Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

Dec 20, 20210 likes59 views

Mettere in sicurezza un cluster Kubernetes richiede l'uso di diverse strategie e di strumenti per attuarle. Tra queste, i Dynamic Admission Controllers giocano un ruolo fondamentale per garantire non solo la sicurezza di un cluster, ma anche la sua compliance. Infatti tramite di essi è possibile definire, ed applicare, regole personalizzate. Nonostante molte organizzazioni riconoscano l'importanza di abbracciare la "filosofia" Policy As Code, sono purtroppo poche le realtà in cui questa metodologia viene utilizzata in ambienti di produzione. Durante questo talk mostrerò come WebAssembly, una tecnologia nata originariamente per il Web, possa essere utilizzato per implementare strategie di Policy As Code in Kubernetes. Vedremo come l'adozione di WebAssembly semplifichi il processo di creazione, mantenimento e distribuzione di queste policy.

Copyright © SUSE 2021
Kubernetes Policy As Code
usando WebAssembly
N OVE M BE R 2021
Flavio Castelli
Distinguished Engineer
SUSE

Copyright © SUSE 2021 2
Kubernetes security: biggest concerns
1%
8%
12%
17%
19%
21%
23%
Other
Secrets management
Unpatched CVE in Kubernetes distribution
Control access to the cluster
Securing container images inside CI/CD pipelines
Securing workload at runtime
Applying policies consistently
Source: “The State of Kubernetes 2021” - VMware, June 2021

Copyright © SUSE 2021
— Role Based Access Control (RBAC)
— Pod Security Policy (PSP)
— Network Policy
— Admission Controller
3
Kubernetes Policy As Code

Copyright © SUSE 2021 4
Admission Controller: overview
JSON
object
Business logic
Accept
Reject
Mutate

Copyright © SUSE 2021 5
Who is responsible for Kubernetes’ security?
27%
21%
18% 18%
15%
DevOps Ops DevSecOps Security Developer
Source: “State of Kubernetes Security” – Red Hat, June 2021

Copyright © SUSE 2021 6
Introducing Kubewarden
A policy engine for Kubernetes.
Its mission is to simplify the adoption of Policy As Code.

Copyright © SUSE 2021
Copyright © SUSE 2021 7
Feel immediately productive
Policy Authors

Copyright © SUSE 2021
Copyright © SUSE 2021 11
Leverage SDKs
Policy Authors

Copyright © SUSE 2021 13
Policy configuration

Copyright © SUSE 2021 14
Validation of Policy configuration

Copyright © SUSE 2021
Copyright © SUSE 2021 15
Treat policies as regular code
Policy Authors

Copyright © SUSE 2021 16
Reuse known tools

Copyright © SUSE 2021 17
Integrate into CI/CD systems

Copyright © SUSE 2021
Copyright © SUSE 2021 18
How is that done?

Copyright © SUSE 2021 19
What is WebAssembly?
WebAssembly
module (Wasm)

Copyright © SUSE 2021 20
What is WebAssembly?
WebAssembly
module (Wasm)
Polyglot
C
Cpp
Rust
Javascript
Go
Swift
…
…
…
…
Build

Copyright © SUSE 2021 21
What is WebAssembly?
WebAssembly
module (Wasm)
Small
Go 300 Kb
Rust 1.5 Mb

Copyright © SUSE 2021 22
What is WebAssembly?
WebAssembly
module (Wasm)
Portable
x86_64 ARM64 ...
Linux Windows macOS
Browser Wasm runtime
Run

Copyright © SUSE 2021 23
What is WebAssembly?
WebAssembly
module (Wasm)
Secure

Copyright © SUSE 2021 24
What is WebAssembly? Secure
Sandbox Sandbox
Sandbox
Host process
— Memory safety
— Control-flow integrity
— Runtime isolation
More details here

Copyright © SUSE 2021
Copyright © SUSE 2021 25
Integrate with existing processes and tools
Kubernetes Operators

