►
From YouTube: Policy as code with Kubewarden
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from April 17-21, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
Hello,
everyone
and
a
very
good
day
or
evening
or
based
on
where
you're
tuning
from
I'm
Divya
Mohan
and
today
I'm
going
to
be
speaking
about
Cube
bottle,
which
is
a
project
to
simplify
policy
as
code
AS
also
improve.
You
know
the
code,
reusability
and
developer
experience,
while
doing
so
so
before
I
go
ahead.
A
A
I
am
also
one
of
the
documentation
maintainers
on
the
kubernetes
project
and
as
cncs
ambassador
I
have
co-created
the
kcne
exam,
which
basically
helps
people
who
are
getting
into
the
cloud
native
ecosystem
test,
their
knowledge
of
everything
of
all
the
basics
in
the
cloud
native
world.
A
Now
coming
to
the
agenda
for
today,
I
I
foresee
a
very
packed
schedule.
So
first
up
we're
gonna,
look
at
a
cube
burden.
What
exactly
it
is.
What's
the
architecture
delve,
a
little
deep,
then
look
at
why
it
came
into
existence,
despite
all
the
admission,
control
and
security
policies
that
we
have
were
built
in
into
kubernetes,
we'll
try.
A
You
know
demoing
that
and
we'll
also
see
some
of
the
cool
new
stuff
that's
been
released
as
part
of
cubeboard
and
version
1.3,
which
is
our
latest
and
last
major
release
for
this
year
and
we'll
also
try
seeing
it
with
a
demo
and
hope
that
you
know
all
the
demo
Gods
comply
today.
A
Now,
if
you
want
to
actually
follow
along
on
the
presentation
or
follow
along
with
the
presentation,
or
you
know,
you
want
a
reference
for
later
to
actually
you
know
check
out,
you
can
visit
the
a
link,
that's
visible
on
your
screens
right
now
and
although
the
screen
cap
doesn't
show
the
screen
take
not
screen
deck.
A
Sorry
slight
deck,
that's
included
in
it
as
well,
so
you
are
going
to
have
all
the
code
that
I
am
executing
right
now
on
my
machine,
the
environment
that
I'm
using-
and
you
know
the
slide
deck
for
ready
reference
later
on
as
well.
A
Now
I
now
I
would
like
to
first,
you
know
start
off
with
the
textbook
definition,
which
is
a
policy
engine
for
kubernetes,
to
simplify
the
policy
score
process.
It's
also
a
cncf
project,
oops.
Sorry,
it's
a
cncf
project
and
we
are
in
the
cncf
sandbox
as
of
June
this
year,
if
I'm
not
mistaken.
A
Now,
if
you
actually
want
to
see
us
on
the
cncf
landscape,
I
am
afraid
that
you
know,
given
the
size
of
the
landscape.
I
was
not
able
to
give
you
a
like
for
like
representation
here,
but
I
have
circled
it
in
Black.
If
you
can
see
and
you'll
be
able
to
view
keyboard
in
under
the
security
and
compliance
section
of
the
landscape
and
the
logo
that
you
need
to
be
looking
out
for
is
this,
so
you
can
go
check
it
out
at
landscape.cncf.io
to
no
more
details
about
the
project.
A
In
terms
of
you
know,
Stars
Etc
or
you
can
visit
our
GitHub
repo
as
well,
which
is
https
github.com.
A
Now
this
is
all
great,
but
what
exactly
is
so
special
about
Cube
burden,
and
why
was
it
required,
despite
all
the
built-in
admission,
control
and
security
that
we
have
within
kubernetes?
What's
the
secret
sauce?
A
So
first
we'll
address
this
in
two
parts.
Let
me
you
know
state
that
at
the
outset
we
have
you
know
when
we
started
off
with
kubernetes.
We
had
pod
security
policies
to
enforce.
A
You
know
Securities
security
for
Access
Control,
based
on
permissions.
Now
we
know-
and
we
shall
see
in
the
next
couple
of
slides-
that
there
were
some
drawbacks
of
with
this
approach,
which
is
why
we
sort
of
deprecated,
then
removed
and
provided
an
alternative
in
the
form
of
part
security.
Admission.
A
Part
security.
Admission
is
a
great
replacement,
but
it
might
not
give
you
the
power
to
enforce
the
level
of
granularity
that
you'd
like.
So
that's
why
we
see
a
lot
of
tools
that
are
recommended
as
supplements.
Cube
modern
aims
to
be
one
of
them,
but
let's
see
how
it
stands
out,
because
there
are
other
Cloud
native
Tools
in
this
space
right
like
there's
opiates
gatekeeper,
why
not
choose
them
or
they
are
more
matured.
A
In
terms
of
you
know,
the
number
of
yours
may
be
in
existence
so
for
anyone,
who's
actually
used,
Opa
and
gatekeeper.
You
know
the
Steep
learning
curve
that
actually
comes
along
with
learning
that
tool
right.
