resources like on the second half of this diagram.

A

These are the cluster resources that kiverno registered and created uh in order to serve as a mission controller.

A

Okay, so now, let's look at uh what a covernal policy looks like and you know just to quickly go through or to explain the policy structure, and then we will have uh demos, multiple demos, prepared for policies and see how that can be applied in action, so keep running policy.

A

It really is a set of rules, and in each rule there will be a match and exclude block for you to select and filter the resources.

A

And you know if caverno operates as an emission controller, you can match and exclude resources based on all different kinds of informations. In the admission request, and once that's that's been done once that's completed, you can filter, you know you have. You will have a filtered rules set of rules to be applied to the resources uh in order to mutate, inject defaults, validate configurations generate new resources, as well as verify container images for signatures and attestations right and a few things to know.

A

That is when, when you, when the parental policies are applied, there is really no dependencies across all the policies or the rules. So each rule is applied. Dependently- and uh you know, the response will be returned along with the initial response and you can reel that response using the command. So if you send the request using cuddle command, you'll see the result immediately and um if you have like the validate policy defined in the audit mode and then you will see the policy result in the format of the policy report.

A

Okay, so here's a quick example of a validate policy. If you look at this partial fragment here, it's just the validate policy that looking for metadata in your kubernetes pod and it says it and it checks that this label has to be present and matched in any of your kubernetes pod right. So this is just an a basic example that is nice to for demo, but uh actually in the real world there are like more complex use cases which can be addressed using kverno.

A

So we're going to talk about different features to support that to allow you to define policies in flexible manner to achieve those complex.

A

Logic, all right, so, let's take a closer look at a validate policy right, so here this policy, you can define a validate policy using the overlay style, with patents to specify the desired state, and this central policy is another type of valid policy which is just to deny the resources based on the configured or the given groups, resources and kinds. So this policy can be used to check the deprecated resources and potentially reject the resource creation and within a validate policy.

A

The wildcard magic match is supported and you can use different operators for the comparison in order to make the policy decision- and uh you know for a cuberno mutate policy, you can either define the policy in the json patch format, which allows you you can use for precise updates and also you can define a mutate policy using this strategic, merge patch overlay style, which is also leveraged, leveraged and customized.

A

So with that, you can inject like the defaults or automation, automate some label uh labels in your resources and do other stuff, like the container injection.

A

And uh cabrino generate policy, so basically, there are two resources involved in this generate policy. We call it the source resource, which is basically the trigger of the generate policy and the target resource which can be defined in the policy itself. To you know just to specify the configuration of the resources you want kubernetes to be created to the cluster and uh as an example. Here it is a like. A january policy contains the data data block it'll, you know physically generates this new network policy inside the namespace.

A

uh With all these configurations and another type of generate policy is the ability to clone existing resources from a different namespace and copy inline data, and and generate that resource into a different name, space and optionally. You can keep those data in sync across namespaces, or you just want to. You know initially copy those data over and leave it there.

A

Okay, so let the last type of policy that is available in kubernetes is the so-called image verification rule. So uh you can use that to verify the container images for attestations for image signatures and also you know, query the data from the uh image information configuration that can be leveraged further in the in some other keyword.

A

Policies like mutate and validate so with support and kiverno verify image. Verification rule supports uh like uh looking up from the private registry as well as you can look up from multiple registries as well.

A

Okay, so now we're going to have demos for different types of policies covering like the major features that are supported in caverno with that being said, let me hand off to linktesh uh to demonstrate this cavernous security policies.

A

Let me stop sharing and like search, is all yours.

C

Thank you hi everyone. So now I am going to present the demo for uh the pod security policies so before we start uh them for the pod security purposes. First, uh let's install the qr no in the uh cluster, so we'll go to the documentation, part uh of the qr node.

C

So there are two ways we can install the keyword. Now one is the henshaw in char installation. uh If anyone is preferring hem chart, we can install keyword pro using the hemi chart, your norepo or artifact hub, and the second one is using the yaml manifest. So for this demo, what I am going to do, I am going to use the drama manifest to install the keyword note. So just we need to copy this online and lets first check what my.

E

C

Has so I have already installed the time cluster, let me check the name spaces which we I have so, as you can see, I have uh just basic name spaces or storage in the cluster. Now, what I'm going to do is I'm going to install the keyword number once the uh once we hit this command. What it does is pull bunch of uh the crds.

C

uh It will configure a few cluster cluster role binding and also it will uh create a way book uh which tells api server to connect to the qrno on the certain settings. Then, uh if the giveaway has some security models uh which get configured okay, so let's check you will not get installed or not.

C

You can do cpl gate, power, minus and keyword, and you can see the qr node installed in this device within three seconds. Let's start with the demo. So what I'm going to do is uh I'm going to demo for the pod security policies, see the pod security is the basic and the requirement of the kubernetes cluster, because uh if any user get access uh to run the pod, he can the pod uh manifest allows to run a container which can give access to the uh the root user of the cluster.

C

So for that I have one command. So let me pull up that command.

C

What this command does uh it will give me access as a root user for this cluster. I will do another center for that, and also it will elect the privilege of all uh it will eliminate all the privileges. So if I hit enter so, as you can see, I will get access to all the uh file system of this cluster and if you have not running any policy engine, uh then it will. This scenario can happen, so it will will just run one single image.

C

If this is the single liner command, we are running a single image as a pod, and I, if I see if I do ls as you can see, if I have blocks.

C

C

Sick, so, as you can see, we I have access to the uh root user and if I did uh cd, uh if I want to see all the proc and if I dls, I can see all the uh procedures running uh in that, and so this is not the best thing we want uh for our cluster so to uh so how we can cover with this scenario.

C

So the uh uh the qr now provides uh the pod security policies, uh which uh we can avoid all these type of scenarios. So for that uh we have to go to the uh q1 documentation and then we'll go to the policy section in the policy sections. We have a depart security section so from the port security section, we have this uh customized command, which will pull all the uh port security default policies and it will apply to that cluster.

C

C

Apply all these policies as we can, once all the policies get applied um it applied so yeah we can see all the policies get applied. Let's verify all this.

C

Policy, currently all the policies are in the audit mode and the pure noise processing, all the policies and, depending on all the processes and the validation, the policy will come into the ready state. So but right now we have to uh near all the policies in the enforce mode.

C

So what I will do, I will use the customize on to convert all the policies into the enforce mode.

C

Let's verify with oops yeah.

C

Yeah, so all the policies are in the registered and all the policies are in the enforce mode and by by the way the sepal is the short form of the cluster policy. So if I run that same command again, as you can see immediately, we get the policy violations for that the command line we don't have. uh We have to drop all the capabilities. uh Then this command will uh escalate the privileges.

C

Then uh we can't run this image as a uh non-root as a user, then there are some uh segment configuration needed and the other uh this allowed. So it's disallow the privilege for this uh container so like this uh in the few second, uh we can secure our cluster from the uh accessing from this type of scenario.

C

uh So this all about the pod security policy. So next thing which I am going to do is I am going to show uh the next feature of pure know, which is about the policy.

E

C

So, uh for some reason, if you don't want to enforce all the policies in the uh block all the resources, then we can uh set all the policies in the audit.

D

C

So for that demo I am going to use the same command and what I am going to do. I am going to apply all these policies uh in audit mode, so we can see uh the the policy report for that previously we have in the enforce mode. So that's why the uh creation get blocks immediately, but in the audit mode we will allow to create the resource, but we'll create the policy report for that.

C

So I have uh set up all the policies in the uh audit mode. What now I'm going to do, I'm going to create one simple part which should be a run?

C

I will do dna port, minus minus image is equal to so max and the part get created, but now we can see if cpl gate our policy report, as you can see immediately after creating the part uh we get the policy report for that. And if you want more detail about the policy report, we can do minus oem.

C

We gave so there are four four test cases for the cases where it fails, so we'll do great and we'll just take the failed result and the.

