Kyverno
Kubernetes Native Policy Management
nirmata
Kyverno - Kubernetes Native Policy Management
• Why Kyverno
• How it works
• Use Cases
• Roadmap
• Q&A
What is Kyverno?
• A policy engine designed for Kubernetes
• Uses Kubernetes resources, patterns, idioms
• Familiar to Kubernetes users
Why Policies?
• Kubernetes configurations are complex to manage
across developers and operations.
• External configuration tools (Helm, Kustomize, etc.)
cannot ensure environment-specific configurations.
• Admission controllers provide a way to validate best
practices and mutate configurations.
• Policy management tools like Kyverno use admission
control and provide a way to manage “policies” and
“rules” without creating custom controllers.
Why Kyverno?
1. Declarative policies that are easy to write and manage
2. Policy results that are easy to view and process
3. Validate (audit or enforce), Mutate, and Generate
4. Support all Kubernetes resource types including CRs
5. Adopt Kubernetes patterns and practices e.g. labels and
selectors, annotations, events, ownerReferences, pod controllers, etc.
OPA or Kyverno? By Example: Require read-only filesystem
A Kyverno Policy
• Kinds
• Names (with wildcards)
• Label Selectors (with wildcards)
• Namespaces (with wildcards)
• Namespace Selector
• User Roles
• User Groups
• Usernames
How Kyverno Works
[Architecture diagram; labels: API Server, AdmissionReview request, Kyverno, Policy Cache, Validate / Mutate / Generate, AdmissionReview response, Resources, Events, Policy Reports]
A Kyverno Policy
Mutate
● JSON Patch (RFC 6902)
○ Use for precise updates
● StrategicMergePatch
○ Use for describing intent
○ Anchors for conditional logic
• “If-then-else”
• “if-not-defined”
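The three mutation styles listed above side by side, as an added example written for this page (it is not a policy from the deck or from the Kyverno policy library). The policy name, the annotation key `example.com/host-path-volume` and the choice of defaults are assumptions; the field names (`patchStrategicMerge`, `patchesJson6902`, the `+()` and `()` anchors) are Kyverno's own. Because the first two rules target `Pod`, Kyverno also auto-generates the matching rules for pod controllers (slide 14).

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: harden-pod-defaults          # hypothetical policy name
spec:
  background: false                  # mutation only applies at admission time
  rules:
    # 1. StrategicMergePatch: describe the intended end state. The +() anchor
    #    adds a field only when it is absent ("if-not-defined"), so a value the
    #    author set explicitly is never overwritten by the policy.
    - name: default-container-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name) is a conditional anchor: the patch applies to every
              # container whose name matches the wildcard, i.e. all of them.
              - (name): "*"
                securityContext:
                  +(allowPrivilegeEscalation): false
                  +(readOnlyRootFilesystem): true
    # 2. Conditional anchor as "if-then": only when the Pod declares a hostPath
    #    volume, add an annotation so the Pod shows up for operator review.
    #    Pods without a hostPath volume are left untouched.
    - name: annotate-hostpath-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(example.com/host-path-volume): "true"   # hypothetical key
          spec:
            volumes:
              - (hostPath):
                  path: "*"
    # 3. JSON Patch (RFC 6902): a precise, positional edit. The parent of the
    #    path must already exist (/spec/template/spec always does on a
    #    Deployment), and "add" on an existing member REPLACES its value,
    #    unlike the +() anchor above.
    - name: disable-sa-token-automount
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        patchesJson6902: |-
          - op: add
            path: "/spec/template/spec/automountServiceAccountToken"
            value: false
```

The practical difference to remember: a strategic merge patch with `+()` is safe to apply broadly because it fills gaps only, whereas a JSON Patch says exactly where to write and will overwrite whatever is there, so reserve it for cases where the exact position and the overwrite are both intended.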
Validate
● Overlays with patterns specify
desired state
● Matches all defined fields
● Patterns
○ * : matches zero or more characters
○ ? : matches any single character
● Operators
○ >, <, >=, <=, ! (not), | (or)
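A validate policy that ties together the match criteria from slide 7, the "require read-only filesystem" example named on slide 6, and the wildcard and operator syntax above. This is an added example written for this page, not a policy from the deck or from the Kyverno policy library; the policy name, the `team-*` namespace naming scheme and the `cluster-admin` exclusion are assumptions. Pattern semantics are Kyverno's: every field named in a pattern must exist in the resource, and a one-element list pattern is checked against every element of the list.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs-and-pinned-images   # hypothetical policy name
spec:
  # "enforce" rejects the admission request; "audit" only records a policy
  # report entry and an event (slide 5: validate (audit or enforce)).
  validationFailureAction: enforce
  # Matching or excluding by user role needs the admission request's userInfo,
  # so this policy cannot also run in background mode over existing resources.
  background: false
  rules:
    # Rule 1: every container must run with a read-only root filesystem.
    - name: require-read-only-root-filesystem
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "team-*"          # wildcard namespace match (assumed scheme)
      exclude:
        any:
          - clusterRoles:
              - cluster-admin       # user-role exclusion for break-glass changes
      validate:
        message: "All containers must set securityContext.readOnlyRootFilesystem=true."
        pattern:
          spec:
            # Applied to each container. A container that omits securityContext
            # fails the rule; it is not skipped. initContainers are not covered
            # by this pattern and would need their own entry.
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
    # Rule 2: numeric operator on a field that may be omitted. Because pattern
    # fields are required, a Deployment with no explicit replicas count
    # (API default 1) fails this rule instead of passing silently.
    - name: require-two-replicas
      match:
        any:
          - resources:
              kinds:
                - Deployment
      validate:
        message: "Deployments must declare at least 2 replicas."
        pattern:
          spec:
            replicas: ">=2"
    # Rule 3: negation combined with the "*" wildcard. Note the gap: an
    # untagged image such as "nginx" contains no ":latest" text and passes;
    # a companion rule with the pattern "*:*" would additionally require a tag.
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must not use the mutable :latest tag."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```

The `|` operator works the same way inside a quoted value, for example `imagePullPolicy: "Always | IfNotPresent"` accepts either literal. Before switching a new policy to `enforce`, run it in `audit` first and read the resulting policy reports (slide 13); that shows which existing workloads would be rejected without blocking anyone.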
Generate
● Triggers when a new
resource is created
● Useful in creating defaults
for a namespace
● Clones existing resources or
copies in-line data
● Can optionally keep data in sync across namespaces
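Both generate styles from the slide above, in-line data and cloning, in one policy that gives every new namespace secure defaults. This is an added example written for this page, not a policy from the deck or from the Kyverno policy library; the policy name, the `platform-secrets` namespace and the `regcred` secret name are assumptions. `{{request.object.metadata.name}}` is the JMESPath variable (slide 14) that reads the new namespace's name from the triggering admission request.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-defaults           # hypothetical policy name
spec:
  rules:
    # Rule 1: in-line data. Each new Namespace gets a default-deny ingress
    # NetworkPolicy, so workloads start isolated until a path is deliberately
    # opened. The trigger is the Namespace creation request.
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              names:                 # system namespaces are left alone
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        # synchronize: true keeps the generated object in step with the policy
        # and restores it if it is edited or deleted in the target namespace.
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
    # Rule 2: clone an existing resource. The registry pull secret maintained
    # in one namespace is copied into each new namespace; with synchronize the
    # copy follows changes to the source (e.g. a credential rotation).
    - name: clone-registry-credentials
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: v1
        kind: Secret
        name: regcred                  # assumed name of the source secret
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        clone:
          namespace: platform-secrets  # assumed namespace holding the source
          name: regcred
```

Generate rules run with Kyverno's own service account, not the requester's, so the controller needs RBAC permission to read the source Secret and to create NetworkPolicies and Secrets in any namespace; treat that grant as part of the policy's threat model, since it lets a policy author place cluster-wide defaults that the requesting user could not create themselves.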
Policy Reports
Advanced Features
• Anchors and operators
• Variables
– Inline policy data
– JMESPath
• External data lookups
– Config Maps
– API Calls
• Deny rules
• Auto-generation of pod controller rules
• Command Line for CI/CD and dev-test for policies
Use Cases
• Security validation and enforcement
• Fine-grained RBAC
• Multi-tenancy
• Auto-Labeling
• Sidecar (including certificate) injection with mounts, etc.
• IFTTT for Kubernetes
Pod Security
Pod Security
• What is a Pod Security Policy (PSP)?
○ Cluster resource that controls the security configuration of pods
○ Marked for deprecation in v1.21, with removal in v1.25
• A KEP is being developed to replace PSP with namespace-based
Pod Security Levels
Pod Security Levels: Privileged, Baseline, Restricted
Kyverno Policies for Pod Security
• Also based on Pod Security Levels
• Available at: https://kyverno.io/policies/pod-security/
Roadmap & Contributing
Roadmap: Major Features
1. Multiple replicas for scale and availability
2. Custom JMESPath functions
3. Javascript functions for complex validation
How can you contribute?
- Kyverno Repo - https://github.com/kyverno/kyverno
- Slack Channel - Kubernetes Slack channel #kyverno
Summary
Summary and Takeaways
1. Policies are useful in managing Kubernetes configurations
at scale
2. Kyverno is built for Kubernetes
3. Kyverno can validate (audit or enforce), mutate, and
generate configurations
4. Kyverno supports best practices for pod security and
isolation
5. Kyverno is easy to use! Install Kyverno in your clusters, try
the best practice policies, and give us feedback!
Thank You!
https://try.nirmata.io