Copyright © SUSE 2021 26
Policy distribution
Kubernetes Cluster
Kubernetes Cluster
Kubewarden
native
policy
OCI Registry
Container
image

Copyright © SUSE 2021 27
Observability: tracing

Copyright © SUSE 2021 28
Observability: metrics

Copyright © SUSE 2021
Copyright © SUSE 2021 29
Provide flexibility, not complexity
Kubernetes Operators,
Policy Authors

Copyright © SUSE 2021
— First Policy engine for Kubernetes
— Policies written using Rego
30
OPA and Gatekeeper
policy.rego
opa build –t wasm
policy.wasm

Copyright © SUSE 2021 31
Kubewarden: the Universal Policy Platform
Kubewarden
native
policy
OCI Registry
policy #1
Wasm runtime
policy #2
Wasm runtime
policy #3
Wasm runtime
Kubewarden Policy Server
Kubewarden
OPA
policy
Kubewarden
Gatekeeper
policy

Copyright © SUSE 2021
Copyright © SUSE 2021 32
Live Demo

Copyright © SUSE 2021
— Main website: https://kubewarden.io
— Policy Hub: https://hub.kubewarden.io
— GitHub: kubewarden organization
— Slack: "kubewarden" channel on Kubernetes workspace
— Twitter: @kubewarden
33
How to get involved

Serverless is a good pattern when it comes to saving infrastructure resources: why should you run apps when there’s nothing to do? The open source project Knative is often used to run functions as serverless apps in Kubernetes clusters. In this talk, you’ll see how to leverage Knative for Kubernetes apps, not only functions. Check out how to apply serverless patterns to an existing Spring Boot / Nodejs app (backend / frontend) with a live demo.

M.Montalbano/M.Colombo Speroni/S.Sala - Combining React and Websocket to buil...Codemotion

Sempre più spesso è presente l'esigenza di costruire applicativi dinamici, interattivi e veloci al punto tale da risultare istantanei e in grado di permettere la fruizione di informazioni aggiornate in tempo reale. Durante il talk vedremo un esempio concreto di come sia possibile creare un’applicazione production ready, basata su uno use-case che rispetti queste esigenze e sfruttando alcune delle principali tecnologie offerte dal mercato come React, Flux, WebSocket e MongoDB.

Multi-Clusters Made Easy with Liqo: Getting Rid of Your Clusters Keeping Them...KCDItaly

Many companies are experiencing a dramatic increase in the number of their Kubernetes clusters, for reasons such as geographical/legislative constraints, data/service replication, etc. However, when the number of clusters increases, the complexity of deploying apps, managing the entire multi-cluster infrastructure, and keeping its state under control, becomes rapidly an unmanageable problem. A possible solution is Liqo, an open-source project that simplifies the creation of multi-cluster topologies by replicating the Kubernetes “cattle” model also to clusters. Liqo creates a virtual cluster that spans multiple real clusters, either on-prem or managed (AKS, EKS, GKE), and instantiates the desired applications seamlessly in the appropriate cluster. This talk will discuss the potentials and roadblocks of this vision and highlight how Liqo brings multi- cluster transparency to the users.

Openstack days sv building highly available services using kubernetes (preso)Allan Naim

This document discusses Google Cloud Platform's Kubernetes and how it can be used to build highly available services. It provides an overview of Kubernetes concepts like pods, labels, replica sets, volumes, and services. It then describes how Kubernetes Cluster Federation allows deploying applications across multiple Kubernetes clusters for high availability, geographic scaling, and other benefits. It outlines how to create clusters, configure the federated control plane, add clusters to the federation, deploy federated services and backends, and perform cross-cluster service discovery.

Securing and Automating Kubernetes with KyvernoSaim Safder

Kyverno is a CNCF Sandbox Project Created by Nirmata. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. In this session Shuting Zhao and Jim Bugwadia, both of whom are Kyverno maintainers will provide an overview of Kyverno and describe how you can get started with using it.