You
have
to
learn
a
separate
language
in
the
form
of
Rigo
from
scratch
to
actually
start
enforcing
your
policies
or
writing
policies.
Rather
so
what
if
I
told
you
that
you
could
write
your
kubernetes
policies
in
a
programming
language
of
your
choice?
A
A
So,
what's
the
caveat,
the
language
that
you
use
needs
to
compile
to
webassembly
bindings
now
webassembly
is
a
you
know.
Is
a
landscape?
A
That's
growing
pretty
quickly,
so
we
have
a
lot
of
languages
that
are,
you
know
fulfilling
this
caveat
currently,
but
not
all
of
them
are
supported
by
Cube
burden
because,
like
I
said,
we
are
relatively
younger
in
the
landscape
as
compared
to
some
of
the
other
tools,
and
keeping
up
is
difficult,
although
we
are
trying
our
best
to
actually
bridge
that
Gap
to
improve
your
experience.
So
what
are
the
languages?
A
You
know
that
we
support
currently
now
when
I
first
said,
webassembly
I'm
sure
you
thought
rust,
like
it's
very
synonymous.
Rastan
webassembly,
go
hand
in
hand
for
some
reason
and
everyone
else's
mind
and
in
my
mind
too,
so
it
was
a
no-brainer
for
us
at
the
cubodon
project.
To
actually
you
know,
Empower
you
to
write
policies
in
Rush.
A
Should
you
choose
to
so
we've
gotten
around
to
creating
SDK,
that's
raw
space,
leveraging
the
official
rust
compiler
so
that
web
assembly
more
policies
can
be
generated
as
webassembly
modules,
and
you
know
then
subsequently
evaluated
bird
during
incoming
requests.
A
But
rust
is
not
everyone's
cup
of
tea.
It's
considered,
Niche
I,
don't
know
how
true
that
is,
but
it's
considered
niche.
So
what
are
the
other
options
that
we
offer?
So
the
second
option
is
go
now.
Go
is
pretty
popular
in
the
cloud
native
ecosystem,
but
it
is
not
a
first
class
citizen
in
the
web
assembly.
One
that's
kind
of
reflecting
in
the
fact
that
go
does
not
have
its
official
compiler
supporting
webassembly,
which
is
why
we
have
used
the
time
you
go.
A
Compiler
that
actually
generates
webassembly
modules
from
you
know,
go
code
and
we
have
a
project
policy
template
or
sorry.
We
have
a
policy
template
for
you
to
actually
get
started
in
case.
You
want
to.
You
know,
begin
writing
policies
right
off
the
right
after
this
presentation.
So
all
of
that
is
linked
in
the
resources
section
of
this
presentation
and
it's
there
for
all
of
the
languages.
A
By
the
way,
if
I
did
not
say
that
before
the
next
one
up
is
Swift
now
I,
don't
know
how
widely
used
it
is.
So
pardon
me
because
I
do
not
come
from
a
development
background,
but
if
you
know
your
choice
of
poison
or
your
poison
of
choice
is
Swift.
We
have
an
SDK
for
that
too,
leveraging
not
the
Swift
compiler,
because
it's
still
officials
with
compiler,
because
it
still
doesn't
support
web
assembly
yet,
but
we
use
the
Swift
wasn't
project.
A
So
these
are
broadly
the
three
languages
that
we
support
and
I
know.
I
started
off
with
an
ambitious
claim
of
you
know,
saying
that
users
can
write
kubernetes
policies
and
their
favorite
programming
languages,
and
that
is
the
aim
they're.
You
know
we
have
plans
of
you
know
being
inclusive
of
front-end
development,
folks
as
well,
by
incorporating
assembly
script,
which
is
like
a
very
strict
subsection
of
not
sub
section,
which
is
a
strict
subset
of
a
typescript
which
is
a
strict
subset
of
JavaScript.
A
So
we
haven't
forgotten
y'all
but,
like
I
said,
the
webassembly
landscape
is
one
that's
quickly
growing
and
as
it
grows,
we
and,
as
you
know,
more
and
more
languages
have
their
official
compilers
support
support
the
web
assembly.
You
know
spec,
we
will
be
able
to
have.
You
know
specific
sdks
for
that
as
well.
But
currently
these
are
the
only
three
but
I
spoke
a
lot
about
reusability
as
well.
A
In
fact,
I
think
I
mentioned
it
twice
as
of
now,
and
why
did
I
speak
of
that
and
what's
the
deal
with
it
now,
if
you've
been
in
this
space,
you
probably
are
using
op
your
gatekeeper
and
for
all
the
you
know,
things
that
I
said
about
a
steep
learning
curve.
People
have
actually
adopted
it,
it's
there
for
a
reason.
So
what
if
you
actually
want
to
switch
to
you
know
cubeboarding
or
you
know
you
want
to
at
least
try
out
cubeboarding.
A
Do
you
have
to
learn
any
of
the
programming
languages
that
I
said
in
the
previous
slide?
