Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands, from 18-21 April 2023. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
These projects are Open Policy Agent and Kyverno. While they share some similarities, there are also some significant differences between them. Let's go over a few. The policy language, for instance: OPA uses a language called Rego, which is declarative. It's a rule-based language that allows developers to write policies using a set of predefined rules. Kyverno, on the other hand, uses YAML-based policies that can be easily understood and written by Kubernetes users without a deep knowledge of programming languages.
So, while Kyverno is easily accessible to anybody that ever wrote YAML, OPA with Rego requires a learning curve. In terms of policy enforcement, OPA is a standalone policy agent engine that can be integrated with other Kubernetes tools, such as Kubernetes admission controllers. It's used to enforce policies. Kyverno is a native Kubernetes admission controller, which means it integrates directly into the Kubernetes API server and enforces policies in real time.
The policy scope: OPA policies can be used to enforce policies across multiple clusters, while Kyverno policies are scoped to a single Kubernetes cluster. And in terms of policy updates, for instance, in OPA policies can be updated on the fly without requiring a restart of the policy agent. In Kyverno, policies need to be applied as a Kubernetes resource, and they may require a restart of the Kubernetes API server. And lastly, in terms of management, OPA provides a comprehensive policy management API, which enables users to manage policies programmatically. Kyverno, on the other hand, provides a Kubernetes-native policy management experience, where policies are managed as Kubernetes resources. In summary, while OPA and Kyverno are both policy engines that enable policy-based governance of Kubernetes clusters, they differ in their policy language, the enforcement, the scope, the updates and the management.
The choice between the two will probably depend on the specific use case, and it is possible to use them both in conjunction to achieve comprehensive policy-based governance. At ARMO, we have the largest library of security controls available. There are over 200 at your disposal, and they are all written in Rego. From time to time, ARMO Platform and Kubescape users want to write their own custom policies and controls to meet their specific needs and security policies, and to do so, they need to know how to use OPA and Rego, which isn't trivial.
So this is where AI comes in. ARMO Labs has harnessed GPT-3 to help users create their own custom controls without the need to know how to use OPA and Rego. All you need to do is write what you want to check in natural language, and ARMO, with GPT-3, will generate the exact control written in Rego, with a description and also the suggested remediation.
Once the custom control is generated, the user can download it and run the control in the CLI as part of improving their Kubernetes security posture. So how do we do it? Let's take a look at ARMO Platform. All you need to do in order to use this feature is just head over to the settings page, to the control section, and click on "create custom control".
For instance, you can put a deployment manifest or a secret manifest or whatever, and if you know exactly what you're looking for and what you're testing in this control, you can also provide the description and the necessary remediation, but you don't have to do that, because ARMO does that for you. Here, I'm going to give it a name; it's going to be "pod test". And what I want this control to test is: I want this control to fail if a pod, for instance, has a CPU resource request with a value higher than 300.
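As an added example (not the control generated in the talk, and not in Kubescape's own control format), here is the check just described written as a plain OPA Rego policy; it assumes the threshold of 300 means 300 millicores and that the input is a single Pod manifest:

```rego
package pod_cpu_request

import rego.v1

# Added example, not the talk's generated control. The threshold of 300 is
# assumed to mean 300 millicores (the Kubernetes quantity "300m").
max_cpu_millicores := 300

# Convert a Kubernetes CPU quantity to millicores:
# "250m" -> 250, "1" -> 1000, "0.5" -> 500, unquoted YAML number 2 -> 2000.
millicores(q) := to_number(trim_suffix(q, "m")) if {
	is_string(q)
	endswith(q, "m")
}

millicores(q) := to_number(q) * 1000 if {
	is_string(q)
	not endswith(q, "m")
}

millicores(q) := q * 1000 if is_number(q)

# Every container whose CPU request exceeds the threshold.
# Containers without a CPU request never match, so they do not fail the control.
violating_containers contains c.name if {
	some c in input.spec.containers
	millicores(c.resources.requests.cpu) > max_cpu_millicores
}

# The control fails (deny is non-empty) when the input is a Pod with a violation.
deny contains msg if {
	input.kind == "Pod"
	some name in violating_containers
	msg := sprintf("container %q requests more than %dm CPU", [name, max_cpu_millicores])
}

# Remediation text, mirroring the description/remediation the generated control carries.
remediation := "Lower spec.containers[].resources.requests.cpu to 300m or less."
```

Evaluated with `opa eval -i pod.yaml -d policy.rego "data.pod_cpu_request.deny"`, a Pod whose container requests `cpu: "500m"` produces one deny message, while `cpu: "250m"` produces an empty set.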
Now I want to show you ARMO Platform in general, and how the context is being connected. The first thing you see when you start using the ARMO Platform is the dashboard. It's a single view of everything you should know about your Kubernetes environments, from CI/CD and clusters, and it's all aggregated into one single view that helps you focus on what really matters and what's really important from a security and compliance perspective.
What we see here are the different clusters that I've scanned in the past, and it's prioritized by the risk score calculated based on the different frameworks we use, and you understand which cluster you should start working on first, right? We also show you the configuration risk trend over time, so you can identify drift changes in your configuration. So maybe you notice something changed and there's maybe a spike in the graph, so you need to pay attention to it and you need to take action about it.
Also, when it comes to vulnerabilities, you can see right here in the lower graph, and we also show you what are the top five failed controls that we ran against your environment and what are the top five CVEs that we found on your clusters. These are actionable items from the dashboard screen. Now, this is usually the first view that a typical user sees after the onboarding, and this is where you should start your Kubernetes security journey first thing in the morning.
What you see here are different clusters that I've scanned, and you can see which provider the cluster is on and any other information that we provide.
So, let's navigate again to the settings page, and under the framework section you can see the different frameworks that we have. We have out-of-the-box frameworks like MITRE, NSA, CIS, and there is also an option to customize and build your own framework and cherry-pick the controls that are relevant to your security needs and to your compliance requirements.
Some of the controls can be configured according to specific needs. So, let's say I look for application credentials in configuration files, which is, of course, not something that is recommended. It's not recommended to save secrets in your configuration files, and I can decide which secrets the control should look for. I can add or remove different types of values, and this is also true for other controls that may be configurable in the platform, and this provides a high level of flexibility and customization.
Let's navigate back to the platform, and now I will navigate to the compliance section. You can run scans manually or according to a scheduled interval using cron jobs. Focusing on the control that we just looked at, the application credentials: when I click on it, I see which resources failed against this control. I can also exclude findings that are approved by me, because, you know, some manifest files have those configurations by design, and some of them are being excluded for you in order to reduce all the noise. And the system not only shows you a bunch of failed resources: if you click on the fix button, the platform will offer a remediation, including specific information regarding what the issue is, where it is found and how you can fix it. In order for you to fix it, I can also share the issue with my teammates. I can send that via a Slack channel, or I can even open a Jira ticket straight from here using the collaboration feature. And let's move to the vulnerability section.
The platform scans the images that run inside the cluster, and we can see the vulnerabilities that were found. So we can filter or sort according to certain criteria, like: show me only the RCE vulnerabilities, which are considered more likely to be a risky vulnerability, or only the ones that have a fix, meaning I can do something about them, or let's combine them both with the severity filter, and this reduces the noise and filters everything that, you know, is less relevant.
This is the RBAC visualizer. RBAC is considered by many to be one of the most complex things to manage in Kubernetes, so the platform offers an interactive visualizer to understand all your resources: your role bindings, your roles, cluster roles, who can access what, verbs, everything. We made it even easier to query using some built-in queries, so you get useful information and important information and insights with no trouble.
For example: show me all the cluster admins that I have in my cluster. And by the way, the C35 means that it's also a misconfiguration covered as one of the controls.
So we actually get context between the misconfiguration and the RBAC, and this shows how different sections of the platform provide context when combined. And now I see all the cluster admins in my cluster. I can also have a reverse look and see which other roles this user is related to, or which subjects are related to certain cluster roles, depending on the need that I have, and I can go top down or I can go bottom up. And another example is: show me all the unassigned roles. It is not a good practice to leave unassigned roles in your environment, and you can easily take action based on the information that you see here.
I can also use the investigate tool, where I can search for specific roles or users or service accounts, and so on, and investigate from there. I get asked to see all the related resources or roles, and using the who-can tool I can further investigate the item in question and ask who can get or list, for instance, secrets in my environment. And you see, there you go, it's actionable items. Everything we just played with is in the context of your clusters, but the platform also provides the same information regarding misconfigurations and vulnerabilities outside the cluster.
There are many potential use cases for using ChatGPT within the context of Kubernetes. Kubernetes can be challenging to navigate and fully utilize due to its complex nature and the need for a substantial understanding and set of skills. Any help that AI-based tools like ChatGPT can provide to make this task easier is welcomed, from writing a new YAML file to deploying a new cluster to securing it, as in the case of the implementation I just showed you.
We envision a custom framework made up of custom controls, which will grow as you add controls to it. Our roadmap includes adding the ability to create custom frameworks that will host and save all the custom controls and enable the users to run them directly from our platform, thus making it easier for users to access and utilize their custom controls, as well as streamlining the process of adding new ones.
This new type of custom framework will provide a more flexible and user-friendly experience for our users. And in terms of upstream, Kubescape users will be able to contribute new controls to the Kubescape regolibrary and give back to the community that way. Once merged, these controls will be available for selection and use by all Kubescape and ARMO Platform users, thus making you part of our Kubescape community. And that's what I wanted to talk to you about today.