Kubernetes SecurityKarthik Gaekwad

Kubescape single pane of glassLibbySchulze1

This webinar discusses Kubescape, an open-source Kubernetes security tool that provides a single pane of glass for monitoring and securing Kubernetes clusters. It can check for misconfigurations, vulnerabilities, RBAC issues, secrets, and network policies. The webinar demonstrates how to run Kubescape with read-only access in 3 minutes to scan a cluster. It also outlines Kubescape's capabilities for compliance monitoring, risk analysis, image scanning, and RBAC visualization. Future roadmap items include admission control, audit logging, vulnerability relevancy, and a dashboard.

Kubernetes Networking 101Kublr

Kubernetes (K8s) is a powerful, flexible and portable open source framework for distributed containerized applications delivery and management. An important part of the services provided by most Kubernetes clusters is the containers’ networking stack. In most cases and for many applications it “just works”, but this seeming simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics. This presentation accompanies the meetup and webinar where Oleg Chunikhin, CTO at Kublr, shows how Kubernetes networking stack works, describes main components, interfaces and extensibility options. What is covered: - general notions of Kubernetes networking - Pods and Network Policies - implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces - some Kubernetes CNI providers: Calico, Weave, Flanel, and Canal - K8S networking extensibility for advanced and “exotic” use-cases with Multus CNI plugin as an example

Gatekeeper: API gatewayChengHui Weng

Load Balancing in the Cloud using Nginx & KubernetesLee Calcote

Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongVietnam Open Infrastructure User Group

This document summarizes a presentation given at Vietnam OpenInfra Days 2019 about Metal3, an open source project that provides bare metal provisioning capabilities for Kubernetes. The presentation covers Metal3 architecture, deployment models, and workflow. It relies on Cluster API and the Ironic bare metal management service. The speaker demonstrates provisioning a new Kubernetes node on a simulated bare metal server using Metal3 and related projects.

Kubernetes meetup geneva june 2021SebastienSEYMARC

The document summarizes a Kubernetes meetup that took place on June 9th 2021 in Geneva. The meetup aimed to bring together Kubernetes enthusiasts to discuss the Kubernetes ecosystem, share best practices and demonstrations. The agenda included presentations from KubeCon Europe 2021 on topics like multi-cluster, security, GitOps, service mesh and machine learning. Upcoming meetups were announced for September with the goal of meeting in person. Attendees were encouraged to propose future presentation topics.

Zero-downtime deployment of Micro-services with KubernetesWojciech Barczyński

Kubernetes 1.21 releaseLibbySchulze

Kubernetes 1.21 included 51 enhancements, including 13 features graduating to stable and 15 graduating to beta. Major themes included CronJobs graduating to stable, immutable secrets and configmaps, dual-stack IPv4/IPv6 support, graceful node shutdown, and the persistent volume health monitor. The 1.22 release timeline was also outlined, with enhancements freeze on May 13th and code freeze on July 8th, targeting August 4th for release. Various SIG updates provided information on enhancements for API machinery, apps, auth, CLI, cloud providers, instrumentation, network, node, scheduling and storage.

Ultimate Guide to Microservice Architecture on Kuberneteskloia

This document provides an overview of microservice architecture on Kubernetes. It discusses: 1. Benefits of microservice architecture like independent deployability and scalability compared to monolithic applications. 2. Best practices for microservices including RESTful design, distributed configuration, client code generation, and API gateways. 3. Tools for microservices on Kubernetes including Prometheus for monitoring, Elasticsearch (ELK) stack for logging, service meshes, and event sourcing with CQRS.

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion

Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.

Managing traffic routing with istio and envoy workshopOpsta

Breaking tradition the future of package management with kubernetesLibbySchulze

This document discusses the future of package management for Kubernetes applications. It envisions declarative Kubernetes APIs that enable automated updates of packaged software. Packages would be distributed as immutable bundles in OCI registries so the exact software versions are known. A layered approach is proposed where different tools can be used for their intended purpose, such as using Kubernetes resources, YAML, or the kapp CLI. The imgpkg CLI is demonstrated as a tool for pushing, copying, and pulling bundles stored in OCI registries. The document encourages readers to help build the future of package management through the Carvel project.

