Enable Fine-grained Pod Security Admission in Kyverno
Liang Deng

What is Kyverno
- A K8s native policy engine, CNCF incubating project
- Make policies easy to write and manage
- Make policy results easy to process
- Validate (audit or enforce), Mutate, Generate, VerifyImages
- Support all Kubernetes types including Custom Resources
- Use Kubernetes patterns and practices (e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc.)
Kyverno simplifies K8s policy management!

Fast growing community
- 5.5K+ GitHub Stars
- 330+ contributors
- 3100+ Slack members

What is PSA
The Kubernetes Pod Security Standards (PSS) define different isolation levels for Pods. Kubernetes offers a built-in Pod Security Admission (PSA) to enforce the Pod Security Standards.
Shortcomings of PSA: it cannot provide fine-grained controls, such as allowing a user to apply the Restricted PSS to the selected namespaces test and staging but skip checking the Capabilities control for pods running ghcr.io/example/nginx:1.2.3.
Kyverno not only integrates PSA but also implements fine-grained PSA.

Integrate pod security admission
Blog: Securing Services Meshes Easier with Kyverno

Implementing Fine-Grained PSA
- Refactored the PSA library and submitted a PR to Kubernetes, and finally integrated it with Kyverno.
- Contributing code to Kubernetes is a challenging and lengthy process.

Kyverno Top Use Cases
- Command Line Checks
- In-cluster
- CI/CD pipelines
- Admission Control & Background Scans

Join the Kyverno community
- The Kyverno docs & samples: https://kyverno.io
- Slack Channel: https://slack.k8s.io/#kyverno
- Weekly meetings: https:/

Thanks
Thank you for listening. Thanks to my mentor Shuting Zhao, the Kyverno Community and The Linux Foundation.
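The fine-grained case the slides describe (Restricted PSS on the test and staging namespaces, with the Capabilities control skipped only for pods running ghcr.io/example/nginx:1.2.3) written as a Kyverno ClusterPolicy using the validate.podSecurity rule type. This is an added example, not a policy from the talk or from the Kyverno project; the policy and rule names are made-up placeholders.

```yaml
# Added example: fine-grained PSA via Kyverno's podSecurity validate rule.
# Every other Restricted control still applies to every pod in both namespaces;
# only the Capabilities check is relaxed, and only for the one listed image.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restricted-psa-fine-grained   # placeholder name
spec:
  # Enforce blocks non-compliant pods at admission; use Audit to observe first.
  validationFailureAction: Enforce
  # Also report existing pods that violate the profile (background scans).
  background: true
  rules:
    - name: restricted-except-capabilities-for-nginx   # placeholder name
      match:
        any:
          - resources:
              kinds:
                - Pod
              # Scope the profile to the selected namespaces only.
              namespaces:
                - test
                - staging
      validate:
        podSecurity:
          # Pod Security Standard level to apply.
          level: restricted
          # Evaluate against the latest PSS version known to Kyverno.
          version: latest
          exclude:
            # Skip the Capabilities control, but only for containers
            # running exactly this image; all other images are still checked.
            - controlName: Capabilities
              images:
                - ghcr.io/example/nginx:1.2.3
```

Built-in PSA cannot express the per-image exemption, so the same outcome there would require dropping the whole namespace to a weaker profile; here the exemption stays narrow and visible in the policy.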