►
From YouTube: Cloud Native Live: What's new with Kyverno
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hello,
everyone
welcome
to
cloud
native
live
where
we
dive
into
the
code
behind
cloud
native,
I'm
annie
talasta
and
I'm
a
cncf
ambassador
as
well
as
a
senior
product
marketing
manager
at
camunda,
and
I
will
be
your
host
tonight.
So
every
week
we
bring
a
new
set
of
presenters
to
showcase
how
to
work
with
cloud-native
technologies.
A
They
will
build
things,
they
will
break
things
and
they
will
answer
all
of
your
burning
questions,
so
you
can
join
us
every
wednesday
to
watch
live
so
this
week
we
have
chiverna
to
talk
about
what's
new
with
kiborno,
which
is
really
exciting
so
and
as
always,
a
bit
of
housekeeping
to
kick
us
off.
So
this
is
an
official
live
stream
of
the
cncf
and
as
such,
it
is
subject
to
the
cncf
code
of
conduct.
A
B
B
All
right,
I
guess
that's
a
yes,
hello.
Everyone
welcome
to
like
this
cncf
webinar
for
kubernetes
and
we're
gonna
talk
about
like
upcoming
features
in
canva
160
release,
and
today
you
know
just
a
few.
Like
a
background
about
the
speakers.
Today
we
have
chip
dollar
and
I'm
shooting
down
we're
we're
both
skid
row
and
tenors
and
cheap
is
the
one
focusing
on
like
contributing
to
all
different
phases
of
kiberno,
except
for
like
developing,
and
I'm
currently
leading
the
the
current
project
on
the
development
side.
B
All
right
so
today
we're
gonna
have.
This
is
like
then
overview
of
the
topics
for
today.
We're
gonna
have
a
quick
introduction
of
kirono's
architecture
and
the
structures
of
the
kernel
policies
and
then
we'll
jump
directly
to
the
new
features
in
kiberno,
and
we
have
a
whole
bunch
of
like
different
demos.
Today
like
and
we'll
show
you
like
how
that
new
features
work
in
the
in
the
kubernetes
cluster
right,
and
I
will
take
the
questions
at
the
end.
B
But
if
you
have
like
in
case,
you
have
any
questions
popped
up
in
between
feel
free
to
pause
us
there,
and
I
will
happy
to
help
all
right
so
like
for
the
kiverno
high
level
architecture.
B
As
you
know,
like
the
kiverno
is
the
kubernetes
policy
engine
which
is
native
to
kubernetes,
and
it
runs
as
the
emission
controller
which
registers
limitation
and
validation
web
configurations
in
order
to
to
like
inject
defaults
and
validate
configurations
based
on
the
emission
reveal
data
and
based
on
the
policy
decision.
B
Kiberno
can
either
reject
your
resource
creation
or
operation
or
just
like
simply
let
it
pass
and
audit
the
results
to
the
policy
reports
and,
besides
that,
in
the
mutating
web
hook,
kiberno
also
verified
the
image
signatures,
as
well
as
the
testations,
and
you
can
also
look
up
the
data
from
the
external
registry
and
to
further
utilize
that
in
your
inner
policy
and
in
addition
to
that,
kiverno
also
runs.
This
generate
controller,
which
is
triggered
on
the
emission
webhook
and
generates
this
intermediate
resource
or
a
cr
called
generate
request.
B
And
the
general
controller
will
pick
up
the
generate
request
later
and
apply
the
paul.
The
generate
policies
on
on
the
like
the
trigger
resource
and
other
than
that
kevon
also
generates
the
policy
report,
which
is
just
you
know,
like
audit
policy
results
in
this
policy
reports
er
and
then
you
can
have
the
aggregate
view
of
the
results
of
the
policy
decisions
right
and
other
than
that.
Kirono
runs
a
monitor
and
webhook
server,
which
keeps
monitoring
the
webpack
status
and
as
well
as
managing
the
juvenile
secrets
and
config
maps.
B
Okay,
and
so
this
is
like
the
structure
of
economic
policy
and
a
policy
here
is
just
the
kubernetes
crd
and
you
can
create
like
multiple
cluster
policies
of
policies
as
the
kubernetes
cpr
and
in
each
policy
you
can
define
one
or
multiple
rules
and
then
each
rule.
You
will
have
like
this
match
and
exclude
block
to
select
various
sources
on
different
information
and
then
in
its
root
body.
You
can
specify
one
of
those
four
type
of
groups
to
mutate,
validate,
generate
resources,
as
well
as
verifying
image
signatures
and
attestations.
B
Okay,
so
this
really
is,
you
know
just
a
quick
entry
of
caverno.
There
are
a
lot
of
like
good
resources
out
there
for
the
introductory
and
how
how
you
can
use
kiberno
to
apply
the
basic
mutate
validate
policies
and
today
we're
just
gonna,
like
mostly
focus
on
the
new
features
in
160,
since
this
is
a
big
release
after
the
kubecon
last
year
october,
and
this
release
includes
a
lot
of
new
features
and
critical
enhancements.
B
Okay,
so
the
first
thing
I
want
to
talk
about
is
this
even
image:
verification
policy
with
kiverno15
we
have
this
type
of
rule
enabled
to
you
know,
verify
the
image
signatures
that
are
signed
with
or
without
the
keys,
and
you
can
use
this
tool
called
cosign
to
sign
the
image
and
it
has
this
kila
keyless
signing
ability,
so
that
in
covenant
policy,
you
just
need
to
create
the
root
or
provide
the
root
ca
so
that
kubernetes
can
validate
or
verify
your
image
signatures
using
the
provided
certificate,
and
I
wanna
like
what's
new
in
one
six:
is
this
use
kernel
policy
to
verify
image
attestation,
and
there
there
was
a
recent
new
feature.
B
Added
like
to
you
know,
look
up
image
data
from
external
registry
and
then
the
image
the
background
scan
is
also
enabled
for
this
type
of
rule,
so
that
you
can
have
the
policy
report
based
on
the
configured
image,
verify
policy
right.
So
before
we
jump
to
the
demo,
I
wanna,
like
you,
know,
just
give
you
a
little
bit
background
about
the
attestations.