DCSF19 Kubernetes Security with OPA Docker, Inc.

The document discusses using Open Policy Agent (OPA) to enforce guardrails and security policies in Kubernetes clusters. It provides examples of sample policies for OPA that restrict which image registries pods can use and prevent conflicting ingress hosts. It also summarizes key features of OPA such as its declarative policy language, sidecar deployment model, and community support from many major companies using it for admission control, authorization, risk management and other use cases.

Kubernetes: від знайомства до використання у CI/CDStfalcon Meetups

Kubernetes: від знайомства до використання у CI/CD Олександр Занічковський Technical Lead у компанії SoftServe 14+ років досвіду розробки різноманітного програмного забезпечення, як для десктопа, так і для веб Працював фріланс-програмістом та в команді Цікавиться архітектурою ПЗ, автоматизацією процесів інтеграції та доставки нових версій продукту, хмарними технологіями Віднедавна займається менторінгом майбутніх техлідів У вільний від роботи час грає на гітарі і мріє про велику сцену Олександр поділиться власним досвідом роботи з Kubernetes: ознайомить з базовими поняттями та примітивами K8S опише можливі сценарії використання Kubernetes для CI/CD на прикладі GitLab покаже, як можна використовувати постійне сховище, збирати метрики контейнерів, використовувати Ingress для роутинга запитів за певними правилами покаже, як можна самому встановити K8S для ознайомлення чи локальної роботи

Kubernetes Securityinovex GmbH

This document discusses how to secure a Kubernetes platform. It covers setting up authentication and authorization using RBAC and certificates. It also discusses implementing network policies and pod security policies to restrict traffic and resources. Additional topics include integrating Vault for secrets management and using admission controllers and auditing to intercept and modify API requests for security purposes.

MongoDB.local DC 2018: MongoDB Ops Manager + KubernetesMongoDB

MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.

From Code to KubernetesDaniel Oliveira Filho

Slides from the talk given to the Startup Berlin Slack Group that demonstrates how TruckIN is implementing its continuous delivery workflow using technologies and open-source tools. Topics that are covered: Automated Cloud Provisioning (Network, Subnets, VMs, Kubernetes Cluster, Firewall, Disks, Credentials, Private Docker Registry); Configuration Management (Salt Stack), Continuous Integration (Jenkins CI), Continuous Delivery/Deployment (Salt API/Reactor + Kubernetes) to a Google Cloud Kubernetes Cluster, Remote Application Debugging, Managing Google Cloud Kubernetes Cluster, Logging, Monitoring and ChatOps (Slack and operable.io)

Operatorhub.io and your Kubernetes cluster | DevNation Tech TalkRed Hat Developers

The document discusses Kubernetes operators and the Operator Lifecycle Manager. Operators are automated software managers that manage the entire lifecycle of Kubernetes applications. The Operator Lifecycle Manager allows publishing and subscribing to operators from an Operator Hub, which provides a catalog of community and commercial operators that can easily be installed and managed. Operators improve time to value, reduce upgrade risks, and provide cloud-like services on Kubernetes.

MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB

Presented by: Jason Mimick Technical Director, MongoDB MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.

Azure dev ops_demoAbhishek Sahu

Google Cloud Platform and KubernetesKasper Nissen

The document provides an overview of cloud platforms and Kubernetes. It introduces cloud computing concepts like virtualization, deployment models, and service models. It then discusses Kubernetes, including concepts like pods, services, labels, replica sets, and deployments. It demonstrates how Kubernetes manages and scales containers across nodes and provides a demo of Kubernetes on a Raspberry Pi cluster and Google Container Engine.

