Ensuring Success with Kyverno in Production: What You Must Know
Shuting Zhao, Nirmata

About Me
Shuting Zhao, Nirmata
Kyverno Maintainer
Staff E

Kyverno
Kyverno means "govern" in Greek
Cloud Native Policy Management
CNCF incubating project
Fast growing community: 5.5K+ GitHub stars, 3100+ Slack members

Cloud Native Policy Management
Policy as Code lifecycle: Develop, Distribute, Enforce, Observe, Manage

Develop:
- Low-code policies
- Easy to develop and test for Kubernetes admins and users
- Addresses use cases across validation, mutation, generation, cleanup, image verification
- JMESPath, CEL, and all features for complex logic

Distribute:
- Use Kubernetes APIs to deploy and manage
- Works with any Kubernetes management tool
- Use kubectl, Kustomize, etc.
- Use GitOps workflows

Enforce:
- Enforce in CI/CD pipelines
- Enforce at admission controls
- Enforce via background scans

Observe:
- Policy reporting via Kubernetes APIs
- Policy events
- Policy metrics
- Engine health and metrics

Manage:
- Flexible rollout for policies
- Policy exceptions
- Remediation
- Scalable enforcement

Use case: Pod Security
- Single cluster-wide policy
- Extends Pod Security Admission
- Enforce namespace labels
- Flexible exception management
- Disallow privilege escalation

Use case: Sidecar Injection

Use case: Multi-tenancy
- Auto-generate RoleBinding

Software Supply Chain Security
Admission flow diagram labels: kube-apiserver, etcd, Admission Review, Policies, bad im
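As an added example (not a slide from this deck), the Pod Security use case expressed as one cluster-wide Kyverno ClusterPolicy that rejects containers allowing privilege escalation, paired with a PolicyException that scopes a narrow carve-out; the policy name, exception name and the legacy-monitoring namespace are assumptions.

```yaml
# Added example: single cluster-wide policy extending Pod Security Admission.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation   # assumed name
spec:
  validationFailureAction: Enforce      # reject at admission; Audit would only report
  background: true                      # also scan existing Pods into PolicyReports
  rules:
    - name: privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privilege escalation is disallowed. Every container must set
          securityContext.allowPrivilegeEscalation to false.
        pattern:
          spec:
            # =(...) means: if this list is present, every entry must match.
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
---
# Exception management: exempt one namespace from one rule, not the whole policy.
# PolicyExceptions must be enabled in the Kyverno deployment and are namespaced;
# the namespace below is whatever the installation designates for exceptions.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-agent-exception          # assumed name
  namespace: kyverno
spec:
  exceptions:
    - policyName: disallow-privilege-escalation
      ruleNames:
        - privilege-escalation
  match:
    any:
      - resources:
          kinds:
            - Pod
          namespaces:
            - legacy-monitoring           # assumed namespace
```

Because the exception is its own object, it shows up in reports and audit trails separately from the policy, which is what keeps the carve-out reviewable.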