SlideShare une entreprise Scribd logo

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

Nico Meisenzahl
Nico Meisenzahl

In diesem Meetup möchten wir euch einen Überblick über Policy und Governance für Kubernetes geben. Hierbei gehen wir auf das Open Source Projekt Open Policy Agent Gatekeeper ein und zeigen euch wir ihr diesen nutzen könnten.

Technologie
1  sur  25
Télécharger pour lire hors ligne
Policy & Governance for Kubernetes Docker Rosenheim Meetup, June 2020
Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero, Docker Community Leader • loves Kubernetes, DevOps and Cloud © white duck GmbH 2020 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
Agenda • Cloud Governance? Why do we need it? • Governance for Kubernetes • Open Policy Agent – the foundation • OPA Gatekeeper – the Kubernetes implementation © white duck GmbH 2020
CLOUD GOVERNANCE Why do we need it? © white duck GmbH 2020
Cloud Governance … … is used to provide a set of rules that defines guidelines that can either be enforced or audited. © white duck GmbH 2020
Why do we need it? • decisions are made decentralized & taken at a rapid pace • therefore it is important to • reduce risk • control shadow IT • make it easier to manage cloud resources • reduce effort © white duck GmbH 2020
KUBERNETES GOVERNANCE Why do we need it? © white duck GmbH 2020
Governance for Kubernetes • Authorization with Role-based Access Control (RBAC) • is used to define who is allowed to do what • very granular • But: Kubernetes offers nothing to control/change the specification of resources • which is essential for successfully governing a cluster © white duck GmbH 2020
Some examples are • whitelist of trusted container registries, images or tags • required container security specifications • required labels to group resources • permit conflicting Ingress host resources • permit publicly exposed LoadBalancer services © white duck GmbH 2020
OPEN POLICY AGENT The foundation © white duck GmbH 2020
Open Policy Agent • “policy-based control for cloud native environments” • general-purpose policy engine • open-source project created by styra • CNCF project since 2018 • declarative policy language • decoupled • Golang library • REST API with sidecar or daemon © white duck GmbH 2020
© white duck GmbH 2020
Ecosystem • API and service authorization with Envoy, Kong or Traefik • Authorization policies for SQL, Kafka and others • Container Network authorization with Istio • Test policies for Terraform infrastructure changes • Polices for SSH and sudo • Policy and Governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem/ © white duck GmbH 2020
How OPA works © white duck GmbH 2020
How OPA works © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } { }
Rego • “ray-go” • inspired by Datalog with support for JSON • declarative Policy Language • ”is Nico allowed to POST a payload to /api” • Build-in functions • JWTs • date/time • Regex • … © white duck GmbH 2020 package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" }
Rego in action © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" } { }
OPA Tips • OPA binary • opa run, opa test, … • Rego Playground • https://play.openpolicyagent.org/ • VS Code plugin • management APIs • bundle API à send policies and data to OPA • status API à for observability/monitoring • log API à for receiving audit logs © white duck GmbH 2020
OPA GATEKEEPER OPA Kubernetes implementation © white duck GmbH 2020
OPA Gatekeeper • Kubernetes implementation of OPA • build by Google, Microsoft, Red Hat, and styra • based on • Open Policy Agent daemon • Kubernetes Admission Controller • Custom Resource Definitions (CRDs) • AuthZ Webhook • based on OPA Constraint Framework • can be installed with Helm or kubectl apply • https://github.com/open-policy-agent/gatekeeper © white duck GmbH 2020
How Gatekeeper works © white duck GmbH 2020 https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
How Gatekeeper works © white duck GmbH 2020
How Gatekeeper works © white duck GmbH 2020
Demos • OPA Gatekeeper in action • example rules • required label • trusted images • unique ingress hosts • auditing © white duck GmbH 2020
Questions? Slides: https://www.slideshare.net/nmeisenzahl Demos: https://gitlab.com/nico-meisenzahl/opa-gatekeeper-sample Nico Meisenzahl (Senior Cloud & DevOps Consultant) Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org © white duck GmbH 2020

Recommandé

Global Azure Virtual: Container & Kubernetes on Azure
Global Azure Virtual: Container & Kubernetes on AzureGlobal Azure Virtual: Container & Kubernetes on Azure
Global Azure Virtual: Container & Kubernetes on AzureNico Meisenzahl
 