B
So
we
use
this
tool
called
in
total
and
it
is
like
a
linux
foundation
project
which
has
a
like
a
standard
attack
station
format
and,
as
you
can
see
here
within
a
attestation
statement,
you
can
either
like
custom,
customize,
customize
payload
or
define
some
of
the
built-in
payload
and
later
use
that
in
kevin
policy
to
validate
configurations
right.
So
the
attestation
is
just
something
you
can
sign
that
and
attach
to
the
image
and
then
stored
in
the
registry
and
cuverno
by
default.
B
Okay,
that's
that's
a
little
bit
background
about
testation,
let's
switch
to
my
to
the
policy
I
have
for
today
and
we
have
a
few
demos
for,
for
this
image
verify
type
of
rule
okay.
So
the
first
thing
we
have
here
is
a
kubernetes
validate
policy
and,
as
you
can
see
here,
I
set
the
validation
failure
action
to
enforce,
which
means
I
want
to
reject
the
resource
creation
or
operation.
B
If,
if
there's
any
violations
on
my
incoming
resource
right
and
then
in
its
root
body,
I'm
just
trying
to
specify
this
verify
image
blue
and
it's
matching
the
image
coming
from
my
own
registry
and
it
provides
the
public
key
to
verify
the
image
signatures
and
this
attestation
attributes.
I'm
just
saying
that.
Okay,
I
want
to
verify
my
image
is
coming
from
the
right
branch
and
the
reviewers
of
the
image
has
to
be
in
this,
like
the
listed
reviewers
and
before
we
do
that.
B
I
want
to
show
you
the
image
like
the
tasmanian
image.
I've
just
built,
as
you
can
see
here,
it's
a
simple
past
container,
which
is
used
in
kubernetes,
and
it
has
the
signature
ready
because
I've,
you
know,
signed
the
sign
image
with
the
private
key
and
push
it
upstream
and
then,
after
that,
I
just
want
to
verify
the
attestations
in
the
image
so
far
it
doesn't
have
any.
So,
let's
see
what
happens
if
I
create,
if
I
install
the
policy
and
create
the
the
resource
or
a
pod,
using
the
image
that
doesn't
have
any
attestations.
B
Okay,
so,
like
I'm
running
a
kubernetes,
1,
23
cluster-
and
currently
I
have
kverno
installed
like
this-
is
the
latest
1
6
release
candidate?
B
Let
me
just
check
the
tag
on
that
right.
It's
running,
canva,
160,
rc1
and
then
so
far
I
don't
have.
I
don't
think
I
have
any
policies
and
stuff
right
so
c.
Paul
here
is
just
the
short
name
of
the
cluster
policy.
You
can
either
like
do
crocodile
get
cluster
policy
or
get
simple,
it'll
return.
You,
the
existing
cluster
policies,
all
right,
so
let's
create
policy.
First,
let's
say
crocodile
apply
check
review.
B
In
that
case,
I
want
to
verify
the
policies
been
installed
and
it's
it's
becoming
ready
right.
So
it
indicates
this
policy
is
ready
to
serve
the
admission
request.
B
Okay,
so
now
we
have
the
policy
in
place
and
let's
say
if
I
run
a
just
a
standalone
pod
using
my
pos
container
image,
which
does
not
have
any
attestation
information
right.
So
let's
create
that
pod
and
ideally
I
should
see
kubernetes
blocks
that
resource
creation,
because
okay,
this
the
signature,
doesn't
match
right.
So
this
rule
is
actually
blocking
the
resource
creation.
And
then
this
remember
this
cosine
coi2.
B
It
also
provides
the
a
test
command
for
you
to
sign
the
attestation
and
attach
it
to
the
image
like
the
container
image
and
then
a
push-up
string
right.
So
let's
invoke,
let's
run
that
command
called
the
test
by
the
way
before
we
do
that.
I
want
to
you
know,
add
these
attestations
to
my
image
and
saying
that.
Okay,
this
image
was
built
from
men
branch,
and
this
is
the
reviewer
who
reviews
that
image
right.
B
It's
just
the
the
the
simple
information
here
and
then,
if
I
run
cosign
a
test
with
the
key
and
then
I
attach
the
entire
review
json,
which
is
a
test
station
with
this
flag
and
I'll,
attach
the
container
image
here
then
it'll
sign
the
test
station
and
attach
it
to
the
container.
I
have
right
just
entering
the
password
for
the
private
key.
B
Okay,
so
now
our
our
container
image
should
have
that
attestation.
Let
me
quickly
refresh
that
okay
good
now
you
can
see
there
is
another
like
signature
here,
which
is
which
has
this
dot
att.
B
A
B
A
So
far,
but
hopefully
we
will
get
more
and
more
as
we
go
along.
B
Okay,
I
think
I
can
just
proceed
from
here.
Yeah
all
right
and
the
next
example
I
have
is
to
look
up
image
data
from
your
image
registry
and
use
that
in
like
the
validate
or
the
mutate
policy
for
food,
their
policy
application
right.
So
again
I
have
a
cluster
policy
here,
which
is
matching
the
pod
and
simply
I'm
just
filtering
out
filtering
out
the
delete
request
and
this
with
with
this
validate
rule,
I'm
gonna
iterate
through
like
each
container
images
and
trying
to
calculate
the
image
size
right.
B
As
you
can
see,
I
have
defined
the
contacts
attributes
here
and
it's
trying
to
use
this
james
pass
operation
to
get
the
size
of
that
image
and
and
stored
in
this
image.
Size
policy
contacts
variable
right
and
this
variable
is
later
consumed
by
the
deny
rule-
and
here
I
have
a
condition
say
that,
okay,
if
my
image
size
is
greater
than
2gig,
then
block
the
resource
for
me.
Otherwise
allow
allow
the
creation
right.
B
So
let
me
clean
up
the
previous,
like
cluster
policy
and
then
I'll
delete
the
workloads.
The
part
I
just
run
like
a
quad
test.
B
And
then
apply
that
like
block
image
policy
to
cluster.
B
Okay,
let's
check
whether
the
image
is
ready
or
not:
it's
not
ready
yet.
Okay,
now
it
became
ready
and
then
I'm
gonna
create.
First,
I'm
gonna
create
a
like
a
busy
box
pod.
You
know
apparently
busy
box
size
is
this.
