Description
Kubernetes Community Days Bengaluru'21
Kyverno is a Kubernetes-native policy engine that lets you define policies as Kubernetes-compliant manifests. Kyverno uses the Kubernetes admission webhook to validate, mutate, and generate Kubernetes resources. Using Kyverno, a central platform team can define policies and ensure that configurations comply with its security and best-practice standards. The best thing about Kyverno is that it does not require learning a new programming language to define a policy. Creating and operating a policy is really easy! Attendees will learn how Kyverno works and how they can use it to secure the workloads on their cluster.
Okay, so here's the situation: a new team member set up a Jenkins cluster and the CPU keeps hitting 200 percent. When I investigated, I found that they did not add pod security policies, as they heard PSPs were deprecated. The lack of pod security on the cluster allowed intruders to run privileged pods and launch crypto mining workloads, which caused the CPU to spike and resulted in a large cloud provider bill.
While it's true that PSPs are marked for deprecation in version 1.21, you can still use them until a replacement is ready. However, implementing PSPs has many challenges, which is why they are deprecated to begin with. So what's one to do? I've heard about this new CNCF project called Kyverno, which also implements pod security, and I know one of the maintainers. So let's learn about it and see what it can do.
Hey Pooja, thank you for hopping on the call real quick. I am actually in the middle of a situation.
Okay, so you're looking for a security policy that can block the pod.

Yes, this is exactly what I'm looking for.

Have you tried PSPs?

I was thinking of implementing PSPs, but again, it has its own disadvantages.
Makes sense. So did you try any other policy management tools?

I checked Kyverno and OPA, and I recall that you were involved in some Kyverno project. So can you help me to understand which will be the best case to use here?
So let me tell you about both Kyverno and OPA.

Okay.

Kyverno is a policy engine designed specifically for Kubernetes, and it has a full implementation of pod security standards and other policies to help secure configuration, while OPA is a general purpose policy engine and it provides a high level declarative language that lets you write specific policy as code. Its policies are written in Rego.

Oh, Rego, so is there another language to learn?
So can you show me the pod configuration, so that we can check it quickly and decide what kind of policy we need here?

Let me share my screen. Yeah.
This was the pod YAML file I was actually looking at, and if you can see, the security context has privileged set to true here.

Yes, and I can see that it has host access, which is not secure.
So I think, yes, Kyverno fits very well here. It is specially designed for handling these kinds of scenarios.

Oh, I'm really glad to understand that Kyverno is the best use case here. Can you tell me more about Kyverno?

So Kyverno actually runs as a dynamic admission controller in the Kubernetes cluster.
I have shared you a link, so let's try installing Kyverno in your cluster.

Okay, so you are telling me that this single link will help me install Kyverno in my cluster?

Exactly.

Okay. So let me install this pretty quickly, and here it goes. I think this is getting installed. So let's wait for a while, and yeah, it's created. Can you take a look at your side and check whether the configuration looks good?

Yeah, sure. Okay, so here we can see the Kyverno pod is running. This means Kyverno is installed in your cluster.
So here, this is how the policy structure looks. Under policies, we have a collection of rules. Under rules, we can mention match and exclude clauses, and these are the parameters which you can mention under these clauses. So here, match means the resources you mention under it are the ones on which you want to apply the policy, and similarly, exclude is the resources which you want to exclude. And under rules, you can mention three types, that is mutate, validate and generate.
So what this policy will do is it will go and check in the pod for these specific keys, that is spec, init containers, containers, security context and privileged. So on the other end, the policy will check for the privileged keyword and it will check that its value is false. If the value is false, it will allow the pod to get created. If it is true, then it will give this error message, so it will block it.
So considering your use case, I have just changed the policy a bit. I have added an extra parameter, namespace, that's all. So what this policy will do is it will be applied to all the pods which will be created in this specific namespace.
Okay, so we have an example, that is add network policies. So what generate does is it will help you to create an additional resource on creation of a new resource. So here you can see what will happen is this policy will be triggered when you create a new namespace, and it will generate a network policy under the created namespace with this inline data.
I have shared you the documentation for Kyverno, so you will find a GitHub link on the same, and there are also free workshops and training from the company Nirmata, who created it. Ping me in case you need anything else.

Sure. Thank you, thanks a lot, it was really helpful. Thank you a lot.

Hi, my name is Dollas. I'm working as a DevOps engineer in Nirmata.

Hi, this is Pooja. I am working as a software engineer in Nirmata. So today we saw how Kyverno can help secure your cluster in under five minutes.
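As an added example (written for this page, not taken from the talk's screen share or from the Kyverno project's own sample library), here are the two policies the conversation describes in Kyverno's ClusterPolicy format: a validate rule that rejects pods whose containers or init containers set securityContext.privileged to true in one namespace, and a generate rule that creates a default-deny NetworkPolicy in every newly created namespace. The namespace name `jenkins` is an assumption.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: enforce   # reject the pod instead of only reporting it
  background: true
  rules:
    - name: privileged-containers
      match:
        resources:
          kinds:
            - Pod
          namespaces:
            - jenkins                  # assumed namespace; adjust for your cluster
      validate:
        message: "Privileged mode is disallowed. securityContext.privileged must be unset or false."
        pattern:
          spec:
            # =(key) means: only check the key if it is present in the pod
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
    - name: default-deny
      match:
        resources:
          kinds:
            - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"   # the namespace being created
        synchronize: true
        data:
          spec:
            podSelector: {}          # selects every pod in the namespace
            policyTypes:
              - Ingress
              - Egress
```

After `kubectl apply -f` on this file, a pod in the `jenkins` namespace with `privileged: true` is rejected at admission with the message above, and each new namespace receives the default-deny NetworkPolicy as its inline data.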