Virtual Azure Community Day: Azure Kubernetes Service Basics
Virtual Azure Community Day: Azure Kubernetes Service BasicsVirtual Azure Community Day: Azure Kubernetes Service Basics
Virtual Azure Community Day: Azure Kubernetes Service BasicsNico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CDDevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CDNico Meisenzahl
 
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CDDevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CDNico Meisenzahl
 
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...Nico Meisenzahl
 
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
FestiveTechCalendar2021 - Have Yourself An​ Azure Container RegistryFestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
FestiveTechCalendar2021 - Have Yourself An​ Azure Container RegistryPhilip Welz
 
AzDevCom2021 - Bicep vs Terraform
AzDevCom2021 - Bicep vs TerraformAzDevCom2021 - Bicep vs Terraform
AzDevCom2021 - Bicep vs TerraformPhilip Welz
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Nico Meisenzahl
 

Recommandé

Global Azure Virtual: Container & Kubernetes on Azure
Global Azure Virtual: Container & Kubernetes on AzureGlobal Azure Virtual: Container & Kubernetes on Azure
Global Azure Virtual: Container & Kubernetes on AzureNico Meisenzahl
 
Virtual Azure Community Day: Azure Kubernetes Service Basics
Virtual Azure Community Day: Azure Kubernetes Service BasicsVirtual Azure Community Day: Azure Kubernetes Service Basics
Virtual Azure Community Day: Azure Kubernetes Service BasicsNico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CDDevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CDNico Meisenzahl
 
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CDDevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CDNico Meisenzahl
 
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...
The Future of Workflow Automation Is Now - Hassle-Free ARM Template Deploymen...Nico Meisenzahl
 
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
FestiveTechCalendar2021 - Have Yourself An​ Azure Container RegistryFestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
FestiveTechCalendar2021 - Have Yourself An​ Azure Container RegistryPhilip Welz
 
AzDevCom2021 - Bicep vs Terraform
AzDevCom2021 - Bicep vs TerraformAzDevCom2021 - Bicep vs Terraform
AzDevCom2021 - Bicep vs TerraformPhilip Welz
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Nico Meisenzahl
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?Nico Meisenzahl
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Nico Meisenzahl
 
Azure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorAzure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorNico Meisenzahl
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Nico Meisenzahl
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureAzure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureNico Meisenzahl
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDNico Meisenzahl
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl
 
GitHub Actions 101
GitHub Actions 101GitHub Actions 101
GitHub Actions 101Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Distributed Storage in the Cloud
Distributed Storage in the CloudDistributed Storage in the Cloud
Distributed Storage in the CloudAll Things Open
 
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open SourceEnhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open SourceNico Meisenzahl
 
All Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service BasicsAll Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service BasicsNico Meisenzahl
 
Journey from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetesJourney from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetesLibbySchulze
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...Nico Meisenzahl
 
Continuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesContinuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesNico Meisenzahl
 
azdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Clusterazdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes ClusterNico Meisenzahl
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon
 
Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Cloud Native Rosenheim Meetup
 
Event sourcing your React-Redux applications
Event sourcing your React-Redux applicationsEvent sourcing your React-Redux applications
Event sourcing your React-Redux applicationsMaurice De Beijer [MVP]
 
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...Red Hat Developers
 
Policy & Governance für Kubernetes
Policy & Governance für KubernetesPolicy & Governance für Kubernetes
Policy & Governance für KubernetesNico Meisenzahl
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Nico Meisenzahl
 

Contenu connexe

Tendances

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?Nico Meisenzahl
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Nico Meisenzahl
 
Azure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorAzure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorNico Meisenzahl
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Nico Meisenzahl
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureAzure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureNico Meisenzahl
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDNico Meisenzahl
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Distributed Storage in the Cloud
Distributed Storage in the CloudDistributed Storage in the Cloud
Distributed Storage in the CloudAll Things Open
 
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open SourceEnhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open SourceNico Meisenzahl
 
All Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service BasicsAll Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service BasicsNico Meisenzahl
 
Journey from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetesJourney from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetesLibbySchulze
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...Nico Meisenzahl
 
Continuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesContinuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesNico Meisenzahl
 
azdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Clusterazdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes ClusterNico Meisenzahl
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon
 
Event sourcing your React-Redux applications
Event sourcing your React-Redux applicationsEvent sourcing your React-Redux applications
Event sourcing your React-Redux applicationsMaurice De Beijer [MVP]
 