Actually
I
mean
you
probably
could
if
you
want
to,
but
you
can
also
reuse
almost
all
your
existing
Rebo
policies,
I
say
almost
because
some
policies
have
not
some
policies,
policies
have
bacon
functions
and
some
of
these
functions
are
SDK
dependent,
which
means
that
Cube
modern
has
to
actually
Implement
them
as
opposed
to
the
webassembly
file.
You
know,
as
opposed
to
it
actually
getting
implemented
in
the
webassembly
file.
A
Now
we
have
made
it
a
point
to
actually
cater
to
a
majority
of
the
k8's
users
by
offering
support
for
almost
all
of
the
built-in
functions,
but
we
realize
that
it
does
not
cover
all
the
bases
and
we
are
tracking
this
over
a
GitHub
issue.
If
this
is
something
of
interest
to
you,
you
should
also
chime
in
on
that
thread.
A
I've
included
it
in
the
resources
section
of
the
slide,
and
you
can
help
prioritize
the
work
that's
being
done
in
this
regard,
and
once
you
actually
write
these
policies,
how
do
you
share
them?
Where
you
store
them?
What
you
store
them
as
like
you
could
have
them
on
your
local
machine
shop.
But
what,
if
you
actually
want
to
you
know
help
others
use
the
same
thing:
what,
if
you've
written
a
damn
good
policy,
so
you
could
use
a
web
server,
not
saying
no,
but
isn't
it
kinda?
A
A
Docker
Hub
is
currently
not
supported
because
it's
not
oci
compliant,
but
I
heard
that's
in
the
works
too
in
like
the
coming
few
months,
in
the
sense
that
it
will
become
OCR
compliant.
So
when
you
ask
me
what
is
the
secret
sauce
I?
Probably
summarize
it
as
kubernetes
Dynamic,
admission,
control
and
webassembly,
and
now
that
we've
looked
a
bit
at
the
web
assembly
side
of
it?
Let's
look
at
you
know
the
dynamic
admission
control
part
of
it
right
so
we'll
be
now
moving
into
the
architecture
section
wherein
I'm
gonna.
A
First,
you
know
speak
to
the
architecture.
Diagram
rather
speak
from
the
architecture,
diagram
and
you
know,
describe
all
the
components
and
then
we'll
see
how
they
Interlink,
with
the
help
of
a
sample
request.
View
sounds
good
right,
so
this
is
the
architecture,
diagram
and
I
know
it
looks
intimidating,
but
I
promise
you
it's
not
so
we've
been
talking
about
policies
all
this.
A
While
it's
a
policy
engine,
we
are
talking
about
policy
as
code,
we're
talking
about
evaluation
of
policies,
so
policy
is
kind
of
a
big
deal
in
this
presentation
and
it's
also
the
star.
So,
in
the
context
of
cube
burden
policies
are
webassembly
modules,
as
you've
probably
guessed
by
now,
or
at
least
heard
from
the
previous
couple
of
slides.
A
Now,
when
you
have
these
policies,
you
need
something
to
actually
enforce
them
and
evaluate
the
requests
against
these
policies
right.
So
that's
what
the
keyboard
and
policy
server
is
for,
which
is
our
next
component,
and
when
we
talk
about
you
know
the.
A
When
we
actually
talk
about
cubeboarding,
we
obviously
are
going
to
have
some
custom
resources
that
are
specific
or
some
natives
that
are
specific
to
a
cubeboard
they're
known
as
cubeboard
and
custom
resources
very
similar
to
kubernetes
custom
resources
that
help
us
effectively
manage
the
process
of
you
know
evaluating
policies.
A
Last,
but
not
the
least,
it's
the
thread
that
holds
all
of
it
together
the
cube
button
controller.
Now
the
cube
button
controller
is
kinda
like
the
eldest
child
in
the
family.
It's
gotten
a
lot
of
responsibilities.
That's
pretty
much
everything!
Sorry,
that's
pretty
much!
Everything
here
like
in
the
background,
so
first
up,
it's
responsible
for
creation
of
you
know
some
of
the
components
of
the
stack.
A
It's
also
responsible
for
ensuring
that
kubernetes
understands
Cube
bottle
because
kubernetes,
like
I,
said
there
are
going
to
be
some
constructs
in
Cube
burden.
There
are
constructs
and
kubernetes.
Somebody
has
to
make
sure
that
you
know
Cube
button
is
able
to
communicate
with
kubernetes
so
that
it
can
evaluate
resources.
A
The
controller
does
the
job
of
actually
translating
Cubone
constructs
into
kubernetes
natives,
and
it
also
does
you
know
this
whole
thing
of
reconciliation
of
policies.
Now.
A
What
it
is
and
how
it
happens,
is
something
we
shall
actually
look
at
in
the
next
section,
which
is
about
the
request
flow.
But
once
you
know,
Cube
button
is
created,
kubernetes
needs
to
know
that
it
exists
right,
like
sure
you
actually
are
installing
it
at
all.