KubeCon EU 2016: ITNW (If This Now What): Orchestrating an EnterpriseKubeAcademy

With growing demand for containers in the enterprise, build pipelines are a bottleneck to success. Traditional workflows can't release application candidates quickly enough to fulfill demand. With over 400 development teams across many different business units, Pearson had to move away from massive installs of traditional build pipeline tools and rethink the entire concept. In this talk we'll demonstrate how we have built in security compliance, performance testing, quality assurance, abstracted away complexity, reduced overhead, aim to recover 10% of developers time and turned build tools into cattle. This represents the story to date of an in-flight engineering project to modernise the digital estate of a global enterprise organisation and how scale of the operation is leading us to challenge many established beliefs. Attendees will walk away with everything from workflows to code which they can use to get started in their own endeavors. Sched Link:

Presentation de NeuVector 5.0SUSE

Rancher Rodeo 13 mai 2022SUSE

More Related Content

What's hot (20)

Gatekeeper: API gatewayChengHui Weng

Load Balancing in the Cloud using Nginx & KubernetesLee Calcote

Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongVietnam Open Infrastructure User Group

Kubernetes meetup geneva june 2021SebastienSEYMARC

Zero-downtime deployment of Micro-services with KubernetesWojciech Barczyński

Kubernetes 1.21 releaseLibbySchulze

Ultimate Guide to Microservice Architecture on Kuberneteskloia

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion

Managing traffic routing with istio and envoy workshopOpsta

Breaking tradition the future of package management with kubernetesLibbySchulze

DCSF19 Kubernetes Security with OPA Docker, Inc.

Kubernetes: від знайомства до використання у CI/CDStfalcon Meetups

Kubernetes Securityinovex GmbH

MongoDB.local DC 2018: MongoDB Ops Manager + KubernetesMongoDB

From Code to KubernetesDaniel Oliveira Filho

Operatorhub.io and your Kubernetes cluster | DevNation Tech TalkRed Hat Developers

MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB

Azure dev ops_demoAbhishek Sahu

Google Cloud Platform and KubernetesKasper Nissen

KubeCon EU 2016: ITNW (If This Now What): Orchestrating an EnterpriseKubeAcademy

Gatekeeper: API gatewayChengHui Weng

Load Balancing in the Cloud using Nginx & KubernetesLee Calcote

Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongVietnam Open Infrastructure User Group

Kubernetes meetup geneva june 2021SebastienSEYMARC

Zero-downtime deployment of Micro-services with KubernetesWojciech Barczyński

Kubernetes 1.21 releaseLibbySchulze

Ultimate Guide to Microservice Architecture on Kuberneteskloia

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion

Managing traffic routing with istio and envoy workshopOpsta

Breaking tradition the future of package management with kubernetesLibbySchulze

DCSF19 Kubernetes Security with OPA Docker, Inc.

Kubernetes: від знайомства до використання у CI/CDStfalcon Meetups

Kubernetes Securityinovex GmbH

MongoDB.local DC 2018: MongoDB Ops Manager + KubernetesMongoDB

From Code to KubernetesDaniel Oliveira Filho

Operatorhub.io and your Kubernetes cluster | DevNation Tech TalkRed Hat Developers

MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB

Azure dev ops_demoAbhishek Sahu

Google Cloud Platform and KubernetesKasper Nissen

KubeCon EU 2016: ITNW (If This Now What): Orchestrating an EnterpriseKubeAcademy

Similar to Kubernetes Policy As Code usando WebAssembly | Flavio Castelli (20)

Presentation de NeuVector 5.0SUSE

Rancher Rodeo 13 mai 2022SUSE

Rancher RodeoSUSE

Rancher Rodéo FranceSUSE

Lancement HarvesterSUSE

Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.

This session covers the solution addressing the needs of enabling product-grade containerized applications. You will learn how operations teams running containerized applications in a shared infrastructure can define and enforce policies to provide security, monitoring, and performance for network, storage, and computing. You will learn about Contiv and Mantl, open source projects that create a framework for cloud native application development and infrastructure with application intent and operational policies. Contiv integrates Cisco infrastructure (UCS, Nexus, and ACI) with Docker Datacenter to help enterprises adopt containers at a larger scale.