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...Red Hat Developers
 

Tendances (20)

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
 
Azure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorAzure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service Operator
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureAzure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
 
GitHub Actions 101
GitHub Actions 101GitHub Actions 101
GitHub Actions 101
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Distributed Storage in the Cloud
Distributed Storage in the CloudDistributed Storage in the Cloud
Distributed Storage in the Cloud
 
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open SourceEnhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
 
All Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service BasicsAll Things Cloud Native Meetup: Azure Kubernetes Service Basics
All Things Cloud Native Meetup: Azure Kubernetes Service Basics
 
Journey from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetesJourney from on prem to the cloud with kubernetes
Journey from on prem to the cloud with kubernetes
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
 
Continuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesContinuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack Kubernetes
 
azdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Clusterazdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Cluster
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes Service
 
Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?
 
Event sourcing your React-Redux applications
Event sourcing your React-Redux applicationsEvent sourcing your React-Redux applications
Event sourcing your React-Redux applications
 
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
Putting The 'M' In MBaaS—Red Hat Mobile Client Development Platform (Jay Balu...
 

Similaire à Docker Rosenheim Meetup: Policy & Governance for Kubernetes

Policy & Governance für Kubernetes
Policy & Governance für KubernetesPolicy & Governance für Kubernetes
Policy & Governance für KubernetesNico Meisenzahl
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Nico Meisenzahl
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...Cloud Native Rosenheim Meetup
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native WayAzure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native WayNico Meisenzahl
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
OpenFaaS 2019 Project Update
OpenFaaS 2019 Project UpdateOpenFaaS 2019 Project Update
OpenFaaS 2019 Project UpdateAlex Ellis
 
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...Philip Welz
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & SecurityNico Meisenzahl
 
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...Nico Meisenzahl
 
Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Natalia Kataoka
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service MeshRam Vennam
 
Build A Cloud Day London - Introduction
Build A Cloud Day London - IntroductionBuild A Cloud Day London - Introduction
Build A Cloud Day London - IntroductionShapeBlue
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasEffiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasNico Meisenzahl
 
OpenStack + Cloud Foundry for the OpenStack Boston Meetup
OpenStack + Cloud Foundry for the OpenStack Boston MeetupOpenStack + Cloud Foundry for the OpenStack Boston Meetup
OpenStack + Cloud Foundry for the OpenStack Boston Meetupragss
 
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco CloudDEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco CloudCisco DevNet
 
WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2
 
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891Cisco DevNet
 

Similaire à Docker Rosenheim Meetup: Policy & Governance for Kubernetes (20)

Policy & Governance für Kubernetes
Policy & Governance für KubernetesPolicy & Governance für Kubernetes
Policy & Governance für Kubernetes
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native WayAzure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
OpenFaaS 2019 Project Update
OpenFaaS 2019 Project UpdateOpenFaaS 2019 Project Update
OpenFaaS 2019 Project Update
 
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...
AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
 
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
 
Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service Mesh
 
Build A Cloud Day London - Introduction
Build A Cloud Day London - IntroductionBuild A Cloud Day London - Introduction
Build A Cloud Day London - Introduction
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasEffiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
 
OpenStack + Cloud Foundry for the OpenStack Boston Meetup
OpenStack + Cloud Foundry for the OpenStack Boston MeetupOpenStack + Cloud Foundry for the OpenStack Boston Meetup
OpenStack + Cloud Foundry for the OpenStack Boston Meetup
 
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco CloudDEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
 
WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5
 
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
 

Plus de Nico Meisenzahl

Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsCloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsNico Meisenzahl
 
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedContainer Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl
 
Festive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networkingFestive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networkingNico Meisenzahl
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesNico Meisenzahl
 
ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...Nico Meisenzahl
 
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughKCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Nico Meisenzahl
 
Die Evolution von Container Image Builds
Die Evolution von Container Image BuildsDie Evolution von Container Image Builds
Die Evolution von Container Image BuildsNico Meisenzahl
 

Plus de Nico Meisenzahl (10)

Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsCloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
 
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedContainer Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
 
Festive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networkingFestive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networking
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
 
ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
 
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughKCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
 
Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
 
Die Evolution von Container Image Builds
Die Evolution von Container Image BuildsDie Evolution von Container Image Builds
Die Evolution von Container Image Builds
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

