Presenters

Source

Unlocking the Power of Open Source Policy in Kubernetes: A Journey from Curiosity to Control 🚀

Ever felt like Kubernetes policies are a bit of a black box? You’re not alone! Our speaker, a Developer Advocate at a European cloud provider specializing in cloud-native infrastructure as code and developer experience, loves to make complex tech accessible. And today, they’re taking us on an exciting journey into the world of open-source Kubernetes policy management.

From a Lockdown Idea to a Policy Revolution 💡

It all started in 2020, during lockdown. Our speaker, intrigued by the elegance of Kubernetes and containers, wondered how to bring structure and control to this dynamic environment. What began as a “little seed” of an idea blossomed into a passion for making complex technologies useful and accessible. This wasn’t just a fleeting thought; it was the beginning of a great adventure!

This journey wasn’t entirely new. Years ago, while working in the automotive industry, our speaker was developing and deploying microservices for connected autonomous vehicles. They dove headfirst into a world of concepts that were familiar yet excitingly new. Tools like Prometheus, Grafana, Velero, and Kube-bench became essential companions on this “amazing adventure.” Even though the technology was nascent back then, the drive to understand and master it was immense. This led to countless nights spent reading, writing, and even publishing a book on the subject – a testament to their dedication!

Fast forward to 2022, a message arrived: “Hey, what’s up? Experience with Kiveno?” The technology had evolved significantly, and the challenge was accepted. This brings us to the core of our discussion: open-source native policy.

What Exactly is Open Source Native Policy? 🤔

Let’s be honest, the term itself doesn’t immediately paint a clear picture. But imagine this: magic!

  • Magic Resources: Creating, labeling, and securing secrets and namespaces.
  • Magic Deletion: Effortlessly removing resources.
  • Magic Verification: Checking container image signatures.
  • Magic Policy: Defining rules in YAML manifests.

This “magic” is powered by controllers that run in the background, ensuring everything is in order. At its heart, it involves an API server that identifies users, checks their permissions, and then, if all is well, sends the request to the policy engine. This engine then examines existing policies and applies relevant rules to the new request.

The Building Blocks: Rules and Policies 🛠️

Kubernetes policies come in several flavors, each designed to address specific needs:

  • Validation Rules: These ensure that resources conform to predefined standards. Think of them as gatekeepers, checking if your YAML manifests meet the requirements before they’re applied. They can also be set to audit mode, allowing you to report on potential violations without blocking them outright.

    • Use Cases:
      • Enforcing resource limits (CPU, memory) for containers.
      • Denying resources from public container registries.
      • Ensuring specific labels are applied to resources.
      • Defining failure actions when rules aren’t met.

  • Mutation Rules: These allow you to modify resources before they’re applied to the cluster. This is incredibly powerful for standardizing configurations.

    • Use Cases:
      • Adding or editing memory and CPU requests/limits for containers.
      • Modifying existing resources, like changing the version or kind of a resource (though this requires careful consideration).
      • Adding image pull secrets.
      • Adding selectors to affinity and anti-affinity rules.
      • Adding annotations for ingress or external load balancers.

  • Generation Rules: This is where you can create new resources based on templates defined within a policy.

    • Use Cases:
      • Creating a copy of a secret when a new namespace is created – super useful for ensuring consistent access controls!
      • Synchronizing resources, meaning if you update one, a related resource is automatically updated too.
      • Creating limit resources or horizontal pod autoscalers.
      • Cloning secrets from a “test” namespace to any newly created namespace.

Real-World Applications and Best Practices ✨

These policies aren’t just theoretical. Let’s look at how they can be applied:

  • Cluster Policy Example: Imagine a cluster policy that adds an image pull secret for images from a specific registry. Or one that adds labels to both new and existing pods. The ability to mutate existing resources is a game-changer!

  • Destructive Deletion: While it sounds intense, this feature is invaluable for cleanup.

    • Good Practice: Enable audit mode first to see what would be deleted.
    • Use Cases:
      • Deleting completed or failed jobs older than a day.
      • Deleting ingress resources or replications that are no longer needed.
      • Deleting pods older than a specific time.

  • Time-to-Live (TTL) for Resources: You can define policies to automatically delete resources after a certain period. For example, deleting specific jobs or pods after a week.

  • Software Supply Chain Security: This is a critical area where policies shine.

    • Image Verification: Ensure that container images are verified with digests, which are more secure than tags.
    • Mutation for Security: Mutate images to use digests, preventing the use of potentially compromised images.
    • Best Practice: Activate edit mode before applying policies to verify images and check for known vulnerabilities (SBOMs).

The Future is Open and Encouraging 🌐

Our speaker’s journey is a testament to the power of curiosity and the beauty of open-source contributions. They’ve created a new way of explaining complex technical concepts, making them accessible and inspiring others.

The core message? Encourage your own imagination! Don’t be afraid to explore, experiment, and contribute. The world of Kubernetes policy is vast and full of potential.

Key Takeaways:

  • Open-source native policy in Kubernetes offers powerful ways to manage and secure your clusters.
  • Policies can validate, mutate, and even generate resources, providing fine-grained control.
  • Tools like Kiveno are evolving, with migration paths to ensure existing policies remain compatible.
  • Prioritize security by verifying container images and using digests.
  • Embrace experimentation and contribute to the open-source community!

The speaker has a book coming out and will be hosting sessions on November 10th and 12th. Don’t miss the opportunity to dive deeper into this fascinating topic!

Appendix