C

So, as we can see, uh we created pod called demo which violate the rule, called uh the disallow capabilities. Then uh the register is a restriction. Then we can run that part as a non-view user and the privilege escalation.

C

So so this way we can create the policy report for the audit mode for the resources, and this will bring me to the third third demo, uh third type of feature which I'm gonna highlight. So when we create write the policy at the bot level, you are now automatically generate uh generate autogen rule for the all the pod controllers. So, for example, if I write a policy for a pod and then if I create the deployment- and if that is violate that rule, then automatically it will get blocked.

C

So for that I want to show a policy called require labels, uh which should be just explained there. So what I'm gonna do is uh here's the policy structure, so we are matching kind pod here and what I'm doing uh so, whenever pod get created, that part should have labeled kubernetes dot, io, slash name and the any value for that.

C

So what I'm going to do is I'm going to apply this policy.

D

Apply my stuff.

C

D

Now the policy.

A

C

And what I'm going to do now, I'm going to create one deployment format.

C

Box and we can see immediately uh uh the the creation get blocked. As of with the good error like uh the label, we should require the label, so in this way the keyboard has a feature. uh So if we created, if you write the policy for the poll label, it will automatically create the rule for the all the power controllers. So if we go into the yaml of that policy, we can see here.

C

You can see we have just written policy for the part, but you are automatically written policy for the payment set requirement, job stateful set and according to that pattern we have created the pattern for that uh all the kinds and the same for the crown job, so anyone uh any kind which creates the pod internally, the qr, will block that resource.

C

So this is all about the validate and the power security demo. So I want to pause here, and I want to ask any questions regarding to that.

D

Okay, I I got a question yeah, you showed two more sites, one is audit and another on the same force.

D

What is the difference between them and when to use enforce.

C

So if you want to block creation of resource immediately that time, we can use the enforce and if we want to allow to create, uh create the resource, but we want a violation, so audit mode will create the violation for that. So it will create the report for that that this resource is violating this rule and in the enforce mode uh the direct resource creation will be blocked depending on the uh user requirement. uh We can specify that.

D

Okay, so if there is any uh uh no any deployment order, so that is already something. No some it's violating some policy.

C

What will happen to them? So what will happen that time? If we have written policy for that and it will and the background scan is true for that policy. It will immediately it will uh create the policy report for that. So you can see uh the policy report in the policy report. You will see that this deployment is already violating the rule, so so uh so, as I showed here, as you can see, uh first, I have a few policies.

C

Then I create this deployment called demo and after that, this policy report get created and showed me like. uh The policy which we have installed will show like uh it deserves it already. This rule for called uh digital operators, installation and the non-truth.

A

Yeah, just one thing add to that: um if, if, if you have the like the resource resources already scheduled in your cluster and uh with the enforced policy configured for them, caverno would essentially blocks any updates of the resources. But if they're, you know some the existing resources there will be violations reported and the policy report.

A

All right- and uh you know, as meditation introduced, we have this violations audited in the policy report. uh We have.

A

We also have this policy reporter, which has a nice ui that uh is donated uh by one of our kiron contributor, that you can us install this policy report as a standalone application and to build the results generated from either key vernal, falco bench or any other policy engines, because the polish report is just a simple custom resource that is from the policy working group, so any policy engine in kubernetes can generate or audit the violations in the format of policy report, and this policy reporter is also integrated with different targets like loki elasticsearch teams, discord and slack to send out notifications of those violations.

A

You know just to get uh developers notified this with all the constraints that combined of the level of your applications.

A

Okay and kevin also exposes explosives and prometheus endpoint, which publish all the matrix data to prometheus that uh you know to let the developers or the users to later uh see or view this this this matrix right.

A

So the data this matrix data include the policy information like the rule, counts policy, counts, the execution of each policy, uh peru and uh the execution latency uh for uh each of the uh cuban policy, and also uh the review latency right so admission when you send the machine request and get the response of that emission uh request, you have to review latency on, like how long does kevin take to process that policy or a set of policies during this review process, and then you'll have the uh admission request.

A

Cons that you know basically gives you the number of how many of your requests that are uh filtered by kuvernel and uh that are applied with the with the cover policies and those informations is are all available through prometheus matrix.

A

And uh if you look at this, this slide kiberno by default, provides this default grandfather dashboard that you can configure in your prometheus application, which you know you can observe the violations and the policy informations in the in the single dashboard.

A

Okay and uh let's, let's talk about another important feature, called variables that are available in kivernal policies, definition, so the variables really make the policy data driving and they are replaced or substituted during the policy application at the run time, and you can also define those variables uh provided to the current cli for the static analysis, but um like basically, there are two types of different variables during this substitution.

A

So first one you can use it to reference data in the current resource of your admission, request and another way to use the variables are, uh you know, define them in the james pass expressions.

A

So if you look at the james expressions variables physically, we provide uh like two different types of variables. One is the built-in data that uh you can access and query any data from the admission review request and also the user information along inside the mission request. That is being said. You know, just when you send the request.

A

This information can uh get. You can access the information like who sent the request. What are the rows? The cluster rows defined in that user information, as well as the image properties as the butane variable and another type of james pass variables, is that you can do the external lookup um through any of the existing kubernetes resources or from the external oci registries right.

A

So this is extremely helpful if you run keyboard noise and an emission controller- and you know you can substitute those variables or those data dynamically from the given or existing uh source data source right. So if you take a close look at the different source of this data, the config map is something built in caverno by default. So if you go to next slide, there will be a policy sample policy here.

A

If you look at the spec rules context here, the config map block is provided by kiverno by default, which you can specify in the information of that config map and add it to the policy contacts with the name dictionary and later in the mutate pattern. You can, you know, query any of the data in that complete inside that config map and use it to either mutate as a label or use it in the validator or any other type of policies for later consumption, and uh you know another type of external data.

A

Lookup is it's a similar thing that um you know provides you a flexible way to define the resource.

A

You want to look up through the api server on which you can specify this url passed and combined with the james pass expression or the filters you can manipulate those uh like the private results and then store that variable result in the context again for this uh policy for later consumption, and a quick note on that is, you can use scoop cuddle command with the jp plugin to test this uh like a low capability locally and caverno also provides the jp command through its coi, which, when katasha, I think he's going to demo that later today and the last part of the external data is that you can look it up from the ocr registry and you can use it to.

A

You know verify the image signatures and the test stations, and, if you have like any of the configurations of the inside container images, you want to use or verify or validate, uh this can be used in the image, verify rule or any type of uh other keyboard policies all right. So uh next I think when tishi we're gonna have a demo on the music policy, combined with the variable substitution uh ability.

C

Yeah, so let me start with the demo so first I will explain what uh I'm going to demo for this, so what my policies look like, uh so I am going to inject this sidecut container for my deployment.

C

So what I am going to do is uh I am going to insert one container called volt agent and the unit container for that deployment and at shooting the explain. I am going to get data from the config map, so I have config map there. So in the config map I have data in the environment.

C

uh You know as uh storing as a variable value as a production and that value I am going to use as the external data source uh in in to set the environment variable for this uh policy and when it is waiting to note so how I am going to use that context is- and I defined context here- the name of the context- dictionary uh the config map and the name of the config map.

C

So this is the some complete map name and from that uh from this dictionary I'm going to get dictionary.data.environment uh env, which is there. So, let's go to the demo.

C

So I'm going to apply this first, I'm going to create. First, I will I'm going to create the conflict map.

C

So my conflict map get created now, I'm going to apply the policy.

C

Okay, the policy got created, and now I'm going. What I'm going to do is I'm going to notate the resource, I'm going to create a deployment and uh because we have deployed the policy, so it will going to mutate the sidecar, static containers and the, and it will take the you know, the environment variable which we define in the configmar. So let's create another deployment tip ctl here right here,.

E

D

C

We have already installed the validate policy uh uh which don't have the uh label on my uh this deployment. That's why this policy get blocked, so the resource get box. What I'm going to say, I have the resource or not.