Innovate everywhere - SUSE edgeSUSE

Microservices and containers networking: Contiv, an industry leading open sou...Codemotion

This document summarizes a presentation about Contiv, an open source container networking solution. It introduces Contiv as a way to define and enforce network policies across infrastructure to integrate application intent with operational intent. Key features of Contiv highlighted include providing container networking for schedulers like Kubernetes and Docker, distributed policy enforcement, integration with physical infrastructure, and supporting rich network policies, tenants, and microservices. The presentation concludes with a demo of Contiv's network isolation and policy capabilities.

Code Factory avec GitLab CI et RancherSUSE

Rancher et Kubernetes sont le moteur de la majorité des applications modernes en production. Mais la chaine d'automatisation permettant de livrer du code l'esprit léger commence bien plus en amont grace à un outillage Open Source. Au programme : - Commit Code : Avec Gitlab et les outils de collaboration - Build Image : Toujours plus de fiabilité avec les images SLE Base Container Image - Store in Registry : Archivage et scan de vulnérabilité avec Harbor - Test & Go : Livraison en continue avec le mode GitOps et Rancher Fleet

Code Factory avec GitLab CI et RancherSUSE

This document discusses SUSE and Rancher integration and continuous integration. It provides an overview of SUSE's portfolio, defines continuous integration, and describes the components involved. It then demonstrates a code assembly pipeline where code is committed, built into a container image, pushed to a registry, deployed to a Kubernetes cluster, and tested. The pipeline is triggered by code commits and managed by GitLab.

So you think you know SUSE?Kangaroot

We all love the chameleon, and SUSE is long known for its Linux OS - but there is so much more in the world of SUSE. In this session Jurriën will dive into how SUSE is helping organizations accelerate their digital transformation through container management, hybrid cloud IT infrastructure, and IT operations at the Edge. Because from core, to cloud, to Edge, SUSE is helping firms to innovate everywhere.

Aquarium introduction-asia-summit-2021Alex Lau

Microservices and containers networking: Contiv, an industry leading open sou...Codemotion

Intro to kubernetesElad Hirsch

Kubernetes for the VI AdminKendrick Coleman

This document provides an overview of Kubernetes and how it compares to VMware technologies. It begins with an analogy that containers are to operating systems what virtual machines are to server hardware. It then discusses how Kubernetes orchestrates multiple containers across nodes by splitting applications into smaller services. The remainder of the document discusses key Kubernetes concepts like pods, replica sets, deployments and services. It provides a mapping of how Kubernetes concepts compare to VMware concepts like vCenter and vSphere hosts. It also discusses considerations for installing Kubernetes and operating it at scale.

Igalia and WebKit: Status update and plansIgalia

Episode 2: Deploying Kubernetes at ScaleMesosphere Inc.

Learn about the challenges the come with deploying and operating Kubernetes at scale and how the Mesosphere DC/OS Kubernetes integration helps solve them. During this presentation, Joerg Schad discusses: 1. Common challenges associated with getting a Kubernetes cluster up and running 2. The basics of running Kubernetes on Mesosphere DC/OS 3. How failure recovery works with the DC/OS-Kubernetes solution

컨테이너 및 서버리스를 위한 효율적인 CI/CD 아키텍처 구성하기 - 현창훈 데브옵스 엔지니어, Flex / 송주영 데브옵스 엔지니어, W...Amazon Web Services Korea

최근에 컨테이너 및 서버리스 환경의 지속적 통합 및 배포 (CI/CD)에 대한 관심이 늘어나고 있습니다. 본 세션에서는 Amazon EKS를 기반한 효율적인 CI/CD를 구축하기 위해, Statefulset으로 Jenkins/Argocd로 배포 시간 단축 및 기능별 브랜치로 테스트 인프라 구성사례를 소개합니다. DevOpsArt의 오픈소스 프로젝트 중 하나인 klocusts는 로드테스팅 도구인 Locust 를 쉽게 관리하기 위한 도구입니다. 이를 통해 EKS 기반 Fargate 활용사례도 같이 알아봅니다.