You
know
there's
no
chance.
It
exceeds
the
limit
right.
So
I
should
see
the
the
the
busy
box
creation
should
be
allowed
and
let's
just
execute
that
command.
B
Let's
say
demo
dash
dash
image
visit
box,
one
of
28
and
in
this
case
camera
look
up
the
the
image
data
and
tries
to
calculate
the
size
of
the
busy
box
image.
And
after
that
you
just
see
the
pod
creation
pass
pass
through
and
then
I'm
gonna
create
another
like
a
pod
using
this
large
cluster.
Sorry
large
image
which
its
size
apparently
exceeds
2gig-
and
you
know
ideally
kubernetes-
should
block
that
resource
creation.
For
me.
B
Okay,
now
you
can
see
that
okay,
my
policy
block
large
images
just
about
the
demo
creation,
because
the
image
size
exceeds
to
2
gig,
all
right
and
next,
I'm
going
to
have
another
like
policy,
leveraging
the
image
data
that
it's
been
used
in
the
take
policy,
and
it's
just
trying
to
replace
the
image
to
the
resolved
ref
again
here
I
have
a
cluster
policy
matching
a
pod.
B
I'm
trying
to
filter
out
delete
a
request,
and
there
I
have
this
for
each
mutate,
rule
defined
and
again,
trying
to
iterate
through
container
images
and
store
that
resolved
image.
Information
to
this
policy
context
variable
and
the
and
this
this
variable
is
later
used
in
this
mutate
patch
strategy,
merge
pattern
and
I
just
try
to
replace
the
image
by
its
reference.
B
Okay,
so
let's
apply
the
policy
to
the
cluster,
say,
resolve
and
then
okay,
let's
do
that
pause
image
again.
So,
if
I
run
do
I
have
that.
B
Okay,
it
said
wow
all
right-
I
don't
have
that
great,
so
you
can
see
the
part
been
created
and
if
we
inspect
the
public
image,
you'll
see
that
the
image
should
be
replaced
by
its
resolved
reference.
Instead
of
like
the
image
I
specified
in
the
command
okay,
this
is
then
an
example
of
the
like
how
how
to
use
image
data
and
validate
and
mutate
policies
all
right
and
going
back
to
the
slides.
A
As
well,
we
got
some
answers
in
the
chat
already,
but
if
you
want
to
expand
a
bit
so
there
was
santosh
asking
about
sure
they
got
details.
Thank
you
and
then
there
was
amir
asking
about
james
back,
which
is
a
query
language
for
jason.
So
if
you
want
to
understand
those
yeah.
B
Okay,
I
saw
them
are
already
answered
and
some
of
the
links
are
provided,
but
if
you
want
to
learn
more
about
jamie's
password,
the
that
type
of
policy
feel
free
to.
You
know
browse
our
like
your
own
website
and
we
have
all
the
documentations
ready
like
on
this
on
this
writing
policies
page
and
also
we're
working
on
like
one
six
release.
Trying
to
you
know,
publish
everything
along
with
the
q1016
release.
C
And
to
just
expand
on
the
on
the
james
path,
because
this
is
the
theme
that
that
comes
up
pretty
frequently
in
cavernous
policies,
just
a
real
quick
overview.
You
can
obviously
go
and
read
the
link,
but
jamespath
is
just
a
query
language
for
json
that
we
use
internally
to
perform
filtering
and
selection
on
complex
data
structures,
and
this
is
beneficial
because
it's
not
a
you
know.
You
can
get
many
of
the
powerful
things
that
that
you
need
to
by
policy
without
having
to
write
a
programming
language.
C
So
by
tapping
into
a
filter
language,
we
can
allow
some
pretty
complex
expressions
to
be
built
to
do
pretty
much
anything
or
most
things
for
sure
that
you'd
need
to
do
with
policy.
So
a
little
bit
of
background
on
james
path
and
you'll
see
that
across
many
caverno
policies
it's
not
a
requirement,
but
some
things
you
you
may
need
to
use
james
path
for
others.
Just
a
simple
pattern
statement.
A
Perfect
and
then
there's
a
extra
question,
so
amir
continues.
What
if
we
want
more
complex
mutations.
C
Yeah
I
mean
it's
like
with
with
most
use
cases.
If
your,
if
your
use
case
gets
more
and
more
complex,
then
you
may
need
to
involve
some
james
path,
but
for
simple
mutations
you
may
not
need
any
if
you
need
to,
if
you
do
need
to
do
complex
mutations,
whatever
the
definition
of
that
is.
C
B
Right
exactly
so
currently
we
have
22
mutate
policy
samples
here
available
on
the
website,
but
feel
free
to
browse
it.
But
if,
if
it
cannot
address
your
use
case,
feel
free
to
reach
out
and
we'll
definitely
add
that
to
to
our
sample
post.
A
Perfect
then
there's
one
additional
question
more
so
so
I'm
going
to
continue
so
we
cannot
use
scripting
languages
like
something.
C
Yeah
right
now,
the
scripting
language
that
we're
enabling
is
james
path.
It's
not
a
bring
your
own
scripting
language.
We
are
evaluating
some
ways
to
maybe
bring
your
own
language
like
maybe
javascript
or
something,
but
as
of
right
now,
it's
really
just
one,
and
quite
honestly,
we
found
that
with
james
path.
C
There
are,
I
mean,
at
least
in
my
my
experience,
and
I
I
keep
to
a
lot
of
what
the
community
is
doing.
I
haven't.
I
haven't,
run
across
much
of
anything
that
can't
be
accomplished
with
caverno
policies
and
james
path.
I'm
sure
there
are
some
use
cases,
but
they're,
probably
not
fairly
they're
they're
not
prevalent.
B
Right
and
we're
also
avoiding
like
doing
external
costs
if,
if
we
enable
like
the
javascript,
there's
no
control
on
that
right,
so
currently,
kubernetes
can
look
up
data
from
existing
clusters
through
config
map
through
api
cause,
and
this
image,
like
a
data
lookup
it
just
recently
added,
but
that's
that's
all
like
for
the
lookups
of
kevin.
So
that's
one
of
the
other
reason
we're
just
kind
of
hesitating,
adding
that
to
the.
