►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Welcome
to
Cloud
native
live
where
we
dive
into
the
code
behind
Cloud
native
I'm
your
host.
Today,
my
name
is
Whitney
Lee
I'm,
a
cncf
Ambassador
and
I'm
a
developer
Advocate
at
VMware
ton
Zoo.
Every
week
we
bring
you
new
presenters
to
Showcase
how
to
work
with
Cloud
native
Technologies.
We
will
build
things.
We
will
break
things
and
we'll
answer
your
questions.
Today
we
have
ratesh
Patel
and
Dallas
Sharma
here
with
us
to
talk
about
policy-based
governance
for
internal
developer
platforms.
I'm
so
excited
for
this
one.
A
So
as
usual,
this
is
an
official
live
stream
of
the
cncf
and
as
such
it
is
subject
to
the
cncf
code
of
conduct.
So
please
don't
add
anything
to
the
chat
that
would
be
in
violation
of
the
code
of
conduct
basically
be
respectful,
be
kind
of
your
fellow
chat
members
and
from
and
to
us
the
presenters
too.
Please
so
friends
who
are
joining
us
live.
Please
do
use
the
chat,
it's
so
much
fun
to
interact
with
y'all.
A
Even
now,
please
chime
in
tell
us
where
you're
tuning
in
from
I
I
enjoy
how
much
how
Global
the
community
is
here
and
as
always,
if
you
have
questions
during
the
presentation
as
we
go,
please
put
those
in
the
chat
too,
and
we're
actually
going
to
try
to
have
an
interactive
chat
this
time
and
answer
your
questions
as
we
go.
So
with
that
I'm
going
to
hand
it
over
to
ritesh
Patel
to
kick
off
today's
presentation.
Welcome
ritesh.
B
Thanks
Whitney
super
excited
to
be
here.
You
know
I'm
ritesh,
Patel
I
am
a
co-founder
at
nirmata.
Nimada
is
a
company
behind
kivano,
a
cncf
incubating
project,
and
you
know
we're
super
excited
to
kind
of
share.
Some
of
the
you
know,
use
cases
and
other
things
we
are
seeing
in
the
community.
So
before
we
get
started,
I
just
like
dollars
to
quickly
introduce
ourselves
and
then
we
can
get
going.
C
B
So,
let's,
let's
get
started
right,
so
I'm
gonna
quickly
share
some.
You
know,
slides
just
to
set
the
context
and
then
we'll
we'll
jump
into
some
demos.
You
know
Dallas
will
demonstrate
some
other
scenarios
and
use
cases
that
we
see
and
how
you
know
the
community
members
users
of
kimono
are
enabling
security
and
governance
for
internal
developer
platforms.
B
So
just
to
you
know,
set
the
stage
as
as,
as
you
know,
what
we're
seeing
today
is
is
a
move
towards
internal
developer
platforms
right
so
like
a
few
years
ago,
you
know
different
teams
where
you
have
you
know
using
CI
CD
tools
like
Jenkins
to
you
know,
build
their
code
and
then
you
know
deploy
it
to
you
know
Cloud
infrastructure.
Now
what's
happened
in
the
last.
You
know
a
few
years
with
the
emergence
of
kubernetes.
B
As
that
you
know
core
orchestration
layer
for
container
containerized
applications
large
mid
to
large
Enterprises
have
started
building
internal
developer
platforms,
essentially
created
platform
platform,
engineering
teams
that
can
deliver
these
platforms
and
that
enables
several
application
and
product
teams
right.
So
that's
kind
of
the
the
the
the
emergence
of
you
know
the
developer
platforms
that
we
are
are
seeing
today
in
the
cloud
native
space.
B
Now,
if
we
start,
you
know
double
clicking
and
into
this
platform
and
seeing
what
these
platforms
you
know
consist
of,
you
can
actually
map
a
lot
of
these
components
that
are,
you
know,
required
or
or
essential
to
operate
and
and
manage
these
platforms
to
deliver
that
that
capability,
that
these
teams
need
right.
So
you
know,
obviously
the
foundational
layer
tends
to
be.
You
know
an
orchestration
engine
which
is
in
most
cases
kubernetes
and
then
there
are
different
aspects.
B
Different
areas
like
observability
security
policy
and
governance
for
for
across
all
of
these
different
applications.
Now
git
Ops
is
an
area
which
is
increasingly
becoming
popular,
for
you
know
deploying
applications
to
kubernetes.
There
are
projects
like
Argo,
CD
and
flux
that
are,
you
know,
super
high
popular
amongst
you
know
git
Ops
adopters,
and
then
you
know
there's
projects
like
backstage
with
service
catalog
right.
B
So
this
is,
you
know,
not
necessarily
meant
to
be
a
comprehensive
list,
but
just
a
kind
of
an
idea
of
what
a
typical
you
know,
internal.
That
platform
consists
of.
A
lot
of
these
components
are
replaceable.
There
are,
you
know
in
several
areas
there
are
multiple
projects
that
can
that
can
address
those
those
requirements,
but
today
we'll
focus
on
an
open
source.
B
You
know
policy
engine
called
caverno,
which
is
a
project
that
is
part
of
nirmada
right,
but
before
we
get
there,
as
you
start
thinking
about
platforms,
you
know
what
what
does
it
mean
in
term
for
as
far
as
governance
is
concerned,
we
start
talking
about
governance
and,
and
these
platforms
are
typically
used
by
you
know.
Several
teams
with
you
know
different
types
of
applications
and
then
that
that
results
in
various
challenges
right.
So
how
do
you
ensure
you
know
compliance
across
these
various
teams?
B
How
do
you
prevent
misconfigurations
and
reduce
that
you
know
back
and
forth
between
the
operations
team,
the
security
team,
the
developing
development
team,
and
then
you
know
you
always
want
to
maintain
a
a
clean
security
posture
for
your
platform
right.
So
that's
where
you
know
having
you
know,
tools
for
your
for
governance
and
security
comes
in
that
it
allows
you
to
kind
of
reduce
that
reduce
risk
in
terms
of
failures.
In
terms
of
you
know,
security
misconfigurations
also
provides
a
consistent
development
environment
to
various
teams.
B
So
that
way,
they're
not
dealing
with
you
know
kind
of
disparate.
You
know
tools
and
Technologies
right.
So
that's
kind
of
where
you
know
the
governance
layer
comes
in
and
kivarno
is
an
open
source
policy
engine.
A
part
of
cncf
is
a
cncf
incubating
project.
This
was
a
project
that
we
from
nirmata.
You
know
donated
to
cncf
about
three
years
ago
and
since
then
it
has
seen
tremendous
adoption
right.
So
you
know
with
you,
can
see
some
of
the
numbers
on
the
on
the
bottom
right.
B
You
know
lots
of
lots
of
you
know
image
pulls
you
know,
increasing
GitHub,
stars
and
and
active.
You
know
contributors
and
slack
members
I
think
the
slack
members
are.
You
know
over
2000
at
this
point.
This
is
very
active
community
and
the
the
idea
behind
kevarno
is
you
know
for
kubernetes.
Given
it's
you
know.
You
know
the
declarative.
B
Vein,
which
applications
are
deployed,
it
required
something
that
is
kubernetes
native
right
so
and
you
see
that
across
the
board,
with
some
of
the
projects
I
listed
before
like
cross
plane,
Argo
CD,
all
of
these
are
kubernetes
native.
Not
you
know,
projects
that
were
retrofitted
or
or
or
or
you
know
you
know-
kind
of
adopted
or
adapted
to
kubernetes
right.
So
kivano
is
a
kubernetes
NATO
policy
engine.
It
enables
policy
as
code
where
policies
are
written
in
kubernetes,
Native
yaml.
B
What
it
allows
you
know,
users
to
do
is
you
know,
shift
security
left.
You
know,
detect
issues
early,
maybe
in
your
CI
CD
Pipeline
and
even
prevent
you
know,
misconfigurations
or
or
insecure
configurations
from
entering
your
clusters
right
through
admission
control,
so
which
is
very
important
to
maintain
that
security
posture
of
your
platform,
and
it
also
has
the
ability
to
do
background
scanning.
Obviously
kubernetes
environment
continues
to
it
is
very
Dynamic.
B
Even
you
know,
overall
there's
always
new
issues.
New
new,
you
know
challenges
emerging
so
scanning
background
scanning
is
very
important
and
one
thing
that
kevano
does,
which
is
quite
unique,
is
it
goes
beyond
just
you
know,
validation
right.
It
has
capabilities
to
mutate,
which
is
modify.
You
know
incoming
configuration
or
even
existing
configuration
in
kubernetes.
It
can
generate
resources,
it
can,
you
know,
verify
images,
ensuring
images
are
signed
and
attested
and
so
on,
and
then
it
can
even
clean
up
resources.
B
So
this
a
lot
of
capabilities
around
security,
Automation
and
and
even
automating,
some
of
the
security
aspects,
which
makes
it
very
flexible
and
an
ideal
choice,
for
you
know
for
internal
developer
platforms
right
as
you
as
you
try
to
bring
together
all
of
these
cncf
components.
B
So
with
that,
if,
unless
there
are
any
questions
we
can
jump
into
the
demo.
A
That's
great
I
love
an
internal
developer
platform,
I
really
liked,
like
maybe
the
second
slide
you
put
up
that
showed
the
whole
stack
because
it
really
shows
I
think
the
idea
behind
an
internal
developer
platform
is
like
before
every
single
product
Team,
every
single
app
team
had
to
deal
with
all
of
these
components
on
their
own,
and
so
now
those
are
being
outsourced
to
a
a
platform
team
and
then
the
developers
can
focus
on
the
more
value,
driven
tasks.
So
I
think
that's
super
cool
and
we
do
have
a
question.
A
Well,
we
have
two
questions:
one's
just
a
logistical
one,
but
we'll
get
to
it.
Let's
talk
is
this
session
available
offline?
So
this
is
streaming
right
now
to
LinkedIn
and
YouTube.
So
if
you
find
the
YouTube
link
when
it's
over
at
YouTube
I
Believe
has
a
feature
where
you
can
download
videos
and
then
you
can
have
it
offline
and
then
our
other
question
is
for
both
of
you.
How
does
kyverno
compare
to
open
policy
agents,
which
is
another
cncf
policy
tool.
B
Yeah
absolutely
I
think
the
the
great
question.
This
is
a
question.
You
know
we
get
every
time,
and
this
is
not
something
we
can
go
deep
into
into
it
today.
But
few
differences
in
terms
of
you
know
between
kevano
and
open
policy
agent
and
again,
both
of
them
have
their
strengths
and
weaknesses.
One
of
the
biggest
things
that
biggest
difference
is
to
kind
of
understand.
B
When
we
talk
about
kevano
and
I'll,
just
you
know,
use
the
use
the
slide
on
kevarna
to
kind
of
highlight
it
is
kubernetes
native
right,
whereas
Opa
open
policy
agent
was
conceived
as
a
general
purpose
policy
engine
it
predated
kubernetes.
So
with
kivardo.
What
you
get
is
kibano
understands
a
lot
of
kubernetes
constructs
like
labels
annotations,
you
know,
pods
being
part
of
the
different
controllers
like
deployments
stateful
sets
and
which
makes
policy
writing
very,
very
easy.
B
Now,
when
you're
writing
policies
for
kiverno
the
other
other
main
difference,
and
the
other
reason
why
kevano
is
so
widely
adopted.
Is
you
don't
need
to
be
a
Rego
expert
to
write
policies
now
with
oppa?
You
know
you
need
to
learn
a
language
called
Rego
to
write
policies.
There's
obviously
pros
and
cons
the
benefit
of
using
a
language
like
Rego,
it's
very,
very
powerful,
but
a
lot
of
times
it
could.
B
It
could
get
complex
and
it
has
some
has
a
learning
curve
with
kevano
policies
are
kubernetes
native
yaml,
so
basically
policies
themselves,
you
know,
can
be
stored
in
kubernetes.
Can
we
you
could
use
any
kubernetes
tools,
githubs
tools
or
customize
or
any
of
those
tools
to
manipulate
or
manage
these
policies.
So
from
that
perspective
the
learning
curve
is
really
short
and
you
know
it
and
that's
one
of
the
reasons
why
camera
is
so
widely
adopted.
B
Apart
from
that,
some
of
the
capabilities
there
are
differences,
I
mean
things
like
mutate,
generate
verify
image
just
clean
up
again.
Some
of
these
I
believe
mutate
is
available
in
oppa,
but
generate
and
other
capabilities
may
not
be
directly
and
available.
I
mean
they
can
be
added
and
created,
but
that's
kind
of
just
a
few
differences
that
we,
you
know
we
have
and
I'll
share
a
Blog
link.
You
know
in
in
the
chat
to
kind
of
you
know
that
goes
deeper
into
these
differences.
C
Okay,
so
yeah
suggested
that
we
can
have
internal
platform
where
you
can
use
multiple
tools
to
actually
build
your
own
internet
platform,
and
this
can
be
a
pretty
well
a
pretty
good
transaction
between
a
platform
team
and
a
developer
team,
where
you
have
your
own
internal
developer
platform,
mixing
different
kind
of
tools,
and
now
you
have
built
a
platform
which
can
be
like
a
transaction
between
two
teams
right.
C
So
this
can
be
a
combination
of
different
tools
if
something
works
for
someone
and
something
doesn't
work
for
someone
right
so,
but
today
we're
going
to
talk
about
something
similar
using
cross
plane
and
kiberto.
Ritesh
has
already
introduced
what
Pro,
what
qrno
does
so
I'll
I'll
take
a
moment
and
talk
about
what
cross
pane
is
so
Cross
Pin,
basically,
is
an
IAC
tool
which
helps
you
to
deploy
all
your
infrastructure
in
your
Cloud
using
Code.
C
So
basically,
you
don't
have
to
go
through
the
complexity
of
deploying
your
infrastructure,
using
UI
or
navigating
through
UI
or
trying
to
understand
where
to
click,
how
to
click
right.
So
you
can
just
have
the
entire
info
structure
as
a
yaml.
That's
that's
what
the
good
thing
is
about.
Iac
is
you
can
actually
codify
your
infrastructure
and
you
get
all
the
good
advantage
of
codifying
something
or
using
yamls
right
now.
You
can
store
it
in
GitHub.
You
can
audit
it.
C
You
can
enable
version
controlling
from
them,
so
you
can
use
it
when
you
want
to
troubleshoot
or
even
roll
back
for
that
matter
and
think
of
it.
The
situation
where,
if
you
want
to
destruct
it
from
destroy
it
from
some
region
and
just
bring
it
up
in
different
region,
it's
just
a
matter
of
applying
those
yammals
right.
So
it's
pretty
cleaner,
good
way
of
doing
things.
C
It's
it's
a
convenient
and
a
smart
way
of
doing
things
rather
than
just
clicking
10
different
on
10,
different
buttons
or
maybe
just
navigating
to
different
providers
right
like
as
or
maybe
AWS
trying
to
figure
out
where
to
click
in
the
first
place.
I
go
through
that
a
lot
of
times,
I'm
AWS
fan.
So
when
I,
when
I
go
when
I
went
to
Asia
I
was
like
okay,
a
new
Cloud
right,
so
I
think
those
challenges
are
something
that
cross
in
health.
You
don't
have
to
learn
new
Cloud
providers
all
the
time.
C
So
this
is
a
standard
example.
Where
you
know
there's
there
can
be
a
different
kind
of
tools
you
can
build
and
then
there's
a
workflow
but
I'll
I'll
I'll
show
you
what
does
the
internet
development
platform
we
are
talking
about
today,
so
I'm
going
to
demo
what
self-service
cluster
success
service
model
looks
like,
so
you
can
provide
self-service
cluster.
You
can
provide
self-service
name
spaces.
I'll
talk
more
about
it,
but
taking
a
step
back
and
trying
to
understand
how
does
it
work?
C
So
in
this
diagram
you
have
you're
seeing
that
a
developer
will
have
a
simple
yaml
file.
Now
this
yaml
file
will
be
like
a
cross
plain
Apple
file
which
will
have
the
bucket
will
have
the
instance
are
as
complicated
as
an
eks
cluster
right.
So
they
can
just
use
this
simple
yaml
and
they
can
just
like
the
deploy
a
deployment
today
or
a
part.
They
can
apply
that
in
their
kubernetes
cluster.
Now
the
moment
that
happens,
crosswind
gets
triggered
and
Cross
Pin.
C
C
The
things
that
we
need
to
set
up
over
here
is
Crossland,
so
the
platform
team
for
for
ones
will
set
up
everything
that
will
be
required
to
trigger
cross
plane
all
the
providers,
all
the
compositions,
all
the
definition
files,
which
is
like
a
one-time
activity.
Once
all
of
that
is
set,
then
the
developers
can
actually
use
yaml
and
just
apply
those
after
one
after
one
at
a
time
and
then
deploy
all
the
resources.
C
So
yeah
I
think
enough
of
the
slides,
I'm
gonna
go
back
to
the
terminal.
I
think
we
all
love
terminals
so
yeah.
So
let's
talk
about
what
does
that
yaml
look
like
because
I
was
talking
about
or
I
was
saying
that
you
know
you
take
this
yaml
you
deploy
this
and
push
that's
done,
but
what
does
that
Yaman?
Look
like?
How
does
that
configurations
looks
like
so?
C
This
is
a
simple
bucket.yaml
and
just
let
me
know
if
you
want
me
to
increase
the
found
or
if
you
don't
see
that
like,
if
you
want
to
increase
it
decrease,
it
just
feel
free
to
interrupt
me
or
let
me
know
when
I
can
do
that
so
going
back.
This
is
a
simple
bucket
yaml
in
Cross
plain
now,
you'll
see
this
is
a
simple
yaml
file,
just
like
a
deployment
or
pod
reading.
It
writing
this
updating.
C
It
is
pretty
simple
for
the
developers,
so
they
can
add
the
resources
they
can
add
their
bucket
name
over
here.
They
can
add
the
provider,
so
today
I'm
doing
using
AWS
provider,
but
you
can
use
Azure
gcp,
you
can
add
location,
you
can
add
your
encryption,
you
can
add
you
can
you
can
decide
to
make
it
private
public
and
all
the
configurations
that
you
do
today
to
create
an
S3
bucket?
A
C
So
yeah
I
think
this
is
the
yaml
and
that's
how
it
looks
like
now.
Let's
deploy
this
yaml
and
see,
what
does
the
workflow
look
like
right?
So
this
is
my
terminal
over
here.
Oh
one,.
A
Thing
I'd
love
to
say
is
that,
like
with
cross
plane,
you
have
a
simplified
yaml
that
you
can
show
your
developers
so
that
they
only
see
the
knobs
that
they
they
need
to
know
about,
and
they
need
to
turn.
But
it's
backed
by
like
your
Ops
people,
can
can
add
a
lot
of
extra
information
in
in
the
another
type
of
emo
and
cross
plane
called
composite
definition
right.
A
C
Gonna
just
start
with
an
SD
bucket
and
then
I
have
composition
as
well.
So
we
are
gonna
like
dig
deeper
into
the
complicated
resources
as
well
love
it.
So
yeah
I
think
you
can
deploy
this
using
Cube
CTL
apply
and
simply
you
can
just
use
the
same
command
that
you
use
today
for
your
to
get
the
Pod
and
if,
like
you,
have
some
kind
of
issues
or
if
you
want
to
troubleshoot
it,
you
can
use
the
same
cube
cutter
Command
right.
So
you
don't
have
to
understand.
C
Like
cloud
trail,
Cloud
watch
10
different
logging
functionality.
Everything
is
something
that
you
can
do
using
view
cuddle
itself.
So
it's
kubernetes
native,
it's
pretty
simple
and
easier.
Now,
once
this
bucket
is
is
deployed,
you
will
see
that
it
you'll
see
over
here.
You'll
see
the
name.
It
takes
some
time
to
get
ready.
Sometimes,
and
all
the
details
will
be
seen
over
here.
So
yeah
I
think
this
was
that
simple
to
deploy
one.
B
Thing
dollars
just
to
interrupt
and
I
want
to
quickly
add
one
thing:
I
think
you
know.
Obviously,
just
like
we
had
a
question
about
Kevin
versus
oppa,
there's
going
to
be
questions
about
crosswind
versus
terraform
and
again
the
similar
answer,
like
you
know,
kubernetes
native
versus
non-kubernetes
native.
So
that's
one
aspect
of
it,
but
the
other
aspect
is
also
the
State
Management.
B
The
state
aspect
right
so
like
Dallas
mentioned
over
here
there
are
controllers
in
the
background
that
will
continue
to
check
the
state
of
that
resource,
in
this
case
the
S3
bucket
and
let
you
know
if
that
was
created
right
and
oftentimes,
it's
nev,
it's
not
fire
and
forget
when
you're
dealing
with
infrastructure.
It's
actually
you
want
to
know
if
something
you
triggered
actually
happened,
and
and
and
and
has
the
right
configuration
and
settings
and
so
on
right
and
cross
plane.
B
C
And
to
add
to
that
I
think
in
terraform
you
have
to
actually
manage
the
state
file.
So
that's
something
that
you
don't
have
to
do
in
Cross,
plane
and
otherwise.
Crosman
provides
you
automatic
reconciliation,
so
you
don't
have
to
take
the
car,
take
the
state
files
and
just
reconcile
it
again
and
again
crosswind
using
kubernetes
apis
as
that
automatically
for
you
right.
C
So
these
are
some
of
the
advantage
when
you
want
to
go
kubernetes
native
and
use
kubernetes
native
tool,
you
get
get
that
pretty
handy
right,
so
yeah
I
think
all
of
this
looks
pretty
fascinating
cool
on
papers,
but
we
have
seen
for
our
customers
that
there
are
some
challenges
that
they
see
when
they
are
using
just
crosswind
to
provision
their
infrastructure
right
and
if
we
talk
about
what
are
these
challenges,
these
challenges
can
be
that
today
we
know
that
every
cloud
out
there
has
some
kind
of
best
practices.
C
For
example,
one
simple
best
practices
SD
bucket
should
not
be
public
right
or
your
Security
Group
should
not
have
allow
all
inbound
rules
or
we
we
have
one
best
practice
in
nirmata
itself
that
all
your
resources
should
be
in
just
north
California
region.
It
becomes
much
simpler
to
actually
optimize
your
cost,
manage
it
clean
up,
industrial
resources,
I
know,
and
and
just
one
day
you
don't
have
to
figure
out
that.
Oh
who
created
that
instance
in
North
Virginia
who's
that
guy
you
don't
have
to
go
through
all
of
that
right.
C
So
all
those
struggles
to
just
avoid
all
those
struggles.
Every
customer
out
there
have
some
kind
of
best
practices
that
they
want
to.
They
want
to
make
sure
that
that's
been
Incorporated,
and
then
they
have
some
security
and
compliances
for
all
their
Cloud
providers.
So
so
how
do
they
make
sure
that
you
know
you
provide
you
enable
cost
developers
using
the
cell
service
model,
but
platform
team
actually
have
some
control
and
they
are
actually
checkboxing
all
those
security
lists.
C
So
that's
where
actually
kiberno
comes
very
handy,
so
using
kivana
policies
you
can
actually
make
sure
that
the
configurations
are
compliant
with
your
Cloud
governance.
So
all
those
security
boxes
are
checked.
All
the
governance
are
in
place.
All
your
best
practices
are
being
followed,
while
you're
still
allowing
developers
to
just
to
create
these
all
resources
in
a
self-style
fashion
right.
So
how
does
that
look
like?
So?
C
This
is
one
simple
keyword,
no
validate
policy
that
I've
that
that
I'm
I'm
sharing
on
my
screen
and
this
policy
basically
validates
that
no
SC
bucket
should
be
public
right.
So
what
it's
doing
is
it's
a
simple
cluster
policy?
It's
a
validate
policy.
There
are
a
bunch
of
annotations
and,
as
ritesh
was
saying
right
that
this
is
kubernetes
native
and
you
don't
have
to
learn
language.
That's
what
it
looks
like
now.
It's
simple
yaml,
so
you
can
create
you
can
update.
You
can
play
around
with
it.
You
can
develop
new
policies
right.
C
Is
this
a
whole
lot
of
possibilities
and
customization?
You
can
do
when
you
don't
have
to
learn
a
language
or
it's
very
similar
to
create
policies
so
yeah?
These
are
some
of
the
rules
that
in
the
policy
you
can
see,
this
is
getting
applied
to
a
bucket
API,
and
there
is
a
validate
message
saying
that
this
this
public
SD
buckets
have
been
blocked,
and
this
is
what
it
is
checking
right.
So
it's
checking
that
public
ACL
should
be
true,
so
there's
a
parameter.
A
C
And
this
is
one
more
like
region
policy
and
if
you'll
see
that
this
is
again
pretty
simple,
it's
it's.
You
have
a
lot
of
messages
and
annotations
that
can
help
you
navigate
what
this
policy
is
doing.
So
it
tells
you
that
using
any
other
location
other
than
this
region
is
not
allowed.
It's
checking
this
region
right,
it's
pretty
straightforward.
You
can
create
your
own
policies
and
just
make
sure
that
your
best
practices
are
getting
followed
across
your
environment.
Now
we
have
a.
C
Okay,
so
now
I'm
gonna
do
bottles.
I'm
gonna
just
apply
that
region
policy,
because
that's
one
of
my
favorite,
so
we're
gonna
apply
that
policy
and
let's
see
how
does
that
work
so
I
have
applied
the
region
policy,
which
means
that
basically,
you
cannot
create
your
SC
bucket.
Apart
from
any
other
region
which
I
have
in
my
policy
now,
let's
see
my
bucket
has.
C
Let
me
delete
the
bucket
that
I
created
it's
perfect
and
then
I'm
gonna
just
show
you
that
my
bucket
have
this
region,
whereas
my
policy
allows
only
this
region.
So
basically
it
should
just
block
this
bucket
because
it's
not
in
the
right
region.
So
let's
try
applying
this
policy
here
and
voila.
So
you
see
keyword
is
actually
blocking
this
and
it
does
not
only
block
the
resource.
C
It
actually
tells
you
why
it's
blocking
it
right,
so
the
developers
are
actually
getting
some
knowledge
that
what
is
not
working
and
why
that
resource
is
getting
blocked
and
they
can
actually
go
back.
They
can
change
the
region,
come
back
and
apply
it
again
right.
We
have
seen
this
in
our
customer
environment
a
lot
that
there
are
some
firewall
and
we
are
banging
our
head
trying
to
troubleshoot
what
exactly
is
going
wrong.
C
So
kimono
helps
you
with
that.
It
provides
your
descriptive
messages
and
you
can
make
this
and
this
is
custom
customizable.
So
you
can
make
it
more
descriptive
or
precise
help.
Your
developer
understand
what's
going
wrong
and
make
them
self-reliable
self-efficient
and
they
can
automatically.
You
know,
change
the
yaml
and
apply
it
again.
A
That's
amazing:
we
have
a
question.
Can
we
use
kyverno
in
openshift
yeah.
C
B
Again,
I
just
shared
a
link
that
can
be
handy
in
terms
of
how
to
do
it.
We
can't
you
know
we
probably
don't
have
time
to
get
into
it
in
this
live
stream,
maybe
some
maybe
in
the
next
live
stream.
We
can
probably
do
that,
but
yeah.
This
is
it's
definitely
supported
and
in
fact,
some
of
the
red
hat
products
like
Red,
Hat,
Advanced.
Custom
manager
also
supports
kivano
as
a
policy
engine.
C
Cool
so
yeah
I
think
we
we
saw
that
how
you
can
create
a
simple
SC
bucket
right
now.
Let's
understand
how
you
can
create
some
complicated
resources
like
an
eks
cluster
too,
for
an
example
and
let
me
bring
up
the
cluster
claim.
Let
me
pull
down
this
terminal
perfect
yeah.
So
we
have
seen
that
when
you
want
to
create
an
eks
cluster,
it's
just
not
the
matter
of
creating
one
eks
cluster.
You
actually
have
to
deploy
10
different
prerequisites.
C
You
have
to
deploy
a
VPC
subnet
route
tables,
Security
Group
many
resources
to
make
sure
your
eks
cluster
is
up
and
ready
right.
So
how
do
you
make
sure
that,
when
you
are
deploying
these
complicated
resources,
you're
making
developer
self-reliable
right?
So
there
is
something
called
as
composition
in
Cross
brain
using
which
you
can
do
that
I'll
talk
about
what
crosswind
is
and
how
platform
team
can
actually
deploy
it.
But
before
that,
let
me
talk
about
how
does
it
look
from
developers
standpoint?
C
What
is
the
yaml,
what
kind
of
resources
and
how
will
they
create
eks
cluster?
How
easy
or
difficult
is
right.
So
this
is
a
cluster
claim.
Basically-
and
this
is
what
an
eks
cluster
creation
will
look
like
simple
yaml-
it
has
bunch
of
the
variables
that
have
been
exposed
by
the
platform
team.
So,
let's
think
about
what
are
the
variables
which
developer
team
will
actually
need.
They'll
need
the
name.
They'll
need
node
size,
they'll
need
node
count,
that's
it.
C
They
don't
have
to
worry
about
VPC,
Security,
Group
and
all
complexity
right,
so
you
can
use
compositions
and
you
can
actually
hard
code
all
of
those
complexity,
whereas
just
allowing
parameterizing
only
the
variables
which
the
developers
can
use
and
they
can
just
change
these
parameters
and
create
any
case
cluster.
So
what
they
can
do
is
now.
This
is
like
again
simple
yaml
I'm,
creating
a
node
size
which
is
medium
node
count
as
two,
which
is
pretty
good
and
I
have
like
a
cluster
name.
C
Okay,
so
I
have
a
namespace
that
I've
created
for
the
developers
I
think
it
is
called
team
a
so
you
can
create
a
namespace
called
team.
A
you
can
provide
access
to
your
developer
team
for
that
particular
namespace.
So
now
what
they
can
do
is
using
the
simple
cluster
claim.
They
can
actually
provision
their
eks
cluster
in
the
particular
namespace,
and
it's
just
a
matter
of
applying
this
yaml
and
you'll
see.
All
of
that
will
get
kicked
in
so
initially
the
VPC
will
start
coming
up.
C
If
you
see
that
VPC
came
up
already,
then
your
subnets
will
come
up
and
automatically
you'll
see
roles
and
everything
getting
provisioned
like
10
15
minutes
for
your
cluster
to
come
up
so
you'll,
see
using
simple
cluster
claimed
file
you'll
be
able
to
trigger
your
entire
eks
cluster.
So
the
developer
will
only
choose
three
parameters
or
four
and
that's
that's
the
plot.
That's
that's
with
the
platform
came
to
decide,
so
the
platform
team
can
decide
that
okay
do
I
want
to
do.
C
A
So
so
we
have
a
question
which
I
think
you
just
maybe
restate
what
you're
doing,
but
can
we
create
infrastructure
with
kyverno
so
to
be
clear
in
this
demo,
we're
creating
the
infrastructure
with
cross
plane
and
you
can
create
it
with
other
tools
like
cluster
API
and
then
what
in
the
role
that
kyverno
is
playing?
Is
that
it's
making
sure
that
the
cluster
that's
automatically
created
is
follow
us
following
company
policy
and
Company
best
practices?
C
B
Kivano,
as
we
talked
about,
has
the
ability
to
generate
yaml
through
policy,
so
you
could
trigger
again
for
cross
plane.
If
you
wanted
to,
you
could
trigger
creation
of
infrastructure
based
on
policy
through
the
policy,
so
it's
certainly
possible
and
and
if
you
want
to
do
it
based
on
you
know
some
event
or
some
some
setting
I
mean
so
it's
all
possible
as
long
as
it's
doing
it
through
a
kubernetes
in
a
kubernetes
native
manner,
interesting
like
essentially
creating
a
custom
resource
because
ultimately,
kimano
can
mutate
or
generate
any.
B
You
know,
custom
resource
in
the
cluster
and
that
custom
resource
could
be
a
cross
plane.
You
know
S3
bucket
or
something
like.
B
In
most
common
use
case
and
that's
kind
of
we're
getting
into
the
next
part
of
the
demo,
around
namespace
as
a
service
I
mean
right
now,
it's
mainly
generating
the
kubernetes
native
use
cases.
Right,
but
again,
a
lot
of
things
are
possible
because
of
the
flexibility
that
that
kivarno
has-
and
you
know,
on
the
generate
use
cases,
we
will
talk
about
it
in
the
the
what
we
call
the
multi-tenancy
use
case
or
a
namespace
as
a
service
use
case.
B
That's
coming
up,
but
before
that
maybe
dollars
can
you
know,
wrap
up
this
one.
Okay,.
C
A
C
Yeah
so
yeah.
This
is
like
a
composition
that
I'm
showing
like
if
the,
if,
if
you're
wondering
that,
where
the
resources,
the
VPC
configurations
and
everything
are
coming
up
from,
so
these
are
like
composition,
which
are
like
a
cross
plane
configuration
thing
that
you
can
do
beforehand.
So
here
you
will
see
that
all
of
that
is
something
that
I've
hard-coded,
so
I
have
hard
coded.
C
The
node
group,
I've
hard-coded,
like
what
region
what
instance
type
do
does
small
medium
large
mean
right,
and
this
is
like
the
policy
and
all
the
thing
that
you
do
as
a
part
of
prerequisite
today,
when
you
want
to
create
an
eks
cluster,
you
can
take
all
of
that.
Setting
put
it
in
a
composition,
file
platform
team
can
deploy.
It
once
keep
the
setup
ready,
that's
it
choose
which
variable
they
want
to
expose,
provide
that
Yama
to
developers
and
boom.
C
The
developers
can
use
that
yaml
again
and
again
and
create
the
eks
cluster
right,
so
so
yeah
I
think
you
know.
We
see
a
lot
of
interaction
and
you
know,
like
developers
looking
for
clusters
to
test
their
applications,
a
lot
of
back
and
forth
between
developers
and
platform
team-
and
you
know
just
like
creating
any
case.
Cluster
sometimes
becomes
a
challenge
or
getting
any
case
cluster
to
deploy
an
application
sometimes
takes
time
right.
So
all
of
this
can
make
developers
self-sufficient.
C
A
One
one
thing:
I
really
like
about
your
demo,
like
when
I
think
of
caverno
or
like
policy
in
general,
I,
think
of
security
and
I,
think
of
governance,
but
then
you're
also
showing
like
automation,
use
case,
which
is
pretty
cool,
and
you
also
talked
about
cost
optimization,
which
of
course
makes
sense.
Now
that
you
said
it,
but
it's
not
something
I
had
thought
of
before
yeah.
C
Exactly
and
one
example
of
cost
optimization
on
this
cluster
is
now
we
can
provide
this
to
developers
but
again,
like
a
very
pretty
common
challenge
in
real
life
in
Practical
life,
he
sees.
How
do
you
make
sure
a
developer
doesn't
spin
up
nine
notes
right.
It's
going
to
spin
up
so
much
of
your
cost
right
and
the
next
thing
you're
going
to
shut
down
this
model,
saying
that
no
no,
this
is
not
working
for
us.
Our
cost
is
pretty
spiking
high
right.
C
C
So
we
have
seen
that
Enterprise
customer
have
this
naming
convention
that
they
should
have
Dev
clusters
with
Dev
hyphen
and
product
clusters,
broad
hyphen
right.
So
all
of
this,
where
you
see
that
there
is
some
possibility
of
human
errors,
they
can
change
the
convention.
They
cannot
follow
the
best
practices,
just
create
as
many
policies
and
make
sure
they're
following
it
right.
So
pretty
quickly,
I'm
going
to
deploy
one
policy
and.
A
B
Er
does
support,
you
know
oci,
one
of
the
things
kivano
the
capability
has
is
the
ability
to
you
know,
verify
images
and
and
and
actually
be
able
to
configure
policies
on
on
images,
and
that's
where
you
know
that
support
for
oci
comes
in
the
other
capability.
That
kevano
has
is
you
know
basically
ensuring
that
images
are
built
from
specific
base
images.
You
know
and
again
this
is
more
like
a
security
use
case.
So
a
lot
of
those
use
cases
require
keyword
to
interact.
B
Which
is
a
different
question,
which
is
absolutely
yeah,
is
agnostic
to
within
oci
Oracle
Cloud
infrastructure
would
actually
be
used
with
oke
Oracle
kubernetes
engine
and
and
it's
completely
compatible
with
that.
In
fact,
we
have
customers
who
are
using
using
it
there
right.
So
definitely
there's
no
kind
of
nothing
specific
in
kivano.
For,
for
you
know,
cloud
provider
support.
There
are
nuances
in
terms
of
How,
It's
deployed
or
or
tunables,
but
apart
from
that,
it
should
work
on
any
cncf,
confirmment,
kubernetes
distribution,
excellent.
A
C
So
yeah,
meanwhile
I
think
I
deployed
this
to
policy
and
I've
also
made
sure
that
my
cluster
K
claim
is
not
so
good.
So
I've
added
my
note,
sizes
large
and
like
I've,
created,
like
nine
notes,
I
want
and
let's
deploy
this
cluster
claim
and
see.
How
does
that
look
now
I'm
going
to
just
apply
it
in
my
list
crying,
and
you
will
see
that
kivano
will
actually
block
it.
So
keyword
will
say
that
okay,
this
is
not
allowed
because
of
two
problems.
I
see
two
policy
violations.
C
First,
is
the
cluster
with
any
more
than
three
nodes
is
not
allowed.
You
have
nine
go
back
change,
it
apply
it
again,
and
this
note
size
is
large.
I,
don't
like
it
go
back
again
right
so
yeah.
This
is
a
pretty
cool
feature
to
have
and
make.
Of
course
you
can
optimize
your
cost.
We
have
fill-ups
policies
that
works
perfectly
well
for
your
Cloud
providers.
We
have
validate
policy
for
your
best
practices.
C
We
have
muted
policy,
you
can
mutate,
we
have
generate
policies
for
automations,
so
pretty
much
a
lot
of
use
cases,
but
I'm
gonna
stop
for
cluster
as
a
service
use
case.
I'll
I'll
go
with
namespace
as
a
service
use
case.
But
before
that
do
we
have
any
questions
for
this
use
case,
anything
that
or
maybe
I'll
catch
uncatch
I.
A
Guess,
there's
some
confusion.
So
we
have
this
link
to
kyverno
policies
and
our
Oracle
Cloud
friend
doesn't
see
Oracle
Cloud
listed
in
the
policies.
B
Yeah,
so
the
policies,
the
list
of
policies
you
know
a
lot
of
those
policies
are
in
are
Cloud
agnostic
right
and
there
are
some
policies
that
and-
and
most
of
these
pretty
much
are
contributed
by
the
community.
So
there
are
some
policies
which
which
are
cloud
provider
specific,
maybe
there's
you
know,
there's
Oracle
policies.
B
Specific
policies
are
not
in
that
list
and
you
know
we'll
we'll
work
with
the
community
to
to
add
more,
but
a
lot
of
the
policies
that
are
in
there
you
know
can
be
used
on
Oracle,
Cloud
infrastructure,
right,
All,
pod
security
policies,
any
policies
again
which
are
related
to
kubernetes
resources
can
be
used
on
Oracle.
You
know
Oracle
kubernetes
engine
right.
So
that's
the
lot
of
vast
majority
of
the
policies
are
independent
of
any
cloud
provider.
C
Sure
so
yeah
I
think
this
is
like
a
standard
namespace
as
a
service
model.
So
now
we
have
seen
how
you
can
provide
cluster
as
a
service
to
your
developers
and
make
them
set
sufficient.
But
what
about
namespace?
We
have
seen
customers
having
like
big
clusters
like
10
or
15
nodes
having
20
30
namespaces,
and
all
the
developers
are
confined
to
a
particular
namespace,
where
they're
working
in
a
cluster
in
a
shared
model,
and
they
have
access
to
only
one
namespace
right.
C
So
in
this
scenarios
there
is
some
multi-tenancy
best
practices
which
kubernetes
tells
you
to
follow.
For
example,
every
namespace
will
have
Network
policy
just
to
make
sure
that
your
part
traffic
is
confined
in
a
particular
namespace.
So
there
is
no
application
talking
to
different
application
in
different
namespace
as
a
best
practice.
Now
there
is
best
factors
that
you
have
to
enable
quota
request
and
limit
just
to
make
sure
that
someone
doesn't
bring
like
big
application.
C
Utilizes
all
your
cluster
resources
right,
so
such
kind
of
application,
which
helps
the
which
helps
to
not
have
any
kind
of
impact
on
the
cluster
for
just
one
namespace,
and
this
is
like
multi-tenancy
best
practices
that
kubernetes
suggests
to
do
for
shared
clusters.
So
how
do
you
make
sure
that
this
happens
in
an
automated
fashion
because
think
of
it?
This
scenario
that
this
is
like
big
cluster.
C
C
This
is
how
keyword
number
will
help
you
with
that.
Now,
let's
talk
about
how
so
basically
I
have
like
a
use
case
where
you
know
you
you
name
space
without
labels
are
something
qrno
will
block.
So
you
need
to
make
sure
that
your
namespace
has
a
label
label
can
be
small,
medium
and
large,
depending
upon
that
kivano
will
automatically
generate
quota
for
the
theme
space
right.
So
a
developer
can
create
a
namespace
with,
for
example,
I
have
an
application
which
requires
small
quota,
so
I
can
create
a
namespace
with
small
label.
C
It
will
automatically
create
a
quota
for
me,
request
and
limit
Network
policies,
all
10
things
that
will
be
required
for
multi-tenancy.
Also
it
will
add-
or
it
will
mutate
a
label
in
my
namespace
with
my
name.
That's
so
that
the
platform
team
understand
that
okay
dollars
created
it.
So
if
there's
anything
wrong,
you
should
reach
out
to
dollars
right
so
yeah,
let's,
let's
start
from
very
basic
like
if
you
don't
have
a
label,
namespace
should
not
be
created,
let's
start
from
there.
So
to
start
there,
let's
create
this
policy.
C
Now
I
have
this
again
a
simple
validate
policy
checking
it
should
have
a
label
and
will
tell
you.
The
label
should
be
present
either
with
small,
medium
large,
so
I'm
gonna
just
quickly
apply
this
policy
validate
namespace
label
and
the
moment
I
apply
this
policy,
we'll
see
that
no
namespace
without
a
label
should
be
created.
So
now,
since
this
policy
is
applied,
I'm
going
to
create
a
namespace
and
it
will
throw
an
error
saying
that
okay,
you
have,
you
need
to
choose
a
label,
or
else
it's
not
going
to
happen.
C
So
I
have
a
demo
namespace
over
here
foreign
and
this
namespace
has
like
a
small
label.
So
I'm
gonna
apply
this
leg
space,
which
is
demo
and
it
will
go
through
and
it
will
go
through
it
will
it
says
it's
configured.
That
means
it
will
go
through
and
it
will
apply
all
the
labels
and
stuff
like
that
right.
So
now
it's
just
a
matter
of
the
developers
that
they
have
to
create
this
namespace
with
the
proper
label.
C
After
that,
all
the
things
which
we
were
talking
about,
like
your
network
policy,
it's
automatically
there
in
your
namespace
or
it's
in
the
matter
of
quota.
That's
automatically
there
in
your
main
space
right,
so
you
have
like,
with
the
label
that
was
small.
There
was
automatically
a
small
quota
created
in
the
particular
namespace
right
and
request
and
limit,
and
even
if
you
just
get
this
namespace
and
you
do
a
natural
yaml
in
this
name
space,
you
will
see
there
will
be
a
label
that
gets
created.
C
It
says
kivano,
Dash
I,
created
by
dollars
right,
so
it
becomes
very
easy
for
the
platform
team
to
Now
understand
that
this
was
created
by
dollars
and
the
moment
I
just
do
apply.
It
will
create
quota
for
me
it
will
create
network
policies.
For
me,
you
using
generate
policy
and
it's
going
to
mutate
the
existing
namespace
by
applying
this
labels.
So
let's
let's
go
back
and
see
what
this
policy
looks
like.
So
what
does
a
mutate
policy?
Look
like
now.
I.
Have
this
something
called
as
mutate
add
namespace
label.
C
So
this
is
what
muted
policy
look
like
now,
let's
understand
line
by
line
what
it
does.
It
looks
very
simple
again,
so
it's
very
same
similar
to
what
validate
policy
looks
like
so,
basically,
what
it's
doing
is
it's
having
a
name,
it's
matching
it
with
all
the
namespaces
and
it's
mutating,
this
user
info.
It's
taking
this
using
the
James
path
and
you
can
just
append
this
label
in
the
namespace
right.
So
this
is
like
simple
mutate
policy
that
you
can
create
and
you
can
mutate
your
existing
resource
it,
you
can
add
your
trigger.
C
So
here
the
trigger
is
that
this
rule
will
match
any
time
a
namespace
will
create.
So
you
can
add
triggers
like
okay.
If
config
map
gets
created
mutate
this,
if
a
secret
gets
created
mutate,
this
like
do
any
kind
of
mutation
with
any
kind
of
trigger.
Is
you
can
play
around
with
this?
You
can
do
many
things,
so
this
is
a
mutate
policy
and,
let's
understand
the
generate
policy.
We
generated
our
Network
policy,
quota's,
request
and
limit.
C
So
this
is
one
generate
policy
that
we
have
over
here
again
simple
and
straightforward,
similar
to
validate
and
mutate
policy.
It's
basically
giving
you
the
name.
You
can
apply
it,
it's
matching
the
namespaces
and
then
it's
using
the
selector.
So
if
the
selector
is
small,
it's
gonna
create
these
many
things
right.
So
if
the
selector
is
small,
it's
going
to
create
small
quota,
one
CPU
8GB
memory,
stuff.
If
the
namespace
selector
is
medium,
it's
going
to
create
medium
quota,
maybe
Code
4
memory
will
be
16..
C
If
this
is
large,
it's
going
to
create
large
quota
for
you
right.
So
these
kind
of
policies
is
something
that
it's
going
to
generate
these
yaml,
so
you
don't
have
to
generate
it.
It's
automatically
creating
generate
yamas
for
you,
so
this
can
be
used
for
automations,
like
in
your.
If
you
have
some
automation
use
cases
where,
but
with
this
with
this
trigger,
it
should
generate
10
yamls
or
it
should
generate
some
resources
or
it
should
mutate
some
resources.
Okay,
you
can
deploy.
A
B
B
Yeah-
and
one
thing
to
add
to
that
is
you
know,
there's
also
a
a
configuration
option
to
actually
even
prevent
or
keep
thinking
things
keep
the
resources
in
sync.
So,
for
example,
if
a
developer
goes
and
deletes
that
Network
policy
kivano
will
make
sure
that
it
gets
recreated
right
so
so
they
cannot
just
bypass
it.
Obviously
you
can
do
that
through
roles
role,
bindings
things
like
that,
but
kivano.
B
Also
all
it
essentially
follows
the
same
Principle
as
kubernetes
will
always
you
know,
treat
the
policy
as
the
source
of
Truth
and
make
sure
that
you
know
if
the
namespace
label
matches
that
resource
always
exists
right
and
then
even
on
the
cleanup
side,
if
that
resource
is
deleted,
the
the
generated
resources
are
automatically
deleted.
B
So
that's
kind
of
how
it
helps
manage
this
life
cycle
and
I
mean
these
are
small
things,
but
in
large
environments
they,
you
know
add
up,
and
you
know
create
a
lot
of
you
know
challenges
so
kevano
addresses
those
pretty
elegantly.
A
B
Yeah,
which
is
actually
that's
a
great
point
when
you
say
exception
to
a
policy
you
mean
somebody
who,
if
then
there's
an
application
that
wants
to
kind
of
bypass
that.
A
B
Yeah,
so
there
is,
there,
is
you
can
there
is
a
construct
within
caverno
called
policy
exceptions,
and
you
can
actually
create
these
policy
exceptions
on
a
per
namespace
per
resource
basis,
and
you
can
allow
certain
applications
or
or
resources
to
bypass
that
policy?
B
Okay,
so
that
is
certainly
available
and-
and-
and
we
see
that
very
often,
especially
when
it
comes
to
security
policies,
a
lot
of
times
if
you're
dealing
with
third
party
applications
and
don't
have
the
ability
to
fix
those
security
issues
immediately,
you
may
want
to
request
an
exception
and
then
get
those.
As
you
know,
those
issues
fixed
while
the
exception
is
in
place.
A
C
Yeah
I
think
yes
of
course,
so
let
me
just
pull
it
up,
and
you
know
this
is
like
a
GitHub.
All
my
policies
are
over
here.
So,
if
you
want
to
just
you
know,
check
them
out
all
the
policies
for
cluster
services
in
this
folder
are
named
by
service
S3
bucket.
All
the
configurations
are
over
here,
maybe
I'll,
put
in
like
a
installation
document
which
will
help
you
to
install
cross
plane
and
using
all
this
instructions,
you'll
be
ready
and
get
it
done
in
your
environment.
C
Cool
so
yeah
I
think
these
are
some
of
the
benefits
and
yeah
while
ritesh
was
talking
through
policy
exception,
I
also
realized.
We
have
something
called
as
cleanup
policies,
so
you
know
we
have
struggled
with
cleaning
up
Cloud
resources
again
for
cost
optimization.
That's
that's
a
problem
for
everyone
today,
so
we
have
something
called
as
cleanup
policies
where
you
can
actually
clean
up
these
resources,
so
you
can
use
them
as
a
Cron
job
where,
like
your
eks,
cluster,
automatically
gets
deleted
after
two
days.
C
If
anybody
just
forget
to
delete
it
right,
so
that
helps
you
as
well
to
clean
up
everything
using
like
a
clone
job
fashion.
So
that's
one
thing:
that's
available,
just
just
realize
that,
but
yeah
apart
from
that,
these
are
some
of
the
benefits
that
I'm
showing
on
the
screen.
It
helps
you
to
automate
it.
It
helps
you
to
have
consistency.
C
Not
to
forget
self-service
style
is
is
fantastic
to
adapt.
Then
it
helps
you
with
security,
best
practices
compliances.
It
helps
you
to
scale
well,
and
then
we
have
Community
Support
out
there.
So
kubernet
is
an
open
source
project.
We
have
a
slack
Channel
and
you
know
if
you
have
any
issue,
you
can
just
drop
your
messages
or
questions,
and
our
entire
team
is
quite
active
on
slack.
So
we
are
there
to
help
out.
A
Yeah
absolutely
so
far,
we've
been
sitting
on
top
of
the
questions,
but
I've
really
really
enjoyed
your
presentation,
and
you
have
just
really
amazing,
like
relatable
use
cases
that
that
I
think
are
really
valuable.
A
It's
worth
saying
like
with
internal
developer
platforms,
there's
no
like
one-size-fits-all
solution,
like
you're
building
out
custom
like
apis
and
such
for
your
your
own
internal
development
teams,
and
so
when
you
do
that,
you
also
need
to
build
out
your
own
policy
and
so
you're
you're,
showing
that
there's
like
great
Community
like
great
what
you
said
ritesh
is
that
you
use
the
word
elegant,
I
liked.
The
word
elegant
like
elegant
solutions
that
just
the
common
sense
they
make
a
lot
of
sense.
B
So
yeah
and
quickly
what
we
saw
just
to
add
to
that
Whitney
I
mean
in
the
past
in
a
lot
of
teams,
were
kind
of
struggling
with
these
challenges
and
the
the
kind
of
one
way
to
address
them
was
you
know,
creating
like
operators
right
and
when
you
start
doing
that,
you
you
one
is,
obviously
you
know
creating
the
operators
managing
maintaining
them.
That
creates
overhead.
A
B
Obviously,
that's
additional.
You
know,
code
resources,
time
and
complexity,
so
with
kivano
you
can
certainly
eliminate
quite
a
few
of
these
operators,
especially
the
ones
that
would
you
know,
manage
life
cycle
of
certain
resources.
Now,
maybe
for
super
complex
things,
you
still
need
to
write
an
operator,
but
for
basic
life
cycle
you
know,
Resource
Management
kivano
can
handle
that
right.
So
that's
kind
of
an
advantage.
Excellent.
A
B
In
fact
there
is
and
I
can
I
can
you
know,
find
a
link
and
share
it,
but
in
fact
cncf
has
guidance
and
we
work
with
cncf
on
that
on
that
topic
as
well.
I
think
you
know
dollars
beat
me
to
it.
I
think
she
shared
that
link.
So
if
you
want
to
put
that
out
there
I'm.
A
Because
very
speedy
and
then
multi-tenancy
there
are
a
lot
of
strategies
in
terms
of
out
their
Technologies
like
V
cluster.
We
can
make
virtual
clusters.
Kcp
is
one
that
I,
don't
honestly
completely
understand
to
be
honest,
but
I
understand
it
helps
with
multi-tenancy
and
I.
Have
I'm
gonna
put
up
another
multi-tennessy
link
so.
C
C
C
C
A
Yeah,
okay,
it's
too
small,
but
we're
talking
about
it
at
a
high
level.
So
it's
fine
people
can
go
there.
Yeah.
C
So
I
think
there's
a
tenancy
model
that
you
can
deploy
where
you
can
stick
all
the
parts
to
a
particular
node.
So
you
can
add
Toleration
sentence
and
do
that
so
there's
keyword,
no
policy
that
automatically
helps
you
to
apply
the
tolerations
in
every
part
based
on
the
labels.
There
is
something
called
as
priority
class
for
isolations,
so
there
are
a
bunch
of
recommendations.
C
You
can
dig
deeper
and
you
can
make
it
more
and
more
tight
and
secure,
and
we
have
keyword,
no
policy
for
each
of
these
use
cases,
whether
it
is
like
quota
request,
limit
priority
classes,
isolation,
soft
nodes,
stuff,
like
that
so
yeah,
this
one
link
talks
about
what
is
the
best
practice
all
about,
and
the
other
link
talks
about
what
kind
of
policies
we
today
have.
So
this
is
like
something
that
you
can
start
with
now
not
to
forget.
This
is
like
yaml
policies
right,
so
you
can
create
and
develop
your
own.
C
A
Yeah,
this
has
been
a
really
wonderful
presentation.
Thank
you
so
much
you
two
for
sharing
your
time
and
your
expertise
with
us
we're
getting
a
lot
of
nice.
Thank
you
great
content
and
conversation
and
a
lot
of
nice
comments
and
chats
so
really
really
appreciate
your
time
today.
Is
there
anything
you'd
like
to
say
in
closing.
B
No
I
think
you
know
just
if
you're
interested
in
learning
more
about
kimono,
like
Dallas
mentioned
you
know,
join,
join
the
slack
Channel
join
the
community.
We're
always
happy
to
hear
about
your
use
case,
learn
more
about
how
we
can
extend
and
expand
kevano
to
address
some
of
your
challenges,
and
you
know
at
nirmata.
We
we
are
fully
committed
to
kind
of
you
know
ensuring
that
kevano
continues
to
be
that
number
one
policy
engine
for
kubernetes,
right
and
I
would
love
to
continue
working
with
the
community.
A
Excellent
wonderful
yeah,
our
friend
who's
interested
in
using
kyverno
on
Oracle
Cloud.
If
you
have
any
troubles
slack,
it
sounds
like
Slack's
the
place
to
go
with
more
questions.
So
thank
you.
Everyone!
Thank
you
for
sharing
your
expertise,
dolls
and
ratesh.
A
Oh
I,
have
a
closing
thing,
I'm
supposed
to
say
thanks
everyone
for
joining
today's
episode
of
cloud
native,
live
it's
great
to
have
ratesh,
Patel
and
Dallas
Sharma
here,
teaching
us
about
policy-based
governance
for
internal
developer
platforms,
as
always,
I
really
love
the
interaction
when
questions
from
chat
y'all
are
the
best,
and
thank
you
also
for
everyone
who
watches
the
recording
later
here
at
Cloud
native
live.
We
bring
you
the
latest
in
Cloud
native
code
on
Tuesdays
and
Wednesdays
at
noon.
Us
Eastern.