Sorry
attack
kubernetes,
but
you
need
to
know
like
one
needs
to
know
of
the
other,
for
it
to
work
seamlessly
the
cube
button
controller.
Does
that
as
well?
So
how
does
it
do
that?
It's?
A
How
does
it
achieve
this
whole
process?
Is
we
are
the
concept
of
dynamic
admission
control
wherein
Cube
button
is
an
admission
web
hook?
It
essentially
functions
as
an
admission
web
hook,
with
its
endpoint
being
the
keyboard
and
policy
server.
Now,
how
does
this
whole
process
happen
again?
Sample
request
flow,
and
that's
how
you
know
kubernetes
ties
are
rather
keyboarding
ties
into
the
whole
kubernetes
install.
A
So
if
this
sounds
like
mumbo
jumbo-
or
you
know
a
bunch
of
rambles
just
bear
with
me,
please,
because
we
are
now
going
into
the
request
flow
part
of
it
wherein
we
look
at.
You
know
how
Cube
Warden
actually
gets
to
the
point
of
evaluating
incoming
requests
by
integrating
with
kubernetes
API
server
right.
A
So
first
up
when
a
cube
button
is
installed
freshly.
What
happens
is
that
it
only
installs
two
companies,
one
is
the
keyboard
and
controller
deployment
and
the
other
is
a
policy
server.
Custom
resource
named
default.
Now,
when
the
controller
notices
that
there
is
a
policy
server
custom
resource,
it
obviously
spins
up
it
obviously
spins
up
a
deployment.
A
Now
I
told
you
a
while
back
that
it
is
the
sorry
the
policy
server
is
the
web
hook
as
well,
and
you
know
by
Design
the
web
hook
web
hooks
within
web
hook.
Endpoints
within
kubernetes
are
required
to
have
some
sort
of
security
enforced
in
the
form
of
TLS.
A
A
But
now
we
write
our
very
first
policy,
that
is,
we
use
the
cluster
admission
policy
resource
and
write
in
as
many
policies
as
we
want
now
within
this
resource,
you
can
specify,
as
many
like
I
said
and
I
said,
but
I
also
said
that
there's
a
whole
reconciliation
process.
A
What's
that
about
now,
when
the
coupon
controller
notices
that
there
is
a
clustered
admission
policy
resource,
what
happens
is
that
there
is
a
Reconciliation
Loop
triggered
in
which
the
config
map
generation
is
actually
initiated.
Now,
what's
a
config
map,
click
on
fake
map
is
basically
a
kubernetes
API
that
Stores
you
know
environment
specific
configuration
so
that
your
container
image
actually
doesn't
have
to
do
that
it
becomes
portable.
A
A
There
is
all
there
are
all
these
policies
that
you
have
listed
in
the
cluster
admission
policy
and
hopefully,
you've
configured
them
properly,
because
if
you
have
you
know,
your
policy
server
will
start
up
seamlessly
and
once
that's
done,
it'll
spawn
threads
to
actually
evaluate
incoming
requests
and
also
listen
to
incoming
requests,
because
you
have
to
listen
to
stuff
to
actually
start
evaluating.
So
how
does
it
listen
to
incoming
requests
it's
by
starting
up
a
https
web
server?
A
But
I
also
said
that
you
know
the
cubodon
policy.
Server
is
an
admission
web
hook
endpoint
and
the
kubernetes
API
server
needs
to
be
made
aware
of
this,
and
the
cube
button
controller
is
what
makes
it
happen.
How
does
it
do
that?
We
know
that
you
know
it
creates
a
mutating
or
validating
webhook
endpoint.
A
A
You
know
the
and
point
is
actually
registered
as
a
mutating
or
a
validating
one,
and
once
this
Plumbing
is
all
generated
you
sorted
because
the
kubernetes
API
server
then
sends
all
the
requests
to
the
keyboard
and
policy
server
and
based
on
the
endpoint,
whether
mutating
or
validating.
Your
policy
server
actually
ends
up
evaluating
and
sends
back
to
response.
So
that's
how
it's
done
folks
and
you
can
extrapolate
this
to
multiple
policies,
multiple
policy
server
setup,
but
where
would
you
use
it?
A
Probably,
you
know
in
Mission
critical
setup
where
resiliency
is
key
is
one
thing
that
comes
to
mind
and
maybe
in
a
multi-tenant
setup
as
well,
where
you
know
you
require
a
dedicated
policy
evaluation
Handler
for
avoiding
the
noise
that's
generated
from
other
tenants.
You
could
possibly
use
that
in
that
as
well.
A
So
multiple
policy
servers
evaluating
multiple
policies
is
certainly
doable
and
with
that
we
come
to
our
next
section,
which
is
looking
at
why
PS
PSP
PSA
did
not
just
cut
it
when
it
came
to
enforcing
Security
in
kubernetes.
A
So,
to
start
off,
we
will
first
look
at
tsp,
which
is
for
security
policy
and
it's
removed
currently
in
the
latest
version
and
has
been
replaced
by
Port
security
admission.
So
what
is
PSP
exactly
it's
a
framework
to
ensure
that
your
pods
are
running
with
proper
privileges,
able
to
access
specified
objects,
only
no
unwanted
access
is
given
and
no
extra
access
is
given.
A
In
fact,
the
concept
of
least
privileges
expected
to
have
been
enforced
and
kubernetes
are
back
essentially
links
PSPs
to
users
or
Services
via
the
roles
that
they
actually
assume.
A
So,
let's
quickly
look
at
it
in
action
now
I
mentioned
that
users
or
software
or
services
are
actually
you
know
given
roles.
Now
in
a
setup,
you
will
probably
have
users
and
software
assigned
accounts
or
being
part
of
accounts
which
will
then
be.
You
know
bound
to
roles
that
have
certain
privileges,
PSP,
actually
checks
for
you
know
the
permissions
assigned
or
corresponding
to
each
of
these
privileges
for
each
incoming
requests
and
accordingly
blocks
or
schedules
the
action,
but
there
is
a
problem,
isn't
there
because
it
did
get
removed.
A
So
what
was
the
problem
with
PST?
Firstly,
configuring?
It
is
extremely
tedious
if
you
assign
you,
know
the
broader
permissive
privileges
you
are
going
to
land
yourself
into
trouble
and
if
you
go
to
go
to
restrictive,
you
might
have
to
you
know:
reconsider,
designing
your
policies,
designing
your
policies
all
over
again,
because
certain
pods
might
not
get
created
and
then
you
know
they
will
be
in
the
non-reconciliate.
A
So
the
deployments
or
the
higher
objects
will
be
non-reconciliatory
straight,
and
that
is
problematic
because
doing
that,
for
maybe
one
two
or
three
deployments
makes
sense.
So
it
does
make
sense
for
a
single
installation,
but
it
does
not.
A
When
you
know
you
have
a
huge
huge
infrastructure
to
manage
so
yeah,
so
PSPs
were
problematic
and
that's
why
we
have
the
replacement
in
the
form
of
per
security
standards
and
for
security
admission,
which
offer
a
More
Level
based
control,
and
you
know,
allow
you
to
ensure
that
policies
are
set
in
a
clear
and
consistent
fashion.
A
So
we're
not
going
to
go
into
the
depths
of
actually.
You
know
checking
how
it
works.
Sorry
about
that
because
we
have
a
demo
to
get
to.
But
let's
look
at
what's
the
problem
with
pod
security
admission
as
a
version
to
1.25,
it
does
not
have
any
mutation
capabilities.
A
A
So
that's
essentially
why
tools
like
you
Borden
are
important
as
supplementary
or
can
I
say
complementary,
but
yeah.
So
they
are.
You
know
empowering
you
as
developers
to
integrate
into
your
Cloud
native
infrastructure
and
enforce
the
level
of
granularity
in
the
you
know,
levels
that
you
want
to
enforce
it.
A
So
we
did
create
the
project
or
conceptualize
the
project
as
replacing
PSPs,
but
we
were,
we
recommend
doing
it
by
complementing
part
security
admission,
that
is
by
actually
integrating
cubeboarding
into
part
security,
admission
profile
towards
mitigating
those
limitations
we
just
spoke
of,
and
now
we
will
just
come
to
the
demo,
part
of
it,
and
hopefully,
you'll
have
a
clear
picture
of
how
you
know
this
integration
happens.
So
I'm
just
gonna
quickly
stop
sharing
this
screen
and
start
sharing.
A
My
demo
screen
right
so
just
getting
the
font
size
up
to
the
Mark
here,
so
that
y'all
are
able
to
see
everything.
A
So
I
have
downloaded
all
of
these
on
my
machines
but,
like
I,
said
in
the
initial
slides,
you
are
going
to
be
able
to
download
all
of
the
manifest
that
I
am
currently
applying.
So
please
don't
worry
that
you
know
you
are
losing
art
on
something
now.
I'm
gonna
share
my
screen
all
over
again
right.
A
So
let
me
walk
you
through
what
we
are
gonna,
try
doing.
Okay,
I
say:
try
because
I'm
praying
to
the
demo
gods
that
it
whole
that
it
all
works
out.
So
the
very
first
thing
that
we're
gonna
do
is
create
a
namespace
with
extremely
restrictive
policies,
we're
not
going
to
allow
pods
to
run
as
a
root
user.
A
But
run
the
applications
within
pods
as
root
users.
That
sounds
reasonable,
but
I
am
going
to
try
to
create
a
Hello
World
app
that
has
run
that
needs
to
run
as
a
root
user
by
actually
specifying
it
in
the
yaml.
A
Now
it
will
obviously
not
allow
it
because
I
have
created
a
namespace
that
does
not
allow
for
it.
So
what
to
do
should
I
remove
the
root
user?
I,
don't
think
so.
Can
you
know
something
magically
allow
for
a
user
to
be
created
and
assigned
so
that
it
can
run
the
application
as
another
user
with
specific
permission
levels,
let's
see
because
that's
the
demo.
So
the
first
step,
like
I,
said
we
are
going
to
create
a
namespace.
A
I
will
Okay,
so
we've
created
the
namespace
I've
actually
created
it
before
so
I'm.
Really
sorry,
but
I
will
show
you
the
lab
yaml.
So
this
is
the
namespace
that
I've
created
now
right.
So
now
we
will
first
try
to
create
to
run
a
Hello,
World,
app
and
I'll.
Show
you
the
yaml
here
again
as
well,
so
that
you're
able
to
understand
what
I'm
saying.
A
So
you
want
to
run
as
user
0,
which
basically
corresponds
to
root,
so
these
two
actually
conflict
each
other
and
then
the
pods
not
created
at
all.
If
I
actually
go
ahead
and
apply
this
right
now
and
create
a
deployment
in
my
namespace.
A
It
shows
that
it's
created,
but
let's
have
a
quick
look
at
how
that's
the
case
am
I,
seeing
any
logs
am
I
able
to
just
a
second.
A
Damn
sorry
am
I
able
to
see
any
logs
nope
not
able
to
see
any
logs,
because
it's
just
a
simple
hello
world
application.
It's
not
anything
sophisticated.
So
just
a
second,
let's
see
what's
the
status
of
the
deployment,
because
I'm
sure
that
the
status
of
the
deployment
is
that
it's
not
available.
A
Right
we
saw
why
that
is
the
reason,
and
now
what
I'm
gonna
do
is
enforce
this
policy.
A
So
I
should
have
named
it
better
because
I
named
it
PSP,
but
it
is
PSA,
so
so
yeah.
So
basically
what
this
does
is
allow
the
hello
world
application
to
get
created
if
even
if
it's
run
as
any,
and
it
does
not
have
a
root
user
specified.
So
if,
if
you
just
go
ahead
and
check
this.
A
So
what
I'm
trying
to
do
is
I
do
not
have
a
root
user
specified
here
if
I
actually
ended
up,
creating
or
applying
this
right
now
without
the
policy
enabled
the
Pod
would
get
created,
but
it
would
run
into
a
container
config
Arrow,
which
is
not
what
we
want.
A
So
once
you
enforce
the
policy
and
then
apply
this
hello
world
application
thingy
without
the
root
user,
it
will
allow
you
to
create
so
yeah.
So
that
being
said,
let's
just
apply
our
create
not
create
sorry
use
a
PSP
policy.
A
This
takes
a
while
to
actually
get
created
so
not
created
rather
but
to
come
into
effect.
So
if
you
just
look
at
this,
it
will
be
in
pending
status
for
at
least
a
couple
of
minutes.
A
Like
I
said
it's
in
pending
status,
so
hopefully,
when
this
comes
into
effect,
you
will
be
able
to
see
that
the
Pod
does
get
created.
Let's
just
see
if
this
is
active.
Okay
still
not
active,
so
once
this
gets
active
I
will
be
able
to
show
you
the
actual
enforcement
of
the
policy
and
the
subsequent
creation
of
the
pod.
A
Yes,
now
it's
active
hey
so
now,
I'm
gonna
apply
the
PSA
keyboard
and
dot
yaml
in.
A
So,
like
I
said
it's
going
to
go
into
crash
loop
back
off
because
it's
just
a
simple
message,
but
yeah.
If
you
actually
see
yeah
I,
actually
forgot
to
delete
the
previous
deployment.
So
let
me
redo
it
again.
Instead
of
confusing
y'all
foreign.
A
Yeah
so
I've
deleted
the
app
right
now,
but
even
then,
if
you
apply
you've
created
the
hello
world
backup
if
it
still
ends
up
getting
into
the
CIA
so
see
so
it
goes
into
the
completed
State
and
yeah.
So
your
replica
sets
are
available.
There
is
your
deployments
will
not
be
available
because
your
board
has
completed
so,
let's
just
check
the
logs
to
see
everything's
gone
normal
because
logs
are
the
best
indication.
A
In
my
space,
so
if
you
see
like
I
said,
this
is
just
a
hello
world
application,
nothing
too
fancy,
but
it
does
show
that
you
know
this.
This
thing
has
started
and
completed
successfully,
which
is
why
the
Pod
has
come
into
complete.
Completion
status
deployments
are
not
available
and
your
applications
created
and
are
not
ready
because
again
completed.
So
that's
it
for
this
demo.
A
You
know
cubeboarding
into
a
pod
security
admission
profile,
but
to
summarize,
what
we
essentially
did
is
we
created
and
restricted
namespace
wherein
we
did
not
allow
any
application
to
runner's
route.
We
tried
deploying
an
application
to
run
as
root
via
you
know.
We
are
the
field
run
as
user.
A
We
gave
it
as
zero,
even
though,
just
above
that
statement
we
have
given
a
separate
field,
wherein
we
are
saying
rana's
non-truth
user
two
now
when
we
did
that
it
still
did
not
allow
the
port
to
get
created
or
the
deployment
to
come
into
available
status,
and
once
we
applied
the
PST
policy
wherein
we
allowed
for
a
part
to
get
created.
If
you
know
no
user
was
specified
now
we
could
have
done
that
in
the
earlier
case.
A
A
We
allow
for
that
particular
thing
to
happen
in
this
namespace
by
enforcing
the
user
PSP
policy,
and
then
we
create
a
Hello
World
app
or
recreate
it
all
over
again
by
actually
first
deleting
the
previous
deployment
and
then
by
going
ahead,
and
you
know
creating
a
deployment
wherein
we
do
not
specify
which
user
we
want
to
run
us,
so
it
allows
for
it
to
run.
We
saw
from
the
logs
and
it
gets
completed
so
after
which
you
know
the
replica
sets
are
created.
A
You
know,
the
deployments
are,
you
know
created
and
the
Pod
is
created,
which
is
not
the
case
in
the
very
first
yaml
that
we
applied
so
I
hope.
That's
a
little
bit
more
clear
now
how
we
do
the
integration
now
coming
back
to
our
presentation,
because,
unfortunately
we
have
to
go
back
right,
so
we
were
here
and
now
this
was
done
and
now
that
we've
looked
at
all
of
this
integration,
let's
check
out
some
cool
new
features
in
version
1.3.
A
So
first
up.
This
is
something
that
we're
all
extremely
proud
of
that
is
joining
the
clo
monitor
initiative,
which
is
an
initiative
that
checks,
for
you
know
the
healthiness
of
project
repositories
based
on
some
conditions.
It's
a
cncf
initiative,
so
we're
currently
rated
a
with
a
score
of
97,
which
is
pretty
good
and
it's
we
started
off
in
the
90s
like
lower
90s,
but
we're
currently,
you
know
we
currently
have
a
score
of
97.
A
So
we've
clearly
gotten
better
with
time
if
I
can
say
that
we've
also
listened
to
the
community
and
reduce
the
startup
time
for
the
policy
server.
So
that's
another
major
win
in
our
bag.
According
to
us
and
we've
bettered
our
six-store
integration
and
that's
all
thanks
to
the
Fantastic
work
done
by
all
members
of
the
cubodon
project.
A
A
Hsn's
and
smart
cards,
so
that's
a
bit
of
the
stuff
that
we've
introduced
and
a
little
proud
of,
but
we
also
have
new
policies
because
policy
engine
right
and
we
want
to
simplify
policy
as
code.
So
there
are
a
bunch
of
new
policies
that
are,
as
always,
Backward
Compatible
like
most
of
our
other
policies
except
one.
If
I'm,
you
know
not
mistaken,
so
we
have
one:
that's
that's
responsible
for
scanner
and
compliance
of
environment
variables.
A
We
have
the
volume
securing
the
volume
months
policy
and
we
have
one
that
helps
you
keep
up
with
API
deprecations
as
well,
so
yeah.
So
we
have
these
four
policies
and
we
have
also
expanded
the
scope
for
some
of
the
existing
policies.
A
Now
most
of
the
policies
were
targeting
pods
earlier
on.
We
have
wanted
the
scope
to
include
higher
level
objects
like
replica
sets,
demon
sets
jobs,
ground,
jobs,
etc,
etc,
and
there
are
drawbacks
with
each
of
them
and
you
can
use
either
or
both
it's
not
like.
There
is
a
strict.
A
You
know
rule
that
you,
you
can't
use
one
or
you
can't
use
the
other.
It's
all
upon
your
use
case,
but
with
this
expansion
of
scope,
what
we
wanted
to
do
as
a
project
was
to
give
you
the
control
as
an
administrator,
to
actually
get
the
level
of
granularity
that
you
want,
because
you
should
be
able
to
do
that
right.
You
should
be
allowed
to
actually
enforce.
A
The
level
of
granularity
that
you
deserve
customized
to
your
infrastructure.
So
that's
what
we
hope
to
do
with
this
expansion
of
scope
and
all
theories.
No
talk
is
again
very
boring.
So
I'm
going
to
go
on
to
the
second
demo
and,
like
I,
said
in
the
big
demo
before
I'll
have
to
start
sharing
my
command
line
again
so
I'm
gonna
stop
sharing
this
one.
A
All
right,
hopefully
just
a
second.
This
is
great,
so
I'm
hoping
that
you're
able
to
see
this
now.
Let
me
navigate
to
the
second
demos,
manifest
files,
so
first
off
I'm
gonna
give
you
a
summary
and
we're
again
going
to
summarize
it
at
the
end,
because
that's
that's
how
I
work
so
first
up
what
we're
gonna
do
is
yeah.
So
just
let
me
open
up
the
files
so.
A
So
we're
going
to
look
at
the
environment
variable
compliance
policy
with
this
demo,
that's
first
thing,
and
what
this
essentially
does
is
that
we
are
going
to
actually
enforce
that
if
a
resource
is
created
with
any
of
these
environment
variables,
you
actually
do
not
allow
for
the
pot
to
be
created.
You
will
get
an
error
message
with
something
that's
very
similar,
so
saying
something
very
similar
to
what
I
just
said.
But
that's
that's
the
objective.
A
Once
we
see
that
we
will
also
try
to
create
something
we'll
edit,
this
Resource
One
Dot
yaml
in
in
line,
and
we
will
then
try
to
actually
create
something
that
is
partially
fulfilling
like
some
of
it
doesn't
fulfill,
and
some
of
it
does
and
we
are
going
to
try
doing
that
in
this
one.
So
that's
so
we'll
try
to
see
if
the
environment
policies
can
actually
sorry
the
environment
variables
can
actually
comply
to
the
policy.
A
So
first
up
we
do
not
have
any
preconceived
notions
here.
So
I'm
gonna
first
just
apply
a
minimum
required
or
spot
the
environment.
Variable
policy
here
with
this
file.
A
A
So
so
we
are
going
to
see
the
other
one.
A
So
I
just
want
to
show
how
these
look
in
vs
code
so
that
it's
a
little
more
visible.
A
So
what
we
are
essentially,
let
me
just
share
my
screen
again.
What
we
are
essentially
going
to
try
to
do
is
that
we
are
going
to
create.
A
So
this
is
the
resource
that
we
are
going
to
try
to
create
right,
so
we
are
going
to
try
to
have
an
engine
nginx
deployment
with
the
environment
variables
bar
now.
A
We
have
explicitly
told
in
our
policy
or
specified
in
our
policy
that
we
do
not
want
this
to
be
created
right,
so
this
should
essentially
block
this
screen,
the
this
creation
or
the
creation
of
this
resource.
So
coming
back
to
our
command
line.
A
Yep
now
it's
active,
so
Cube
CTL
apply
f.
A
So
if
you
see
the
error
message
here,
the
resource
cannot
Define
any
of
the
environment
variables
from
the
rule
so
yeah
the
policy
worked.
But
now
we
want
to
edit
the
policy
a
slight
bit.
Okay,
now
we're
going
to
try
creating
a
resource,
firstly,
which
does
not
comply
to
this
all
right.
So
let
me
just
switch
the
share
to
our
vs
code.
You
can
edit
it
here,
but
I'd
rather
do
it
on
vs
code.
A
So
here
in
the
minimum
required
Wars
dot.
Yaml
we've
specified
these
so
I'm
now
just
going
to
have
a
environment
variable
named
future
with
value,
but
it's
just
very
simple
and
it's
easier
to
remember
and
now
we
will
go
back
to
the
command
line.
I'll
just
actually
just
share
my
entire
screen,
because
this.
A
A
A
So
that
is
what
this
demo
was
all
about,
and
now
we
are
going
to
go
back
to
our
presentation,
which
is
on
its
last
leg,
so
I'm
Gonna,
Leave
You
with
these
resources.
To
be
honest,
we
these
are
some
of
the
website
docs
or
that
I
really
find
helpful.
While
preparing
for
this
presentation
and
I
think
you
would
too,
if
you
had
to
read
or
have
it
for
any
reference.
A
The
cube
modern
website
is
here,
there's
also
the
artifact
Hub,
where
we
publish
all
our
policies
and
we
have
the
official
create
documentation
which
provides
more
details
about
the
cube
button
SDK
for
rust.
Then
we
have
the
tiny
go.
You
know
tiny
go
project
website
that
I've
linked
here,
because
we
use
their
compiler
for
go.
A
The
different
policy
project
templates
and
also
the
GitHub
issue
for
built-in
functions.
I
did
not
forget
that
so
yeah,
just
a
second,
so
oh
okay,
I
just
a
second
I'm,
really
sorry
about
that.
A
So
yeah
that's
pretty
much
all
I
had
and
yeah.
This
is
the
Swift
policy
template
if
you
all
wanted
to
see
that,
but
that's
pretty
much
all
I
had
for
today
and
I
also
wanted
to
give
a
huge
shout
out
to
where
you
can
find
us,
because
this
this
conversation
should
not
stop
here.
A
So
if
you
want
to
chat
with
us,
you
can
find
us
on
the
kubernetes
slack
on
the
cubeboarding
channel,
we're
also
there
on
Twitter
for
as
long
as
it's
up
and
we're
there
on
YouTube
too,
in
the
Rancher
YouTube
on
the
Rancher
YouTube
channel
we've,
we
frequently
make
appearances
there
as
well,
and
that's
it
thank
you
once
again
and
if
you
miss
the
supporting
material
that
I
actually
linked
to
in
the
first
couple
of
slides
here,
is
that
again
I
hope
you
made
a
note
of
it
and
yeah.