A
Kiberno
perfect
thanks
for
the
extra
info
and
keep
the
questions
coming
up
everyone
we
will
answer
as
we
go
as
well
as
in
the
end.
So
thank
you
so
much
for
the
questions
so
far.
B
Okay,
thanks
sounds
good.
Let
me
just
continue
from
here
all
right
and
there
are
also
a
few
other
critical
enhancements.
We
added
to
kubernetes
one
is
related
to
the
conventional
performance,
as
we've
seen
that
in
caverno
prior
priority
to
kirino
1
6,
the
the
memory
usage
grows.
B
If
you
have
like
a
large
scale
of
clusters,
and
the
reason
for
that
is,
we
use
this
dynamic
informers
in
the
background
controller,
and
you
know,
by
default,
the
kubernetes
informers
maintains
the
memory
cache
for
that.
So,
if
you
have
thousands
of
load
resources
and
so
in
the
cluster,
convertible
memory
would
grow.
B
In
that
case,
and
with
one
six,
we
kind
of
moved
away
from
dynamic
informers
in
the
policy
controller,
and
it's
been
verified
that
the
memory
usage
was
reduced
from
around
like
400
mac
to
200
mag,
with
80
crown
jobs
and
10k
config
maps
scheduled
in
the
cluster
right.
B
So,
just
in
general,
we
don't
want
kirono
like
memory
usage
to
grow,
if
especially
when
you're
running
it
on
the
on
the
large
scale
of
clusters
and
we're
also
in
the
in
the
release
candidate
of
160,
we're
trying
to
collect
more
data
on
that
and
keep
monitoring
the
the
memory
usage
in
the
future.
B
Okay
and
another
related
is
like
how
you
use
kubernetes
like
how
cavernal
deals
with
failure
scenarios
right,
we've
heard
of
like
some
of
the
use
cases
from
the
community
that
the
user
shuts
down
the
the
entire
cluster,
at
least
the
data
plan
at
night
and
then
restart
the
cluster
in
the
morning
without
terminating
kiverno
create
gracefully.
So
in
that
case,
when
you
bring
back
your
cluster,
there
could
be
a
chance
that
caverno
is
not
recovered
yet,
so
the
admission
webhook
configurations
will
block
all
the
resource
from
recovering
right.
B
B
You
may
want
to
exclude
the
workloads
in
those
namespaces
and
you
can
also
configure
the
failure
policy
for
web
for
configurations
per
kiborno
policy
and
by
doing
that
on,
like,
for
example,
if
you
set
the
failure
policy
to
fail
in
that
case,
if,
if
webhook
is
not
responding
or
if
there's
any
arrow
of
the
of
of
the
mission
web
hug
kubernetes
will
just
reject
the
admission
request
on
that.
B
Otherwise,
if
you
have
it
set
to
ignore,
then
after
the
timeout,
kubernetes
will
just
allow
everything
to
pass
okay,
and
we
also
have
this
dynamic
web
hook,
which
is
introduced
in
run
five.
So
this
is
something
akiverno
will
automatically
and
manage
the
webpage
configurations
based
on
the
installed
policy,
that
is
to
say,
when
you
don't
have
any
policies
installed
in
your
cluster,
then
kyreno
won't
impact
any
of
your
like
the
cluster
workloads
or
the
resources.
B
Okay,
one
last
demo
from
me
for
today
is
this
namespace
scoped
failure
action
so
as
you've
seen
in
the
previous
demo
before
some
of
the
resource
creation
got
rejected,
because
I
have
the
failure
action
set
to
enforce,
and
in
that
case
like
especially
for
a
cluster
policy,
you
can
only
control
the
failure
action
across
entire
namespaces
and
with
this
override
ability
on
the
failure,
action,
you're
able
to
make
exceptions
for
kubernetes
namespaces
and
you
know
simply
either
like
to
enforce
or
audit
the
policy
violations
right.
B
B
While
I
have
this
overrides
defined
and
then
I'm
saying
that
this
within
the
prod
namespace,
I'm
enforcing
the
workloads
and
and
the
pods
must
have
this
label
with
a
key
app
right
by
the
way
qrino
automatically
handles
the
part
controllers
like
deployment
stick
for
set
and
others
by
converting
the
adding
the
additional
autogen
rules
to
the
policy.
B
So
let's
just
quickly
apply
the
policy.
Okay,
let
me
just
clean
up
the
previous
one,
because
I
don't
want
my
resource
be
blocked
by
any
of
the
previous
policies.
Okay,
after
that,
let's
apply
the
policy
to
the
cluster,
say:
overwrite,
failure,
action
and
then
once
I
have
it
ready.
B
Okay,
it's
ready
now,
so
I'm
going
to
create
two
parts,
one
in
the
default
namespace
and
another
in
the
prod
namespace,
both
without
the
label
app
and
the
expected
behavior
is
that
the
default
part
like
the
part
in
the
default
name.
Space
should
be
allowed
about
the
part
and
the
product
name.
Space
should
be
blocked.
B
Okay,
so
let's
say
kubrow
run
what
should
be
name.
I
use
test
failure,
action
and,
let's
run
nginx
image
in
the
default
namespace.
So,
apparently
you
can
see
it's
been
the
questions
been
allowed
and
if
I
try
to
schedule
it
to
the
product
name
space,
so
in
this
case
the
pod
creation
was
blocked
by
kubernetes.
C
So
a
couple
questions
that
came
up
here:
shifting
the
label
pattern.
Is
that
a
regex
and
can
you
explain
what
the
label
pattern
does.
B
So
yes,
indeed,
it's
a
regex
and
it's
just
trying
to
say
you
must
have
this
label
defined
on
your
incoming
pod
or
workload
and
the
question
marks.
I
recall
it
indicating
that
you
must
have
at
least
one
and
they
start
a
star
like
a
character
just
trying
to
match
any
of
the
patterns.
B
Right,
the
action
type
so
currently
we
support
creation,
update,
delete
and
connect
connect
is
something
like
when
you
exec
tries
to
exact
into
a
kubernetes
pod,
so
that
the
emission
request
is
sent
with
the
connect
type
of
operation.
So
that's
four
types
of
operations.
C
B
All
right,
okay,
I
guess
that's
all
the
demos
from
me
for
today.
Let
me
quickly
stop
sure
and
I'll
hand
off
to
chip.
He
will
talk
about
like
a
few
new
opera
jamie
as
pass
operators
and
the
updated
rental
policies.
C
Yeah,
thank
you.
Let
me
go
and
put
this
in
and
I
realized
I
hit
the
wrong
button.
But
one
thing
that
I'll
mention
that
reminded
me
from
shooting's
last
slide
that
may
not
be
fully
appreciated
is
the
when
she
showed
the
screenshot
here
of
the
validation
failure.
Action
overrides
you'll
notice
that
this
is
a
cube,
control,
explain,
command
and
everything
in
converto.
C
All
of
the
crds
are
open
api
v3
schemas,
which
means
that
you
can
do
and
explain
on
any
aspect
of
any
portion
of
a
caverno
policy
or
a
report,
and
it
should
tell
you
what
it
does,
what
it
means
and
how
to
configure
that,
and
that's
a
super
helpful
thing,
as
I'm
sure
you
all
know,
but
you
don't
have
to
necessarily
go
and
dig
them
through
the
documentation
or
go
look
at
pr's.
Just
cube
controller.
C
Explain
whatever
you
want
and
it'll
tell
you
how
to
go
about
writing
that
that
policy
object
and
shifting
and
folks
if
there
are
any
questions
as
I'm
going
through
this
either
just
stop
me
or
we'll
get
them
in
the
we'll
get
them
in
the
end.
C
So
I
want
to
keep
going
where
left
off
as
far
as
some
of
the
new
things
that
are
coming
out
in
1.6
and
also
show
some
demos
around
these
first
thing
is:
we've
got
several
new
operators
that
make
it
even
easier,
or
in
some
cases,
allow
some
new
policies
to
be
written
and
for
those
that
aren't
familiar,
operators
are
just
a
way
of
when
you're
building
an
expression
and
a
covernal
policy.
C
Rather
than
stating
you
know
what
the
pattern,
if
it's,
if
it's
a
simple
pattern,
that
works
well
in
a
lot
of
use
cases,
but
in
other
use
cases
you
need
to
be
more
expressive
around.
You
know
what
what
things
should
be
checked,
how
they
should
be
checked
and
what
set
they
should
be
checked.
And
so
these
operators
are
useful
in
preconditions
which
are
a
way
to
determine
whether
a
policy
is
actually
going
to
fire.
C
It's
it's
sort
of
an
intermediary
in
between
a
match
statement
and
the
actual
policy
body.
So
you
can
further
refine
with
precondition
based
on
these
operators
and
an
expression
that
you
build
whether
this
policy
should
actually
apply
to
an
incoming
object
and
also
in
validate
policies.
We
have
a
type
of
validate
that
is
a
deny.
So
a
validate
rule
is
just
saying.
C
So
I'm
looking
at
a
a
policy
here
that
uses
the
all
in
operator
and
so
in
our
validate
message
here,
we're
doing
a
a
for
each
and
just
looping
through
all
of
the
containers,
the
ephemeral
containers
and
the
indent
containers,
and
we
are
interested
in
knowing
if
any
of
these
two
values.
So
in
this
case
we're
looking
at
ad.
The
objective
here
is
to
drop
any
pod.
That
has
any
container.
C
C
We
can
do
that
and
we're
going
to
put
those
two
values
in
the
key
statement
and
we're
going
to
check
and
see
if
all
of
those
are
in
not
just
one,
not
the
other,
but
all
of
those
are
in
the
value
of
whatever
specified
for
the
add
statement
in
a
pod,
and
so
if
we
look
at
an
example
of
a
bad
pod
here,
I've
got
a
pod.
That
does
add
both
of
those.
In
addition,
it
adds
a
third
one
cis
shown,
but
it
also
adds
the
two
that
we
don't
want.
C
So
I
should
be
able
to
block
this
pod
I'll,
create
the
policy
make
sure
the
policy
is
ready
and
apply
bad
pod,
and
we
can
see,
as
expected,
the
all
not
in
operator
has
blocked
this,
because
it
sees
that
the
two
values
were
in
the
list
of
add
the
the
the
add
array
for
this
container.
So
it
blocked
that
and
by
comparison,
if
we
look
at
a
good
pod
that
has
one
of
the
ones
that
we
didn't
want,
but
both
of
them
and
the
operator
is
all
in.
C
So
we
should
be
able
to
apply
the
good
pod
and,
as
expected,
that's
allowed
so
all
not
in
pretty
straightforward.
All
these
operators
are
really
helpful
in
building
either
allow
lists
or
deny
lists,
depending
on
how
you
build
the
expression.
C
So
that's
all
not
in
and
taking
a
look
at
our
that's
all
in
and
then,
if
we
take
a
look
at
all,
not
in
it's
a
basically
an
inversion
of
that
statement,
where
we
can
check
and
ensure
that
we
deny
so
it's
a
similar
type
of
similar
type
of
expression.
But
we're
saying
deny
a
pod
if
these
two
in
this
case
capabilities
with
a
drop
statement,
are
not
in
what's
in
the
drop,
so
an
inverted
check
there.
C
And
I'll
apply
this
policy,
and
so
bad
pod
says
that
we've
got
systone
and
netbind
service,
but
the
policy
said
make
sure
that
these
two
all
of
these
are
not
in
that.
C
A
Yeah
and
there's
a
question
from
the
audience:
how
can
we
be
notified
whenever
an
audit
action
causes
the
plot
to
be
blocked,
and
is
there
an
alerting
system
like
the
one
in
communities
or
something
similar
from
a
mirror.
C
So
yes,
by
by
default
and
mentioned
this
a
minute
ago,
the
validation
failure
action
can
be
either
in
force
or
audit.
If
it's
an
enforced,
that
means
that
the
pod
is
going
to
be
blocked
or
whatever
the
resource
is,
is
going
to
be
blocked
immediately.
If
it's
in
enforcement
or
in
audit
mode,
it
will
be
allowed.
But
it
will.
Report
in
a
policy
report
object.
So
you
can
see
these
if
you
do,
for
example,
c
paul
r
is
the
alias
for
cluster
policy
report.
C
I
don't
have
anything
there
and
I
don't
have
anything
here,
but
there's
nothing
reported.
C
But
if
I
created
that
bad
pod
and
the
policy
was
in
audit
mode,
I
would
be
able
to
get
the
policy
report
for
this
namespace,
because
applause
and
namespace
resource
and
see
that
one
of
them
had
failed
the
validation
and
so
that's
a
way
for
you
or
if
you
wanted
to
decouple
that
functionality
and
say
you
know,
since
it's
just
another
custom
resource,
you
can
delegate
that
to
like
a
security
group
and
the
security
group
has
the
ability
to
read
those
policy
reports.
You
can
get
that
information.
C
We
also
do
have
prometheus
metrics
that
are
exposed,
and,
yes,
it
will
show
in
those
metrics-
and
I
don't
remember
what
the
exact
one
is
offhand,
but
it
will
show
the
a
number
of
resources
that
have
failed.
You
can
go
to
the
documentation
and,
if
there's
a,
if,
if
anybody
wants
to
post
the
link
to
that,
there's
a
whole
page
on
the
monitoring
with
prometheus
and
all
of
the
metrics
that
are
exposed
and
we've
also
got
a
really
cool
project.
That's
out
there.
It's
basically
a
front
end.
C
A
policy
reporter
front
end
that'll,
show
you
a
lot
of
these
things
that
are
going
on
in
a
nice
gui
that
doesn't
entail
you
having
to
roll
your
own.
If
you
want
to
install
that
it's
an
optional
component,
if
you
would
want
to
install
it
alongside
caverno
it'll,
give
you
a
nice
web-based
dashboard
where
you
can
go
in
and
take
a
look
and
see
you
know.
All
of
your
policies
and
what
your
what
your
audit
status
looks
like.
So
several
good
tools
there
to
help.
C
Cool,
so
I'm
going
to
skip
over
a
couple
of
of
these
just
in
the
interest
of
time,
but
so
talked
about
the
first
two
similar
type
story
with
the
other
two.
You
know
the
the
gist
of
these.
C
Is
it
we're
providing
much
more
granularity
for
you
to
be
able
to
select
exactly
what
it
is
that
you
want
when
you
build
an
expression
by
saying
either
these
things
can
any
of
these
things
can
be
in
or
all
of
these
things
can
be
in
and
vice
versa,
and
so
super
powerful
they'll
help
unlock
new
possibilities
of
either
writing
new
types
of
policies
or
making
existing
policies
better
and
then
the
last
two
things
here.
C
We
now
have
support
for
integer
ranges
and
also
some
of
the
existing
operators
like
greater
than
less
than
etc.
Now
support
duration
and
simver.
A
couple
of
these
things
aren't
exactly
in
1.6,
but
they
bear
they
bear
fleshing
out
or
or
mentioning
just
because
they're
super
powerful
so
and
looking
at
the
the
range,
I
guess
first
so
in
this
policy
we
want
to
be
able
to
check
that
a
host
port.
C
So
if
you
define
a
pod
and
it
has
a
host
for
it
in
it,
this
range
operator
is
a
simple
way
for
you
to
express
a
large
range
of
ports.
I
mean
it's
the
you
could
use
it
for
any
type
of
integer,
but
we've
got
five
thousand
to
six
thousand.
You
can
just
simply
write
five
thousand
dash,
which
is
the
range
operator
six
thousand
and
any
pod
that
fits
this
again.
This
is
a
james
path.
C
C
And
so,
if
we
apply
the
policy
that
just
had
a
minute
ago
which
saying
collect
all
of
the
containers,
including
ephemeral
and
init,
containers,
look
at
the
ports
and
look
at
the
host
parts
and
if
any
of
those
are
not
in
this
range,
deny
it
because
this
is
a
deny
rule.
So
we're
going
to
ask
basically
5000
to
6000
is
our
green
range.
Anything
that
falls
outside
of
that
is
bad,
so
block
it
and,
as
you
can
see,
our
bad
pod
here
specifies
host
port
53.
C
C
C
And
on
the
greater
than
so
just
quickly
on,
these
won't
go
and
show
demos,
but
on
the
the
duration
comparison
and
the
simber
comparison,
caverno
now
natively
understands
sim.
So
you
can
have
something
again.
Another
james
patch
pass
expression
which
is
going
into
a
pod,
because
that's
our
kind
gonna
go
look
at
the
label
game
version
and
going
to
get
the
value
of
it
and
we're
going
to
be
able
to
compare
that
using
the
greater
than
and-
and
it's
going
to
natively
understand
is
this
greater
than
1.4.0?
C
Well,
you
don't
have
to
write
any
complex.
You
know,
substitution
logic
or
or
scripting
logic
you
can
just
ask
hey.
Is
the
version
greater
than
one
four
o
if
it
is
block
it,
if
it's
not
allow
it
so
caverno
understands
that
in
the
value-
and
it
also
understands
duration.
C
So
in
this
case
the
the
use
case
for
this
one
might
be.
You
know
if
you
particularly
in
audit
mode,
if
you
want
to
be
able
to
be
informed
about
pods
that
maybe
have
run
out
there
for
over
a
week
or
a
month
or
something
and
the
images
are
you.
You
want
to
have
refreshed
over
time,
and
you
want
to
rebuild
those
pods.
C
You
can
have
a
label
or
whatever
the
the
key
is
that
expresses
time
and
caverno
with
the
with
those
operators
now
understands
time
so
12
hours,
it'll
understand
that
12
hours
is
greater
than
11
hours
and
you
can
express
it
in
minutes
as
well.
So
a
couple
new
capabilities
to
the
existing
operators,
in
addition
to
the
new
operators
that
make
it
make
it
possible
to
write
new
types
of
policies,
as
well
as
existing
policies,
be
much
smoother
and
even
consolidation
of
rules.
C
Because
that's
another
thing
that
you
know
you
want
to
be
able
to
express
your
intent
in
the
most
efficient
manner
possible
and
in
some
cases
in
the
past,
it
might
have
taken
several
rules
to
do
that.
Even
though
those
rules
have
been
expressed,
you
know
fairly
simply
and
that
you're
not
programming
what
the
rule
is
you're.
Just
simply
writing
your
intent,
but
now
you
can
collapse
those
into
one
rule:
oracle
rules.
C
Yes,
a
great
question:
we
should
have
a
section
on
the
website
that
kind
of
talks
about
what
the
organizational
strategies
that
that
may
be
useful
to
you,
but
in
general
you
know,
caverno
cluster
policy.
Well,
a
caverno
policy,
regardless
of
whether
it's
a
cluster
policy,
which
is
a
cluster
scoped
resource
or
a
policy
which
is
a
namespace
scoped
resource,
is
really
a
container.
C
The
thing
that
matters
are
the
rules,
and
so
we
see
in
some
cases
that
some
users
like
to
simply
write
cluster
policy
like
one
cluster
policy
that
has
all
of
the
validate
rules
and
maybe
another
cluster
policy
that
has
all
of
the
mutate
rules
or,
depending
on
you,
know
what
what
they're
trying
to
do?
C
Maybe
they're
a
bunch
of
they're,
a
bunch
of
rules
that
they
need
to
express
for
a
specific
type
of
resource
like,
for
example,
you
have
a
bunch
of
policy
that
you
want
to
wrap
around
pods,
but
then
you
have
another
set
of
policy
that
you
also
want
to
wrap
around
like
services,
for
example,
where
you
could
create
two
cluster
policies
and
have
your
pod
policies.
C
One
your
service
policies
in
another
and
a
combination
of
that,
if
you
wanted
to,
and
also
the
same
type
of
thing
when
it
comes
to
a
name
space,
so
you
can
have
a
set
of
cluster
policies
and
also,
if
you're,
delegating
especially
multi
multi-tenant
environments,
where
you
are
going
to
delegate
some
of
these.
Some
of
these
functions
to
your
namespace
administrators
or,
however
you.
However,
you
you.
You
call
that
you
probably
want
them
to
be
able
to
set
some
policies,
but
they
need
to
have
the
ability
to
find
those.
C
Well,
you
can
define
yours
in
cluster
policy.
They
can
define
theirs
and
a
policy
that
you
don't
collide
because
one
policy
can't
override
another.
They
just
simply
extend
whatever
the
conditions
are,
so
so
there's
a
lot
of
ways
to
go
about
doing
it,
but
at
the
end
of
the
day,
caverno
aims
to
be
flexible
and
also
simple
with
that
flexibility.
To
give
you
whatever
the
control
that
you
need
for
your
environment
and
for
your
your
customers,
your
users,
you
should
be
able
to
do
that.
A
C
So
a
generate
rule
is
a
specific
type
of
rule
in
caverno
and
it's
a
different
type
from
a
validate
policy.
So
a
validate
rule
says
it's
like
basically,
a
yes
or
no
answer
like
here
comes
a
resource.
We
want
to
take
a
look
at
it.
Is
it
allowed
yes
or
no?
That's
a
validate
rule.
A
generate
rule
is
here,
comes
a
resource
based
on
that
the
criteria,
that's
in
the
rule,
what
other
resource
should
we
create
in
response
to
that?
C
So
there
are
two
separate
rule
types
they
have
to
be
expressed
separately,
but
that
that's,
the
purpose
of
a
generate
rule
is
to
generate
a
new
resource,
but
it
still
has
to
match
the
criteria
and
rule.
So
if
the
criteria
isn't
met,
it
doesn't
deny
the
resource.
It
just
says
all
right.
The
pattern
isn't
what
I'm
looking
for
to
create
that
resource.
C
So
I'm
not
going
to
do
anything
perfect
and
okay,
so
we're
a
little
behind
here,
so
I'm
probably
going
to
have
to
skip
over
these,
because
we
want
to
leave
some
more
time
for
q
and
a
so.
We
talked
about
james
path
and
what
james
path
is
just
a
quick
recap
on
that.
It's
a
powerful
json,
query
language
if
you're
familiar
with
jq
jq's
filtering
application.
C
James
path
is
similar
to
that,
but
it
has
a
lot
more
things
that
are
called
filters
that
are
built
into
it
and
in
this
release,
we've
added
a
whole
bunch
more,
and
so
I
did
want
to
show
some
of
these
that
were
highlighted
here,
but
since
we're
getting
lower
on
time.
I'll
just
mention
that
you
know,
in
addition
to
the
existing
filters,
and
you
can
go
to
the
james
path
website
and
see
all
the
ones
that
they
have
there,
which
are
super
helpful.
C
We've
also
created
a
whole
bunch
of
new
ones
which
allow
you
to
do
common
operations
like
being
able
to
divide
and
have
caverno
understand
what
you
know
what
the
resources
are
in
kubernetes
terms.
That's
one
of
the
great
things
about
converto
is
since
it
doesn't
need
it
doesn't
require
your
program.
We
try
and
build
in
as
much
of
the
logic
as
possible,
so
you
can
divide
one
resource
like
100,
midi
bytes
by
another
resource
50.
Maybe
bytes
and
caverno
just
does
the
math
behind
the
scenes
and
also
the
unit
conversion.
C
So
that's
similar
with
all
of
these
others.
Time
sense.
The
ability
to
look
at
you
know
a
time
stamp
and
an
object
and
compare
that
to
now
or
something
else
and
make
decisions
on
that
without
you
having
to
write
a
bunch
of
logic,
we've
already
done
that
path,
canonicalize,
the
ability
for
you
to
look
at
a
path,
that's
specified
in
like
a
host
path
and
have
that
normalized.
So
there's
just
like
one
forward
slash
in
between
each
path.
C
Separation,
so
don't
have
the
time
to
go
into
these
but
urge
you
to
go
and
look
at
when
it
becomes
available.
The
documentation
try
these
out,
but
these
are
all
new
james
path,
filters
that
are
coming
in
caprero,
one
six
that
are
not
found
in
the
upstream
james
path,
library
also
for
each
enhancement.
C
So
I'm
just
going
to
talk
to
these
real
quick,
because
we're
running
out
of
time
for
each
is
an
ability
in
caverno
that
we
have
to
allow
you
to
loop
over
objects
that
are
in
an
array
and
one
of
the
things
that
is
coming
in
one
six
is
the
ability
to
use
json
6902
patches
to
be
able
to
to
loop
through
objects
in
a
for
loop
and
do
things
like
remove
so
strategic
merge
gives
you
the
ability
to
do
like
a
customized
style
patch,
but
with
json
style
patches.