  • 1. Policy & Governance for Kubernetes Docker Rosenheim Meetup, June 2020
  • 2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero, Docker Community Leader • loves Kubernetes, DevOps and Cloud © white duck GmbH 2020 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  • 3. Agenda • Cloud Governance? Why do we need it? • Governance for Kubernetes • Open Policy Agent – the foundation • OPA Gatekeeper – the Kubernetes implementation © white duck GmbH 2020
  • 4. CLOUD GOVERNANCE Why do we need it? © white duck GmbH 2020
  • 5. Cloud Governance … … is used to provide a set of rules that defines guidelines that can either be enforced or audited. © white duck GmbH 2020
  • 6. Why do we need it? • decisions are made decentralized & taken at a rapid pace • therefore it is important to • reduce risk • control shadow IT • make it easier to manage cloud resources • reduce effort © white duck GmbH 2020
  • 7. KUBERNETES GOVERNANCE Why do we need it? © white duck GmbH 2020
  • 8. Governance for Kubernetes • Authorization with Role-based Access Control (RBAC) • is used to define who is allowed to do what • very granular • But: Kubernetes offers nothing to control/change the specification of resources • which is essential for successfully governing a cluster © white duck GmbH 2020
  • 9. Some examples are • whitelist of trusted container registries, images or tags • required container security specifications • required labels to group resources • permit conflicting Ingress host resources • permit publicly exposed LoadBalancer services © white duck GmbH 2020
  • 10. OPEN POLICY AGENT The foundation © white duck GmbH 2020
  • 11. Open Policy Agent • “policy-based control for cloud native environments” • general-purpose policy engine • open-source project created by styra • CNCF project since 2018 • declarative policy language • decoupled • Golang library • REST API with sidecar or daemon © white duck GmbH 2020
  • 12. © white duck GmbH 2020
  • 13. Ecosystem • API and service authorization with Envoy, Kong or Traefik • Authorization policies for SQL, Kafka and others • Container Network authorization with Istio • Test policies for Terraform infrastructure changes • Polices for SSH and sudo • Policy and Governance for Kubernetes • and many more • https://www.openpolicyagent.org/docs/latest/ecosystem/ © white duck GmbH 2020
  • 14. How OPA works © white duck GmbH 2020
  • 15. How OPA works © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } { }
  • 16. Rego • “ray-go” • inspired by Datalog with support for JSON • declarative Policy Language • ”is Nico allowed to POST a payload to /api” • Build-in functions • JWTs • date/time • Regex • … © white duck GmbH 2020 package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" }
  • 17. Rego in action © white duck GmbH 2020 POST /api HTTP/1.1 Authorization: nico { “method”: “POST”, “path”: “api”, “user”: “nico” } { “allow”: “true” } package app.abac default allow = false allow { action_is_post user_is_owner } action_is_post { input.method == ”POST" } user_is_owner { input.user == "nico" } { }
  • 18. OPA Tips • OPA binary • opa run, opa test, … • Rego Playground • https://play.openpolicyagent.org/ • VS Code plugin • management APIs • bundle API à send policies and data to OPA • status API à for observability/monitoring • log API à for receiving audit logs © white duck GmbH 2020
  • 19. OPA GATEKEEPER OPA Kubernetes implementation © white duck GmbH 2020
  • 20. OPA Gatekeeper • Kubernetes implementation of OPA • build by Google, Microsoft, Red Hat, and styra • based on • Open Policy Agent daemon • Kubernetes Admission Controller • Custom Resource Definitions (CRDs) • AuthZ Webhook • based on OPA Constraint Framework • can be installed with Helm or kubectl apply • https://github.com/open-policy-agent/gatekeeper © white duck GmbH 2020
  • 21. How Gatekeeper works © white duck GmbH 2020 https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
  • 22. How Gatekeeper works © white duck GmbH 2020
  • 23. How Gatekeeper works © white duck GmbH 2020
  • 24. Demos • OPA Gatekeeper in action • example rules • required label • trusted images • unique ingress hosts • auditing © white duck GmbH 2020
  • 25. Questions? Slides: https://www.slideshare.net/nmeisenzahl Demos: https://gitlab.com/nico-meisenzahl/opa-gatekeeper-sample Nico Meisenzahl (Senior Cloud & DevOps Consultant) Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org © white duck GmbH 2020