C

Okay. What I'm going to do is I'm going to create another deployment which I have already labeled that so the resource get created now we'll see the uh the resource get mutated or not, so we're going to do ctl gate requirement.

C

Name of the deployment and we'll see.

D

C

As you can see, uh we have uh notated, so we have created uh uh created the deployment with the nginx and we can see the uh the container the volt container get injected uh with which take environment, variable value, also the api value from the config map, and also we have uh in the policy we have mentioned the unit container so that also get mutated as expected.

C

uh So this is all about the moderate policy demo, so I just want to show some extra policies uh which we can use uh in the day-to-day uh kubernetes world. So if we go uh into the policy section, we have uh list out all the policies and if you click on the muted, we'll get the multiple policies defined here.

C

So if we want to add the default resources uh for a deployment or pod, so we can use uh this kind of this kind of policy where uh here we are adding the memory and cpu to the pod. So if any part uh which don't uh don't mention the uh the cpu one memory, then it will automatically that you know will add the cpu and memory uh for that part.

C

So, as also we can add the image full secrets uh for the port.

C

So if the image start with the registry called uh bob.rake.com and the any tag, so if that match with the incoming part of the resource, then it will create the image secret for that policy and also same uh for the validate policy which I have already demoed. So there are multiple policies defined uh there. So if we want, uh we can use it from there.

C

So uh you have a question about the muted policy.

A

Yeah, maybe it's good to show that uh validate of the use of the latest image tag to uh you know just to look at what that policy looks like.

C

Okay, so I have that policy already there, so the policy will look like this, so here uh here we can mention. Also uh the first rule we are taking. The uh the image should have the tag. So if we don't have tag, this resource will get blocked and in the second rule, validate image stack. uh If this resource has the latest stack, uh this policy will get blocked.

C

So this, uh the latest type policy will look like this.

C

Yeah so let's get back to the slides.

C

Okay, so now uh hypothetic is going to demo all the generate policy and the image or do you predict.

B

My screen is visible yeah, uh so uh we uh we talked about various features of uh governor or we talked about the uh uh varied policies, mutated policy. So the third policy, which is like a very powerful feature of uh no, uh is to generate the resources using a uh register policies or either clone this clone the data. So there are three type of two types of generate: policies can be done based on the different rules, so one of the role is clone.

B

The clone is basically to clone the existing resources uh or copy inline data to the different resources, different namespaces right, based on the policies or matching resource type. You have another one is to donate the data itself. So, instead of instead of cloning, the data you can generate those those resources as part of policy creation.

B

So, basically, if you have a policy which matches a name space and- and you want to create a network policy whenever there's any space got created, so you can have those kind of examples uh I will present after this after some time, which will which will which will basically show how we can use this policies, how we can use these policies and automate all the.

D

Generation and everything.

B

So let me go into the demo hope my screen is visible, uh so, first of all, uh as an example, I'm going to show the uh secret getting created which we're going to create it and then, uh whenever there is a policy, uh so let me uh start the just just to automate. I just uh create a script uh just to automate everything and show the demo, so, for example, so uh what we are going to do is uh we are going to create a basic secret.

B

uh This is a basic secret called princess credentials uh which is going to be created uh whenever the spacecraft. This can be used as a in the form of like whenever a new space got created uh and you're going to deploy a pod or something or powder deployment, or something right uh this. uh This can be used as an image, full secrets and the private images or some uh images which require credentials to be used to pull the polar images. This can be used for that.

B

uh So uh just let me show that how the policy looks like. So, if you see the policy, uh it's a business, it's a cluster policy uh which name called as a sync secret right. uh It has uh rules which basically says sync image full secret right, so this is on the this is looking for a nice. This is looking from a matching kind, called namespace right and then there's a generate rule right.

B

What generator tool says is I'm going to clone the data uh from the resource which, uh which is in a default namespace called grid, recreate the thing, but what secret? I just showed you a similar name right, uh which is having a simple username and password data just to show the basic potentials and it's going to generate this. uh It's and it's going to generate the secret. It's going to generate a clone, or, I would say, sync the secret whenever, whenever.

E

The new namespace got created so.

B

You can see the namespace field has been provided. This is the variables we just talked about so this is. uh This will get the namespace from the resources which is going to uh which is getting going to be triggered resource right, which is here our namespace. So it will basically populate those fields and hit the secrets just to show the demo. Let's, uh uh first of all, let's apply a secret, I'm going to create a secret secret got created, which is a default name space right.

B

uh Our next step is to create a policy, uh so policy will uh look up, those secrets has been uh has been and the namespace has been created and it uh and it will uh become ready once the controller. Look for the look for the look for the policies and look for the uh manifest to be generated right.

B

So so, if you see uh the policy got created uh and the next step I I'll go and just create a new space, any dominant space, for example, I just go and create an alpha name, space right, uh so name space got created and if I uh now next step is to verify that same secret got created or not right. So uh I'll just go and get a secret that exceeded on alpha namespace. I just do hyphenamel of that. I can see.

B

uh I can see the namespace got created uh uh with the same name and in alphanamespace right, and it has all the information, uh uh for example, password and username, which is like in a decoded form uh right by default and as part of that uh as part of that, the applied configuration which is uh handled uh which is applied by the actual secret, which is in a default namespace clone or basically right. So we can see. The password uh name is top secret. Username is admin new right.

B

So if I go back and show the secret to data actually, so it says administrative right, so you can see that same secret has been cloned to the new namespace whenever it's got created right.

B

So if you, for example, if you go and create some other namespace all right, so this secret will be cloned to all of the namespaces right, uh so as part of validation. Now uh so, if you can see in the policy, we have a field called synchronized too right here. So what this basically does? It tries to sync the secret uh for any new changes which is done on a generated resource right for for here, for example.

B

Here we have a next thread, so any new changes which done on this resources done on this particular secret resource. It will be populated or broadcasted or will be closed uh to the other namespace which has been generated using this policy right. So uh just to demonstrate that uh I have a new. uh I I've just created a new secret uh with some slightly change, uh uh basically in the name username, so I just added admin in the end uh early.

B

It used to be admin, new right and then admin new, and then I just added admin, admin, new, slash, dash admin just to change something, and this should be uh cloned across the namespaces.

B

So I'm just going to apply this secret new, updated secret right. So I just updated so same secret got updated with a new username value as part of just verifying.

E

B

Just again trying to get the secret and alpha name space right. So, let's see if chat the new data or not, so you can see uh uh if you see the annotation part it can it's showing here that admin new admin got updated. It used to be admin new earlier uh right, but it's now updated to admin, new admin right uh uh and also uh it's part of the decoding. The everything got decoded as part of secret right. So you can see the password you username will be decoded to.

C

Some other value.

B

Because we have changed it, so you can see the string uh here looks different here, but it's uh changed to something else right.

B

Similarly, I just tried to violate everything. Everything is syncing properly right, uh I'll look into the source secret, which is in a default namespace with the same name right. So if you see here, I'm just looking into the get trying to get the secret in our default namespace right, which is our source secret right. uh If you can see here, this has the whole similar data, because I was applying this applying the changes. So you can see the appliance notation has been up last of that conservation.

B

You can see as an annotation, so you can see the same thing at my new admin uh and that's the same password and uh just to validate uh username string, which is a decoded form, uh looks uh very similar just to validate this thing, so uh this is already so what we have seen is uh this is kind of automation. uh So, whenever a new namespace got created, we want to uh as part of admin. We want to have a certain policies to be uh enforced right. uh It could be a generate.

B

It could divide it, it could be uh mutate right, so as part of that uh he can uh configure some secrets. uh So whenever a tenant wants to create an own namespace, this secret will be cloned and cloned, and then this will help them to a bad date and uh as a part of image, full secrets- or there is a very many use cases right. So this is one of the examples. uh Similarly, uh this is another example to clone the secrets uh of a clone generate rule.

B

Basically, and similarly, we have uh la talked about the data right, uh where you can just simply.

B

B

Right, so, if you look into this policy, this policy is all about. uh Basically, it's add a network policy whenever uh it's looking for the namespace uh watching a namespace right main space kind of resource. So whenever namespace got created, it has to do some operations right, so what operation it has to do is it has to generate something uh generate and in the form of data. So, basically you can see the same kind. It's an inline data. Basically, uh if you uh look into this pack is a core kubernetes way of writing aspect right.

B

So uh it's like uh fragmentation of the same resource. uh So here it will go and generate the network policy uh uh with an a space and, uh and it will populate all the fields you know chat and then create create the object. Similarly, right so we'll come to this one, I will just try to uh try to add this in an actual demo uh which, as part of multi-tenancy, which is like how to how we can achieve the multi-tenancy using a given a policy right.

B

uh So as part of the uh as part of that demo, I will cover this how to how how the generate generate the network policy of whenever the name space got traded. So, as part of next step, uh let me go and uh show the how we can achieve the multitenancy right. This is one of the good example of uh amalgamation of various policies uh or various rules.

B

What uh kavina has so uh I just clubbed all them all of them uh that take mutated, validate and generate truths to achieve something which, like uh can, which is very good, to have a multi-tenancy network right multiplayer is the cluster, so you have for many users. You want to use a namespace as a service. You can do those things as well. So us again, I will start a demo.

D

B

Till now any questions.

B

Okay, so uh uh we'll look into some certain resources, uh like uh uh you know, a generate controller has certain rules and permission required to generate some resources right because it's like uh it's like very pinpoint uh cluster rules and permission given to generate generate controller or coming off to be precise, to generate certain resources. So if, if you want to give certain permissions, then only domino will work so, for example, uh I'm here going to play with uh certain cluster uh cluster cluster roles and cluster bindings and network policies and other resources.

B

So, for example, I just added those resources which is required to be given permission right so, for example, cluster bindings and uh cluster rules, permission has been able to generate a service account right. So these are the resources. uh So, as part of that, I will just create this resource right and the next step, I'm just going to apply the policies uh which I'm going to explain uh when I go through the demo, uh how these policies are getting used and how we can understand about them right.

B

So I just apply those policies so, as part of flying is there will be certain policies uh which will be creating his cluster roles. uh Network policy and name space access control at kota right. These are certain uses of generate and mutate and validate together.

B

Okay, so as a part of next stress, uh I'm just going to going to have a policy which basically, uh which basically validates all right uh when it reads a name space uh when so, whenever a namespace got created, uh it has to validate that that name, space has a label, uh matching a kind, a matching key called type, and it has to be a value as small, medium or large right. So let's go and create a new space.

B

So, for example, I'm just going to create a namespace without a label right, so that type types key label is not there so uh and using any user called nancy, which is has given some permission uh to create the name space in this particular cluster right. So uh you can see uh it has been blocked, saying that your space doesn't have a label matching label which is a type and the value fields are small, medium and target right.

B

Large sorry, so uh let's have an example of a simple namespace which has all these all this label populated. Already, for example, you can see I'm going to create a namespace called test which has a label type and medium. So once you apply this one, it will be simply go through and create a namespace right.

B

So you can see it's not successfully created uh as part of so going through the further stuff thing uh and which is going to create access control or what we had already created so as part of access control and uh how the space label policies will work.

B

So uh these two we have two policies, two crystal policies here right uh so uh first cluster policy. What it does is it uh it's again have a certain generator rules right. uh So what this generate rule does. Is it create a cluster role right for this? For the user, uh which is going to create a namespace and it will have an annotation called the winner, dot io, slash user, with a matching username? Who is going to data and a space for example? Nancy?

B

We just did it right and it has certain uh permissions, given certain permissions like she can get the name space and delete the namespace once she's done with her usage or her task right. So uh certain permissions has been given here and then uh what is a next generation is uh so uh yeah. It's matching for the namespace call, which I explained earlier, and the screen generator.

B

We have a nested general generated rules here, so next generation rule is nothing but it creates a cluster binding so same cluster will what we have skated on the top right. It's uh we're getting a binding for that and we're providing a username to access uh using those service accounts.

B

And the third policy is to create a role binding uh uh to give certain permission or admin permissions, basically right to the particular cluster role, which we just created on the top uh to give permission to the particular user right here. So- and this is a this is generate rule, and then we have a mutate policy as well uh uh as part of adding an a space label right.

B

So, as I explained earlier, uh this policy will basically wash the name space and it will mutate the name space with the key uh with a label matching a key called kevin dot is flash created by uh which will have the user information who the user, who has created the namespace just to inform other. This will be a basically a much more required metadata if you have a bigger cluster and you want to uh maintain the uh namespace as a service. So you know okay.

B

This user has created this particular namespace, so yeah moving further uh I'll just go and create a namespace test right uh using uh I'll just try to get the same namespace. What we created earlier uh using using a user called uh nancy right. So if you see we are successfully able to get the resource uh and we can see that certain uh required labels. We just talked about it's uh already set here, so it says it's killed by an end right uh and similarly, uh just to validate that uh we can.

B

We can take example of any other third party user or anything which which uh uh which just which doesn't have certain permissions to get, uh uh get or get or delete of particular namespace right. uh So, if we uh use instead of nancy, we can use third party user or any uh user which is doesn't have certain permissions right uh you'll see that uh it will fail to produce that right. So it says uh uh net the user. It doesn't have the permission so to get a name space or delete any space right.

B

So basically, this is the one of the example uh you can achieve a certain, uh so uh certain cluster rules and binding, so that, but certain users can only access or do some particular operations on a particular name space or matching resources uh moving further.

B

uh So as part of that, we created some role bindings as well on our namespace in his test name space. So this was the cluster rule. Bindings has been created, which is uh again club to the cluster like cluster role, to get some admin permission site, which I explained earlier uh so here uh uh next step.

B

uh We are going to create a certain network policies and uh uh going to uh some going to put some uh how to uh you, can configure the data or configure the quotas and limit range on the name spaces right. So if I open uh show this one, so we have three policies here.

B

uh Let me go up yeah. So first, uh first is a network policy. So again it's uh uh based on um it's looking for a namespace watching a namespace right and then again you generate a.

B

They need a network policy to deny deny certain uh requests right uh which we had, which I talked about earlier and similarly our second policy is again a cluster policy which, uh which adds a limited range right uh again, it's watching the namespace and then it's uh here are different selected values or match labels here, uh which is called a type small or based on a certain cluster requirement in the resource requirement cluster.

B

So if you have a small recommend requirement, uh uh you know once you create a namespace right and it's matching with the small and then it will try to create certain limit ranges based on the different cpu and memory requirements right. So you can see here uh we have certain uh certain requirements. Certain memory is if you limit and uh limit requests has been set uh for the type called small. uh uh Similarly for type called medium.

B

uh We have certain memory in cpu uh limits and requirements right uh and the third is again a large large requirement. So we can get certain uh more requirement and sorry more of a requirement as a workload which uh high performance pathways right.

B

Our next policy is to add quota, uh so as part of different labels. We want to add some certain quotas right, uh so these are similarly, we are going to add certain quotas based on the labels and uh requirements right. So these are the uh these are about that.

B

uh So let's apply these policies uh as part of that. Okay, we already applied this policy, so just try. We just go and try to get the network policy what we created earlier right. So you can see that the default denial of policy has been created already.

B

So uh as part of validating that uh uh will be handling and validating all the operations right so uh because nancy has certain permission uh to uh basically to get a delete right, and it has an information to that particular name. Space called test right. So, as a user nancy, I can go and delete the network policy, but uh as a as a as a policy right, but as a uh because uh given or has a generated controller uh running running as a process looking for the watching for all the events right.

B

So whenever you delete something it has to validate by uh now, it will watch for those events and try to uh try to reconcile everything and see and reach out to the desired state right. For example, if I delete this uh netpoll network policy, you will see uh it will be, uh so I just deleted the network policy and the next step I go and I just go and check that network policies that still exist or not. So you can see that network policy got.

B

uh It was created earlier six minutes, 18 seconds back and then once I deleted it, so uh uh genetic controller kicked in and it was watching for the events and it tried to uh reach to the desired state which, uh which is the network policy, has to be there on this particular main space right.

B

So it goes and created the network once again, so it's kind of robust and whenever or by mistake, someone delete the resources which is very powerful feature of given to basically to generate and look out those things, and we try to generate the resources back right. So this is very powerful feature of the renault which is specific to uh and which, which is very unique to kavanaugh as well right. So uh so uh uh other example.

B

uh So, uh as I explained earlier, nancy has a permission uh to get and delete the namespace, but the user net, which is like other user, which had the senator permissions uh unable to do that right. So similarly he's trying to get that a space, but it won't. It got failed and similarly he's trying to delete the namespace, uh maybe uh right, and then he again got failure error, saying that you don't have certain permission to do this operation so once so, once we're done he can or she can go and delete the raceway.

B

So uh as part of our delete uh task has been done, user nancy goes and delete the range space as well so yeah. This is, uh and everything is done. So all the whatever name space got created under the delete, all the all the uh all the policies and all the validation mutations has been done, using a policy to to achieve something which is like.

B

If you have do it manually, you have to do so many other operations right so here this example shows that uh you can uh club the generate rules with uh other powerful features of we know with the mutate and uh generate mutate and validate, and you can achieve something and present something which is like create a namespace, and these policies and rules will get then right and it automatically everything should be done in the back in the background, and you have a pure multi-tenancy feature in your cluster yeah.

B

So this is all about multi-currency uh till now any questions. Anyone.

E

So, patrick, what is not possible with uh with generating resources anything which is which we cannot do.

B

So generate is a bit tricky here. uh So basically we should use generate. uh Something is like very tricky, uh maybe a secret. uh We should not use generate for some other processes. You can use it, but uh everything is possible with generate uh what what what I will suggest is to use. We should use generated.

B

Specific operations which is like should not affect, because uh it should be specific to admins right, uh because admin knows what they're going to do with the generate and if the user is going to use that he doesn't know about what is going to happen in the background uh he does something, and but uh the policies or generate rules will be doing some generating so many other resources, for example, which is doesn't aware of so this should be restricted, but it can be used as on the basis of different use cases and yeah.

B

So that's the thing, but yeah.

D

Generate can be.

B

Can be used for our cluster custom resources as well, so if we have, for example, uh I take example of storage right, so uh in case of open abs, uh uh you connect a disk connect, a device uh to a nodes, kubernetes nodes, and then uh certain resources will be kicked in and that you can use the uh so. Similarly, you are watching a new space here right, for example, you can look it look it for a particular custom resource.

B

Like uh can say, block device claim uh right, uh block device which is basically uh uh got created, uh and uh the generate controller then kicked in before this, watching that particular custom resource, and it will try to generate some other other resources like. Maybe it can generate cloud device claim or it can go and create a pool itself right and that tool will be automatically created, so user don't have to do it for many operations uh he has to watch for the okay blog device got created.

B

I have to go and create a particular pool using that block device, but you can try to automate those kind of stuff using the generator route as well. So this is one of the good things to have oh yeah. If there is numerous use cases, you can come up with yeah.

E

Sure got it so yeah. Is there any plan to go beyond kubernetes as well or not yet or no plans.

B

uh Right now, no uh so uh currently we are just working towards kubernetes, because that's like uh effective and uh standard uh of container orchestration right now, so I think uh we are not doing anything right now, but maybe in the future uh we're not sure. If something come up, uh we try to tune those things, but currently that's communities. It's like whole things cycle.

E

God, thank you.

A

Yeah, you can use kyberno ci out of your kubernetes cluster just to uh test and apply policies locally statically, uh either your ci cd pipeline or on your local machine and well. I think we're also seeing the request that to decouple the policy engine inside converno to make it a general purpose uh library, so that you can reuse the logic inside kioverno to apply the policy logic.

E

Okay, okay- and I mean, if time permits I mean if you guys, uh are doing more glass perfectly fine. Otherwise, I would like to see how kiberno and supply chain kind of comes together if some light can be thrown on. That will be helpful.

B

E

The next demo I just took.

B

A break yeah, okay, so.

B

So yeah uh so yeah so uh another another good feature of kavanaugh, which is like uh recently built right and it's like used by so many other uh production companies in the production itself, and so many other companies and open source tools as well. So I just go and.

B

So yeah again I created a demo or just to automate right, try to automate all the stuff right. Let me start.

B

Yeah so as part of image verifications, uh so uh there are certain uh certain tools or certain uh like six store. Is there and a co-sign and also it's so we are using various tools to kind of try to verify the images and will credit the signatures and everything right. So, uh let's start so uh again, this is like a mix of policies here, just to demonstrate a use case right so again we can see the more of an acclimation of different uh kubernetes rules here.

B

So uh this is a policy which is basically uh which is going to block all the non-root things right of the non-neutral resources. So here we are watching for the resource called pod here right and we are enforcing these policies right. You can see the value failure. Action is in sports, so we are kind of enforcing this rules. uh We talked about different rules. Audit and force. Are there right? So this is an enforcing thing, because we want to block in the front of a user right so uh and certain precondition we have.

B

uh So we are looking for that and we try to validate the uh validate the containers right and we are looking for that. We are using the context lock, api, look up api of container registry, we're trying to get the date image data from the image registry. So we have. We can confirm different various major https of the image registry like you are using, and then we are trying to get those data and trying to uh trying to see if the user itself has a permission.

B

It's the user itself is a root user or not right. So you can see if user it's a root, not root user. It goes and block the uh permission. So there are different way of doing that. But this is like. uh We are going and fetching the image data. You can say that fetching the image inspect data and then we are trying to validate the data itself and if it's a, not non-root user, we're just going and blocking it so just go and apply this policy right.

B

So, uh for example, uh I'm just going to create a busy box image here uh with using I'm using a dryer and ecosystem server just to uh just because I just don't want to process the data but purchase the data into etc, but and create the deployment. But I want to trigger the validations right, so all the mutation standardizations web books will be triggered in. So I just using a right and server thing.

B

uh You can see the I created a root user access, so busy box image by default comes with the user root user permission, so it should be a block in the front itself uh yeah. So you can see uh this image uh busy box container deployment got blocked because saying that it's a validation got kicked in and it's saying that image with a root user are not allowed right, so it validated the user permissions and plot interference itself uh as part of uh further variating.

B

This one uh I'll go and create a a non-reducer based deployment. uh So for here from here for here, I'm using a cabinet camino uh image which basically I come in a controller uh uh which is not using a root user permission site. So uh it should be we'll see this has gone through and it's successfully accepted.

E

B

After the all the validation invitation, so you can see it's successfully created as part of next uh just to validate that it happened because of uh uh the policy we have uh created that block user root user thing is, I just go and delete this one just to validate the stuff and again try to create a uh root user base which has a duties. The permission uh busy box, which is which is earlier, got blocked due to pulse install right.

B

So you see it successfully, went in and uh created earlier. So it's because the policy was there, it got blocked, so we achieved something uh which is not very feasible uh to look into the containers.

B

For that you have to configure a contact from configure php earlier you so that now is duplicated, and then you have to look for certain from certain user groups and ids instead of uh instead of blocking the other non-nuclear sites, so those uh clumsiness, and so many other factors you have to think about everything and those thing can be easily uh done with policy as well. So this is one of the better great use case of uh given as well uh uh further moving. uh uh So uh this is other policy.

B

I have just to demonstrate the scale images. For example, we can have certain certain deployments running in a cluster from last 20 years or like six years right, but they are now outdated and we want them to be updated once we once they try to scale or scale or some scale or try to redeploy or something right.

B

So, for example, you can take exam, take a deployment which is running from last six months and now someone uh because that image is now it's like stale image, it's no longer updated with the uh multiple vulnerability scans or new patches on everything, for example, and someone goes and try to scale those up deployments, and this will that will be blocked using this box right.

B

So here uh what we are doing is again we're watching for a namespace watching for a pod resource right and then again we're trying to uh doing a registry lookup to get the image data similarly, similar to the preview example right now we are looking for an image and then from the image data we are, what we are doing is we try to get the uh uh here's? Some change path. Expression kicked in and we're trying to get the time size data right.

B

What is the time that image has been created and what is the current time? We would try to evaluate that. It should not be greater than uh four three eight zero hours right. So, uh let's, for example, I.

E

B

Went and uh create this policy right. uh Let's wait for a couple of seconds or let the policy get ready. uh We go and create a deployment uh with certain uh old image uh here, I'm using uh ubuntu, 18.01 ebay and I'm doing again a trial and server just to trigger those books right not to pulsate that so I just run it. It should be blocked because it's it's like more than whatever the time we have provided in the policy right so see you can see. This. Is god block right?

B

uh Similarly, stating the the rule, what kingdom is saying the validation failure, images built more than six months ago are prohibited so, but this is one of the use case and similarly I go and apply uh just uh just a new image in the cluster right and they give it to 22.04.

B

uh New patch came in, for example, and I just want to apply and it successfully will be applied to the cluster okay uh yeah as part of now. What uh uh let's go uh to talk about the digits thing.

B

uh So whenever the image got, let we talked about this policy which basically again uh look for the container data right and try to resolve the data and try to uh add the image edges to the image itself right in the container image itself, so that if there is some someone who tried to uh do something some layer or try to index some layer on the date on the images itself like if you take an example of there is there's a couple of examples in the past uh where the images had been tempered and could apply to the cluster itself, and it did something- and maybe you can drastically do some destroy operations or anything can be happened right.

B

So just to me just to validate that we can have a certain policy which will try to get the image data from the certain uh lookup data for image line, string right and strike to whenever they try to mutate. The containers try to make the images right or contain images with the actual judges of those uh images right. So it will go and try to do that. So, let's create a deployment uh uh like covering right.

B

uh I'm just doing uh a hyphen ammo, just to sort of show that the image like this has been attached to the image name itself as a prefix right suffix, for example. So if I go and do that so this has been created right.

B

Now I apply the now before I begin up by the policy now go apply the policy itself right. The policy is created. Now, if I do and again, if I do so here, for example, here there's no, that just has been suffixed right. You can see the images covered or slash given itself now, because I applied the policy. If there will be a change in that it will append the digest, it will try to scan and uh get the image hd data and try to update that so that this will validate it.

B

Okay, we are using the official signed uh image with a particular digest number, uh which is very data everything, so there is no there's. No tempering can be done right, so uh yeah. So for certain examples, so we say have seen. How can we add the digest number now uh next sample I can show is the sec. How can we check the signature of the images as well?

B

The images are properly signed or not and those kind of operations right so for that we are using a six to two uh six store, which is another linux.

B

Linux, community based back project, which is basically work around the uh supply chain supply chain uh tooling around that, so we are using the tool called cosine, which is basically to can be used for image, signing uh and verification right. Another tool is falcio, which is which is basically a web-based identity, uh identity, management solution, um which we can uh simple. We can also say that it's a keyless sign-in feature right, uh so we are using going to use that, and so for that uh I have a policy uh which basically imposed that rule.

B

uh It's looking for a pod right and it has certain images right, so it will try to.

B

uh It will try to verify all the images which is coming from jim's uh jim paguardia's reports right and it has a subject and issuer uh be sure and uh issue fields has been set already once you sign the images right you have to, uh you will get those fields as part of whence you describe the image and you will get those fields to be populated, so as part of keyless signing feature, you have to populate these fields here.

B

Once you sign the image right, you will get those details using a cosine. You can use a cosine binary to get those details and then populate here. Similarly, uh uh I just followed a root- the root section here, as of secret here, so that it can be uh just to demonstrate that it can be.

B

You can either use a custom secrets here if you don't want to use the particular secret what you have used earlier uh or if you're working on a air gap environment where you cannot access, go and access uh authenticate through a network, and you can use those certificate by hard-coding. It here itself right so now. This is on the use case. So let me go and apply our policy right, so I can see policy got created debate for a couple of seconds now.

B

uh What I will do, I will go and go create a create a deployment uh same unsigned example right, I'm using a james image of which is basically not signed right, which is basically a pause, a container image which is basically unsigned.

B

And uh we should say it should be blocked, saying that container doesn't matter, secret doesn't match right. So it says image verification got failed. uh Signature signature mismatch right, so it got significantly uh just to validate that uh I can go and create a. uh I can go and use a cosine, uh cosine, tooling library right so uh just to check the if this image is signed it properly or not.

B

So if I do the same image, what I've used earlier uh jim pause and sign, if I run this one close I'll verify that image particular image is signed or not, uh will have some information it's signed or not. So, let's see uh so yeah. It's a cosine given give us the error that there's no matching errors, no no matching signatures. So it says that may just not sign it right so yeah. So that's when date, our thing so that everything is working fine uh as part of next step.

B

Let's go and use the image which is signed already right. So I'm using a certain image of against jim's image from gym registry, which is called demo java tomcat. So it's an image which is already signed using a certificate or cosine sign thing right. uh We will see this successfully, uh it will accept by the cluster and it will certainly gone through. You can see it's uh accepted and it added the value and everything which is required, which is a part of certain policies.

B

What we are going to discuss about, yeah and also as part of validating we just go and verify the same same image. What we have used to just to deploy it. So if I go, do cosine verify of this particular image, which is which is already signed as per the policy, and we see what cosine shows us right so see, cosine shows everything uh it stays about. The cosine claims were validated.

B

Everything is got what what got validated with the this particular image. With the latest tag, it has all the transparency log right, which is verified again and all the uh all the way all the certificates has been uh verified against the falsehood side, because we are, we are using the keyless signing feature and verification, so it says using pulsio to verify those things, and it has all the data which is talked about the workflow and everything and all this stuff right so uh yeah. uh So this updates everything.

B

uh Now we can't uh talk about the attestation thing, which is like other features on top of image verification. So so till now we had a certificate or a class certification. Verification of the image that verifies this image is signed or not right. Similarly, we can have some attestations as well, which can talk, which can, where did that it has, as bomb has been uh cyclodex type of swamp, has been added or added to the images right.

B

Those predicate has been added, and certainly uh because we are using 3d scanner to scan the images and so that that has been uh added as well. So.

B

That here, uh those vulnerabilities should not be increased more than 10 right. So if you have, if you have an image or maybe a older remainder, something which has so many vulnerabilities which cause the actual number more than 10, more than 10 vertices, for example, uh even the signatures are matching. This will not accept it right. So this is one of the example you can just do uh just to just before just image signing you can do some more uh things to validate those images like illustrations and some predictive values as well.

B

So if you see certain images which has this vulnerability's rule doesn't match, it will just block it as well. So this is the feature uh image verification works in kavanaugh as well, so yep any questions any doubt, please feel free to ask.

B

Does it answer questions? uh uh You talked about the image when it comes.

E

To yes, yes, definitely yeah.

B

So it's pretty simple uh to do stuff to do this stuff and we're coming with some more uh cloud registry based uh k like signing features, you know as a future road map, so those things will make it more easy uh to use and yeah.

E

Definitely help users.

B

Yeah, let's remove two slides. What we have uh we talked about generate policies inside uh I just go: give the demo image verify policy assessment. uh Let's now the next section is about governor, say: let's uh move on to uh two presents.

C

Okay, so now we are in the interesting part of the keyword that is uh cli. So if you want to use uh keyword, so we can use uh as a pure cla, so kiwano cli is uh mostly uh apply. The policy and the uh test, the policy uh with or without cluster running, so we can apply. A client cli with apply rule, apply command on the cluster or without on the cluster.

C

So we can test. uh Are the validate kubernetes configuration for violation before deploying to the cluster and uh to uh use the kubernetes cli is not necessary. We need to install uh the keyword know so without installing qr nodes, so you can use the keyword cli.

C

So there are uh multiple commands uh which we are using uh as a in the keyboard cli, which uh most popular we are using as a apply command and the test command. The test command is mostly used in the csd pipeline and I am going to give demo for the apply command test command and the jp command gp command.

C

So before we move to the apply command demo, just I want to show how we can install uh the qrno cli. So there are multiple ways we can install the uh clr. If we go into the documentation, part of puremociali uh we can install uh serializing through or- and so I have already installed uh cli in my system. Let's get verified keyword, no version yeah, so I already installed with the latest version of cli that is 1.6.2, so let's first uh apply.

C

uh So, let's start with the apply demo yeah, so qrno cli apply command, perform dry run on one or more policies with the given set of input, resource and import resource. It can be the original context cluster or we can pass as a resource as a file. Also, so I'm going to give demo for the both and see if we apply uh use keyword, apply command for the validate policies.

C

It will give us a result as a pass or fail, and if we use for the muted policy, uh then it will give us the mutated resource. uh So we're going to see the uh demo for the both. So before that I am I'm going to show which policy I'm using for to use the qr no applies uh command. So what we are going to do is here we are going to validate uh the name space, uh so the we are going to validate the default namespace.

C

So what we are trying to achieve uh there is no should uh we should not allow uh any uh workflow should be created on the defaulting space.

C

So so, if we apply this policy uh on the uh cluster uh with this air qr noise cli, it will give all the violations means all the workload uh violations for all the running uh parts on the cluster. So for that I want to do your first. I will show all the faults.

C

Which are running in the default namespace.

C

There are four parts are running in the defaulting space. Now I am going to apply the given.

C

Then we need to pass the path of the file.

C

And I'm going to pass the current context of the cluster, so I used to pass uh as advanced cluster 5 and as we can see, there are uh four tests fail and the uh 10 are passing and we are showing all the four. So as we already seen, uh there are a part called engine deployment. There are three deployment, uh three uh deployment ports uh which happening in the default namespace and there is another part which uh running in the uh demo part which you know default option.

C

So if you want to paste- or if you want to know the current state of cluster on uh using that policy, we can use the kubernetes cli apply command for that, and this is all about the uh the current context and if we want to use, uh you know, apply command on the resource, so we can use the same command only instead of the current context, we can use uh the resource.

C

So what my resource has see uh right now uh the resource is running on resources we are supplying, which is on the text name.

E

C

So if I run this, my appliance means the test will be passed because we are running on the test and space. But if I change it to the default namespace.

C

Our test is going to be failed, so in this way we can uh test our policies uh using the apply command.

C

So now the next things which I am going to show, uh which is the text command, so the test command, is mostly using the ci cd pipelines so for the test command. We can give the local repository as a input or the git repository as a input, and the test command is currently uh test, the muted and the validate policy, and we are working only supporting the generate policy on the right side.

C

We can see the structure of the test command, so we need to pass the test file, so we need to pass name of the uh test which uh which we can provide, then the number of policy and the number of resource. So we can provide the uh policy path and the policy resource path. So every policy is going to apply on the uh every resource and the rule which, which is our.

C

Sorry going to apply uh on the resource, then we have the variable section. So if we have in the policy we have variables, we can define our variables in that section and then the result section. So, in the result section we have, we need to provide the policy rule uh rule name the resource name, the kind of the board, and what is the expected result? uh We are uh assuming.

C

So if we think the result will be passed, then we have to provide pass and if you think uh the result is fail, then uh we have to uh define as a failure.

C

So let's let me close all the files and I will going to show the test for the disallow latest tag which we uh usually ask. So what we are doing here. We have two rules here. One is required tag. The image should has a tag and another the image. If uh once we have tagged, it should not be latest type.

C

So we have poly uh resource uh which we are going to apply on that policy with the uh latest type. So we can write the two test cases for that. So one is uh test case, for we have uh the tag for that.

C

uh That means uh the the image uh the resource image have back. So we are, uh uh the actual result will be passed and we are passing uh the default tag, so what we are expecting, so we as we are passing as a latest stack so in this test case should fail and this uh this this description pass.

C

So what I'm going to do? um The keyword test command should.

C

So, as expected, both the test cases are passed because uh in the first test case we are expecting. It has the latest uh the tag, so we are expecting and the actual result is passed and the second test is, uh we expected. It should fail because we have passing the uh the latest type and if we change here uh to any other tag like 1.2 and still, we are expecting that uh it should fail.

C

So that is not going to happen because of that the test will fail and if we uh change the result to expected result as a pass. So since the both rule will get passed as we are passing uh the latest tag, we are adding the tag and we are not adding as a latest type in the this. Both test case will pass for this. uh These policy rules.

C

Yeah so as expected, the both cases are passed in this way we can write latest uh uh test uh for the uh all our policies, and now we are, we are providing the local repository. So currently uh we have almost 100 plus policy and we have written uh test cases for all this policy and if you want to use all the policies directly from the git repo, so we have command us for that. Let.

E

C

What we need to just do is uh we need to do pure, no test and the uh path of the git repo. So if we go to the current qrno policy repo, we have all the test cases written and if you enter what it will do, it will uh hit this uh repo and it will start testing all the policies.

C

So we have almost a thousand plus test cases written for that, as you can see, all the test cases are passed and let me just show how we have retained the test cases.

C

You are now policy repo.

C

You can see we have all this structure and for every policy we have written the test, dot uh test cases, so there are multiple uh tests. We have already written uh for all the policies which we have so and almost there are um thousand plus tests. uh We have already written further, so this is all about the test command.

C

The next I am going uh roughly. I am going to show about the the third commandment, which is the jp command. uh So what exactly the jp command do is is evaluate any genius path, expression and once we supply the output, so we can get. uh Let us see uh what filters we have for the jb command.

D

C

So all this filter, like uh all this filter, we can use uh to get the output from the james path expression. So I will show you one simple uh demo uh for to get length of pod.

C

So what we are doing here is uh uh this is the cubesating raw command, uh which will gives us the uh all the uh adjacent output for this uh pure, no parts uh out as a json output, and then we are using the qr node jp command and we are taking the length of that. So we have currently one part running, so we get output as a one and another. If and sometimes uh we get uh the uh output in the uh in this context, like uh the pod output in this context.

C

So if we want to get uh the name of the container- and uh we want to use that in the policy later part, so we can use as uh command so what we are doing here, we are using the qr node jp command and then we are passing uh the json as a path and then we are going to the the particular path. uh What exactly uh details we want- and we want to use uh on that. So this is the container name uh which you are getting exactly.

C

How we can use in the policy like uh here is the example uh we are using. So what we are doing. uh We have this path called uh api, a slash, superversion, slash pod, so we'll get all the details of part uh running in that cluster and then we are checking uh the every the known name. For that uh uh part response is: if it's mini cube. If it's manicured, then we can uh get the length of that.

C

um How many uh node names has name as a mini group, and then we will uh using that for account to deny the rule. So if that length is more than 10 uh greater than 10, so it will validate the rule. Otherwise this policy will means that resource will get created.

C

So this is all about the uh jp command. So let's move to the next slide.

C

D

C

Is about the sample policies and uh patek is going to explain uh all the sample policies which we have in the vector.

B

uh All the policies, what we have just seen right as part of our demo, uh everything has been- uh we are using it from the repo uh called uh which we have, which has been seen number of times in this video right. If you go to the community policies right, uh it's either go go to the website called io.

B

If you go to the website to win a dot if right and you click on the uh click on the policies, so these are, there are so many policies right. If you see uh we have around 140 around policies, which is uh what we have in use our demos as well, and it's like contributing contributed by the community.

B

So there are so many contributions uh come from the community about the different, with the various use cases of uh with various use cases, they have different policies and they've thought of contributing to governor, and we are trying to uh maintain those uh as part of sample policies as well. So, as you can see, we have a uh as we showed that on the demos and the previous slides, we have a generate mutate and verify images policies which are the different features of camera itself.

B

uh If you go and click on the generated, so uh we have tried to define our policies on uh based on the policy type just to make it is. It is easier to understand the use cases. uh Users has so if you see that we have add network policies which we just found on the demos as well. Similarly, we have add quota policies right, you can click on any policies and uh we have some detailed description about the policies.

B

What it does you can copy copy it from here and then, if you apply into clustering right. Similarly, we have.

D

B

Footer or sync, which we already talked about in the video. uh Similarly, we have a muted policy, so we have various operating policies based on the various use cases either either you want to uh because psps is no more longer. There is going to be duplicate companies versions. So what is alternate for psp site? What speedy policy?

B

So we have different policies which try to uh work for the those which try to do the similar thing about psp, speeders and then adding some most features on top of that, as well, so, like add certificate to a volume. uh So whenever volumes are created, uh certainly uh our default resources. Whenever uh you create a certain resources or default resources or limits will be created or some photos will be set right, just just just to control the keywords of multiple services.

B

uh Similarly, you can have a secret context and either you can add one variable from a config map to the to a deployment.

D

B

Part and then you can use it right, so there are various uh policies: uh either you can use labels right. uh We talked about init containers.

B

If you were containers other ones, you can validate those female containers as well, because as part of debugging, there is a so many uh debugging tools are there which go and configure them for female containers as well right so as part of uh making a secure cluster uh as a namespace service, for example, people go and add those containers as well right, but those efficient containers can be validated or can be validated using a cabin or policies as well right, add labels and add no definition or node selector to any resources.

B

When you come up with a benefit of certain resources, so there are so many either either you can add a part proxies uh either you can use some safety effect labels on a when you do a auto scale or when you configure outer skill, or you want to add certain say- to make safe to evac, annotations or labels to certain resources to make them a vector. Certain operations can be automated and mutated, with the uh policy structure so yeah either.

B

You can want to inject a sidecar container when you create a cycle container to do some uh initialize operations and then your main container get kicked in so those can. Those kind of uses can be done as well. uh Similarly low for shell uh block virginia security, vulnerabilities came in some days back right. That was a long. uh There is number of people who are talking about number of softwares which were using log4j was affected, but because of that cv error, so we kind of have those validations.

B

We can. You can write certain policies just to validate and those unmuted certain elvs as well right. So it's a certain continuous you just started images getting used. You can just do some operations. You can either validate and mutate those parts just to overcome these.

B

Spread forward across the node, so you can add some low definition, abilities or labels required labels or departments, and those kind of stuff can be easily done using these policies. Similarly, we have before guided because.

B

Why did you can uh so most of the phd policies are validated, so you can have certain policies with just a similar thing uh to achieve the similar behavior. What psp does and more on top of that right. So these are the.

B

Complex complex scenarios, um you can just click on some of some of an example. Try to learn about that and you can just apply and apply and let's see the beverages right based on the certain use cases uh yeah and then yes. Similarly, we have for verifying this as well. uh We talked about how can you?

B

How can you verify images with a certain cosine features or base sign features, and then you can verify image with multiple keys as well right if you have a image stored with different strings, so particularly, it has to be used in particular cluster of those kind of use cases you have, you can use different key features, multiple key features as well and either you can uh verify images from these kms as well.

B

So those kind of everything has been, as a use case has been put here, and you can just click on any other policies that try to learn about those things. uh Similarly, we try to divide the policies with the subject. If you need a policy around pod network policy, deployment or service account or by link once it happens, so you can click based on the certain resources. You can click on the on these labels or you can say, and you can get certain policies like if you want to have certain policies around persistent volume claim.

A

Anyway, I think you have the image verify rule filter, so maybe you can cancel that out and I'll show.

B

You yeah exactly okay, so yeah, for example. I was talking about the perception volume thing so yeah. I want to limit certain persistent volumes, so this is one of the examples just started here, but uh some certain examples. uh We are coming with certain more examples. We'll just try to add those examples here. So it's in a multi-progress cycle, so yeah. So here you want to limit the certain host path volume which has uh matching patterns right. So these are the policies you can use based on the different scenarios.

B

Yeah, I think this is all about the sample policies. Thank you. Yeah.

A

Thank you for taking uh vanquish. I think those are really helpful and useful policies that address different type of use. Cases all right just to quickly summarize. Today's workshop uh as kiverno is the kubernetes native policy engine that can be used to secure and automate configurations of your kubernetes resources, and you can run kiverno either as an administration controller or as a cli standalone ci to integrate it in your cdicd pipelines and also uh you know this with four different types of cavernal policies.

A

Combined with like the variables streaming's past expressions filters and all the features we've supported. Kimrono can't handle complex policies and it's it has been approved, approved for production already, and uh the last thing that it's most important kimono is really easy to get started with. uh You have all the we have all the sample policies from our library and it works well with other kubernetes tools and processes.

A

So yeah with that, uh if you're interested in caverno feel free to join the caverno community, we have all the policies, the docs, all the references available on our website and uh by the way, the demo all the demo manifests, are also available under the kubernetes github optimization.

A

You can find the repo called demos and we have all the manifests there and uh we host two slack channels under kubernetes workspace.

A

One is for uh you know you can ask questions and on kiberno's slack channel and if you are interested in contributing to kiverno, you can join this kiberno dev channel to discuss any of the uh like the implementation uh designs or any details about the project development, and we also host meetings for end users, as well as the contributors so feel free to subscribe, subscribe to kirono google group and uh join our discussion all right, and I will also provide this free training for caverno, like for you to learn more concept of caverno to help craft your rental policies, once you complete that you will get certified with this caverno fundamental certification and yeah.

A

That's all about this workshop. Thank you. Thank you. Thank you for take. Then thank you nipendra to have us here and we're open to take any questions.

B

It says: is there a way to send cicd results to the camino policy reporter? Do you want to answer that.

A

Yeah, I can take that um so mostly a policy reporter consumes. The policy report result that that is generated into the kubernetes cluster, but but the results in the cicd pipeline is something that you need to configure with the pipeline itself in order to send out the notification.

A

But if you have the policy reporter installed for any violations like I, um I think we have slides for that. You can configure the different targets, like the slack, uh elastic search, loki and all the others to send out the notification. It is not with the cs cd itself, but it's something that you can report the violations of the result. Lively from your cluster through those targets.

A

I hope that answers your question.

E

Okay, um thank you. uh Thank you for the event, shutting down have some time with us and talk about giver, know and all the great demos what we have shown, I'm pretty sure that uh people would have learned a good amount of stuff uh for these workshops.

E

As this workshop would be available on the youtube video in some time, so we'll do that just lastly, before we kind of sign off just want to share a few more stuff. So as this workshop as an entire kcd event is uh primarily community driven and uh we are basically going to um whatever the sponsor money we're going to get from sponsors right. We are sponsoring different uh boot camps for the students there.

E

So last year we sponsored a few uh six or seven boot camps and out of that three to four participants have clear ck exam. Similarly, if you know there are students in your community who want to kind of join in this ecosystem and they need to kick start so again. This year also will be giving like seven to eight boot camps uh coupons to the students.

E

So if you know, students who want to join in, please request them to come and attend the seek the kcd event, uh where we'll have the kind of details, how they can uh kind of win, that bootcamp uh certification and so on.

E

I hope to see in the main event as well and look for more participations uh in the community. uh So for participants, please become speaker next time and we'll be happy to host you.

E