PKS: The What and How of Enterprise-Grade KubernetesVMware Tanzu

SpringOne Platform 2017 Cornelia Davis, Pivotal; Fred Melo, Pivotal Because of its well thought out and powerful abstractions, robust and cloud-native architecture, and the vibrant community around it, the use of Kubernetes for containerized workloads has surged. And while Kubernetes is theoretically ready to run applications in production, the actual viability is highly dependent on how Kubernetes itself is managed. In this session Cornelia and Fred will cover role of the container orchestration system in your IT landscape, and they’ll dive under the covers to show how it provides the enterprise-class Kubernetes services you need to trust your most critical workloads to it. Yes, technical details revealed!

Security for cloud native workloadsRuncy Oommen

Runcy Oommen discusses security for cloud native workloads and containers. Some key points include: 1) The shared responsibility model where cloud providers and customers both have responsibilities for security. 2) Securing the container lifecycle from build to deploy to run through measures like limiting access, resource management, and network segmentation. 3) Kubernetes security improvements such as disabling anonymous authentication, configuring admission controllers, pod security policies, enabling RBAC, and using network policies.

Presentation de NeuVector 5.0SUSE

Rancher Rodeo 13 mai 2022SUSE

Rancher RodeoSUSE

Rancher Rodéo FranceSUSE

Lancement HarvesterSUSE

Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.

Innovate everywhere - SUSE edgeSUSE

Microservices and containers networking: Contiv, an industry leading open sou...Codemotion

Code Factory avec GitLab CI et RancherSUSE

So you think you know SUSE?Kangaroot

Aquarium introduction-asia-summit-2021Alex Lau

Microservices and containers networking: Contiv, an industry leading open sou...Codemotion

Intro to kubernetesElad Hirsch

Kubernetes for the VI AdminKendrick Coleman

Igalia and WebKit: Status update and plansIgalia

Episode 2: Deploying Kubernetes at ScaleMesosphere Inc.

컨테이너 및 서버리스를 위한 효율적인 CI/CD 아키텍처 구성하기 - 현창훈 데브옵스 엔지니어, Flex / 송주영 데브옵스 엔지니어, W...Amazon Web Services Korea

PKS: The What and How of Enterprise-Grade KubernetesVMware Tanzu

Security for cloud native workloadsRuncy Oommen

Recently uploaded (20)

UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPathCommunity

Join this UiPath Community Berlin meetup to explore the Orchestrator API, Swagger interface, and the Test Manager API. Learn how to leverage these tools to streamline automation, enhance testing, and integrate more efficiently with UiPath. Perfect for developers, testers, and automation enthusiasts! 📕 Agenda Welcome & Introductions Orchestrator API Overview Exploring the Swagger Interface Test Manager API Highlights Streamlining Automation & Testing with APIs (Demo) Q&A and Open Discussion Perfect for developers, testers, and automation enthusiasts! 👉 Join our UiPath Community Berlin chapter: https://community.uipath.com/berlin/ This session streamed live on April 29, 2025, 18:00 CET. Check out all our upcoming UiPath Community sessions at https://community.uipath.com/events/.

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025 https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/ Is AI just another technology, or does it fundamentally change the way we live and think? Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater. At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts. At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Procurement Insights Cost To Value Guide.pptxJon Hansen

HCL Nomad Web – Best Practices and Managing Multiuser Environmentspanagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-nomad-web-best-practices-and-managing-multiuser-environments/ HCL Nomad Web is heralded as the next generation of the HCL Notes client, offering numerous advantages such as eliminating the need for packaging, distribution, and installation. Nomad Web client upgrades will be installed “automatically” in the background. This significantly reduces the administrative footprint compared to traditional HCL Notes clients. However, troubleshooting issues in Nomad Web present unique challenges compared to the Notes client. Join Christoph and Marc as they demonstrate how to simplify the troubleshooting process in HCL Nomad Web, ensuring a smoother and more efficient user experience. In this webinar, we will explore effective strategies for diagnosing and resolving common problems in HCL Nomad Web, including - Accessing the console - Locating and interpreting log files - Accessing the data folder within the browser’s cache (using OPFS) - Understand the difference between single- and multi-user scenarios - Utilizing Client Clocking