C
C
Also
context
loops
shifting
showed
this
a
little
bit
in
some
of
her
sample
policies,
but
but
context
can
now
be
provided
inside
of
a
loop.
So
the
the
use
case
that
she
showed
was
looking
at
variables
from
an
image
from
an
upstream
oci
register.
You
want
to
look
at
metadata
on
an
image
you
can
put
that
as
a
context
inside
of
the
loop
and
just
iterate
over
those
things,
policies
and
the
the
popularity
sample
policy.
C
So
for
those
that
didn't
know,
caverno
has
over
100
sample
policies
that
you
can
download
and
use
right
now
and
they're
of
all
sorts
of
resources
of
all
sorts
of
across
all
of
the
covert
rule
types,
and
many
of
them
are
even
outside
of
the
kubernetes
core
resource
type.
So
we've
got
some
there
from
traffic.
Some
from.
C
I
think
we've
got
some
from
valero,
some
from
cert
manager,
so
there's
over
a
hundred
of
policies
that
are
out
there,
that
you
can
either
download
and
use
right
now
or
at
the
very
least
they're
great
for
teaching
and
and
giving
you
some
concrete
examples
of
how
to
to
build
the
policy
that
you
want.
C
And
if
you
don't
find
the
one
that
you're
looking
for,
you
can
probably
easily
customize
one
that's
there,
and
if
all
of
that
fails,
you
can
open
up
either
a
request
or
or
come
to
our
slack
channel
and
tell
us
about
what
you're
trying
to
solve
and
we'd
be
interested
to
figure
out
how
to
do
that.
But
there
are,
there
are
even
more
coming
in
1.6
with
over
20.
and
then.
C
Lastly,
on
this,
the
kubernetes
pod
secure
standards.
This
is
a
a
a
a
a
set
of
standards
that
that
that
explain
what
types
of
controls
should
be
in
an
environment.
Caverno
has
built
these
quite
a
while
ago,
but
we've
now
refreshed
these
with
the
capabilities
that
are
in
one's
1.6
and
also
that
align
with
what
the
pss
is
upstream,
so
18
or
19
new
policies
over
a
thousand
test
resources
for
just
these
pod
security
standard
policies.
C
C
They
also
cover
the
ephemeral
containers,
which
is
now
turned
on
by
default
in
1.23,
and
also
one
last
note
to
mention
that
for
those
of
you
that
have
worked
with
caverno
policies,
specifically
validate
policies,
if
you
have
a
deny
rule
the
auto
gen
controller,
the
nice
capability
in
caverno
that
allows
us
to
take
the
rule
that
you
write
pod
and
have
that
automatically
translated
for
other
pod
level
controllers,
like
deployments
staple
sets
cron
jobs.
Well.
That
now
works
for
the
denial
rules
as
well.
C
So
that's
another
example
of
of
us
doing
more
of
the
work
on
your
behalf
and
you
being
able
to
simplify
your
rules
to
just
get
what
you
want
automatically
so
just
to
just
to
quickly
wrap
up
here.
The
really
the
summary
of
this
release
is
adding
more
features
that
solve
more
use
cases
through
policy,
but
you
know
caverno's
model
motto
is
we
want
to
do
things
easy?
C
There's
no
programming
required
anywhere,
it's
very
quick
to
get
up
and
running
and,
as
time
goes
on,
we
try
and
look
at
use
cases
solve
more
of
those
problems
and
build
more
capabilities
into
caverno
that
allow
you
to
do
more
stuff
in
less
amount
of
time,
but
also
the
other
two
themes
of
this
release
are
less
resource
usage.
You
know
we
know,
clusters
are
becoming
larger,
more
people
are
using
it
there's
more
stuff
being
thrown
at
them.
So
we
want
to
reduce
the
resource
usage
to
make
it
make.
A
C
Make
it
less
memory
intensive
and
also
more
robust
for
your
production
use
cases
should
be
able
to
trust
this.
This
is
a
an
element
of
security,
so
we're
trying
to
put
a
lot
of
work
into
figuring
out
how
we
can
make
it
more
resilient,
how
we
can
make
it
more
robust.
In
the
case
of
you,
know
these
types
of
failures
and
other
events
occur,
and
so
there's
a
lot
of
work.
That's
that's
been
put
through
in
that
regard,
so
so
yeah.
C
That's
that's
really
the
summary
of
what
we
have
for
you
and
if
there's
any
time
left
be
glad
to
take
some
q
a
here.
A
Yeah
we
have
about
one
minute,
but
we
can.
We
can
run
through
a
quick
question
or
so
so
essentially,
this
is
the
last
call
for
questions
from
the
audience.
A
So
if
you
have
anything,
just
ask
now
quickly
and
we
forget
to
it-
and
there
was
one
question
that
got
answered
with
a
quick
note,
but
just
if
you
want
to
explore
it
further,
there
was
a
question
from
amir.
Our
generated
resources
also
validated.
B
Okay,
just
yeah,
it's
just
a
mute
yeah.
You
can
verify
the
kirino
generated
resource
by
adding
another
validate
policy
to
your
cluster
and
there
you
can
select
on
that
specific
resource
using
the
the
label,
because
kiran
will
add
labels
to
its
generated
resource
and
use
that
to
validate
whatever
configurations
you
want.
A
Perfect
now
we
are
not
getting
questions,
but
we
are
getting
compliments,
so
great
job,
beautiful
video,
beautiful
priorities
for
the
team,
so
a
great
job
I
have
from
everyone
today.
So
if
there
isn't
any
last
questions-
and
we
are
perfectly
on
time
here
as
well-
we
did
answer
a
lot
of
q,
a
throughout
the
webinar
as
well.
So
there
was
a
lot
of
great
interaction.
Thank
you
so
much
everyone
for
that,
but
yeah.
Let's
start
wrapping
things
up.
So
thanks
everyone
for
joining
the
latest
episode
of
cloud
native
live.
C
A
To
see
that,
thank
you
so
much
for
all
of
the
great
questions
and
as
always,
we
bring
you
latest
cloud
native
code
every
wednesday,
so
you
can
tune
in
every
week
going
further
as
well,
and
we
have
a
great
session
next
week
in
store
as
well.
So
thank
you
for
joining
us
today
and
I'll
see
you
next
time.