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Splunk Security Update | Public Sector Summit Germany 2025Splunk

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Build Your Own Copilot & Agents For DevsBrian McKeiver

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Spark is a powerhouse for large datasets, but when it comes to smaller data workloads, its overhead can sometimes slow things down. What if you could achieve high performance and efficiency without the need for Spark? At S&P Global Commodity Insights, having a complete view of global energy and commodities markets enables customers to make data-driven decisions with confidence and create long-term, sustainable value. 🌍 Explore delta-rs + CDC and how these open-source innovations power lightweight, high-performance data applications beyond Spark! 🚀

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

ThousandEyes Partner Innovation Updates for May 2025ThousandEyes

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Building 10x Organizations with Modern Productivity Metrics 10x developers may be a myth, but 10x organizations are very real, as proven by the influential study performed in the 1980s, ‘The Coding War Games.’ Right now, here in early 2025, we seem to be experiencing YAPP (Yet Another Productivity Philosophy), and that philosophy is converging on developer experience. It seems that with every new method we invent for the delivery of products, whether physical or virtual, we reinvent productivity philosophies to go alongside them. But which of these approaches actually work? DORA? SPACE? DevEx? What should we invest in and create urgency behind today, so that we don’t find ourselves having the same discussion again in a decade?

Mobile App Development Company in Saudi ArabiaSteve Jonas

EmizenTech is a globally recognized software development company, proudly serving businesses since 2013. With over 11+ years of industry experience and a team of 200+ skilled professionals, we have successfully delivered 1200+ projects across various sectors. As a leading Mobile App Development Company In Saudi Arabia we offer end-to-end solutions for iOS, Android, and cross-platform applications. Our apps are known for their user-friendly interfaces, scalability, high performance, and strong security features. We tailor each mobile application to meet the unique needs of different industries, ensuring a seamless user experience. EmizenTech is committed to turning your vision into a powerful digital product that drives growth, innovation, and long-term success in the competitive mobile landscape of Saudi Arabia.

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPathCommunity

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Procurement Insights Cost To Value Guide.pptxJon Hansen

HCL Nomad Web – Best Practices and Managing Multiuser Environmentspanagenda

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Splunk Security Update | Public Sector Summit Germany 2025Splunk

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Build Your Own Copilot & Agents For DevsBrian McKeiver

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

ThousandEyes Partner Innovation Updates for May 2025ThousandEyes

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Mobile App Development Company in Saudi ArabiaSteve Jonas

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

2. Copyright © SUSE 2021 2 Kubernetes security: biggest concerns 1% 8% 12% 17% 19% 21% 23% Other Secrets management Unpatched CVE in Kubernetes distribution Control access to the cluster Securing container images inside CI/CD pipelines Securing workload at runtime Applying policies consistently Source: “The State of Kubernetes 2021” - VMware, June 2021

31. Copyright © SUSE 2021 31 Kubewarden: the Universal Policy Platform Kubewarden native policy OCI Registry policy #1 Wasm runtime policy #2 Wasm runtime policy #3 Wasm runtime Kubewarden Policy Server Kubewarden OPA policy Kubewarden Gatekeeper policy

33. Copyright © SUSE 2021 — Main website: https://kubewarden.io — Policy Hub: https://hub.kubewarden.io — GitHub: kubewarden organization — Slack: "kubewarden" channel on Kubernetes workspace — Twitter: @kubewarden 33 How to get involved

34. Copyright © SUSE 2021 Thank You S E P T E M BE R 2021 © 2020 SUSE LLC. All Rights Reserved. SUSE and the SUSE logo are registeredtrademarks of SUSE LLCin the UnitedStates and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada) Maxfeldstrasse 5 90409 Nuremberg www.suse.com

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

Recommended

More Related Content

What's hot (20)

Similar to Kubernetes Policy As Code usando WebAssembly | Flavio Castelli (20)

Recently uploaded (20)

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli