SE Radio 634: Jim Bugwadia on Kubernetes Policy as Code
Jim Bugwadia, CEO of Nirmata and a committer to the Kyverno projects, joins host Robert Blumen for a discussion of policy-as-code and the open source Kyverno project. The discussion covers the nature of policies; policies and security; policies and compliance to standards; security scans that generate reports compared to tools that allow or deny operations at run time; Kyverno as a kubernetes service; the Kyverno helm charts; the components of Kyverno; bootstrapping a kubernetes cluster with Kyverno; installing policies; implementing policies; customizing policies; packaging and installing policies; kubernetes dynamic admission controllers; the Kyverno admission controller; securing Kyverno itself; observability of Kyverno; types of reports and messages available to cluster users. This episode is sponsored by QA Wolf.
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Robert Blumen 00:00:19 For Software Engineering Radio, this is Robert Blumen. Today I have with me Jim Bugwadia. Jim is the co-founder and CEO of Nirmata. He’s an advocate for cloud native computing best practices. He’s a chair of two working groups of the Cloud Native Computing Foundation, Kubernetes Multi-Tenancy and Kubernetes policy. And he’s a committer on the open-source Kyverno project. He’s a frequent speaker at conferences such as Cloud Native Security Con. Jim, welcome to Software Engineering Radio.
Jim Bugwadia 00:00:54 Thanks for having me, Robert. Pleasure to be here.
Robert Blumen 00:00:57 We will be talking about policy as code and Kyverno today. Before we get started, is there anything else about your background that you’d like to share with listeners?
Jim Bugwadia 00:01:08 Sure. So I’m a software engineer, still actively, of course, contributing to multiple projects. I started my career in software engineering in the telecommunication space, so building distributed systems in a very different manner than what we see today. So I worked at companies like Motorola, Bell Labs, Lucent, and now as you mentioned, focus more on cloud-native systems.
Robert Blumen 00:01:33 Great. And that’s what we will be talking about today. I know from reading the documentation that Kyverno is a policy management tool for Kubernetes. We’re going to get all into that, but let’s start high level, talking about policies. When we are talking about these kinds of policies, what are we talking about, and how are these managed policies distinct from the number of other things in the Kubernetes space that are also called policy?
Jim Bugwadia 00:02:00 Right? Yeah. So policy is quite an abstract and vague term, right? But if you kind of think about it, in our real lives, in our day-to-day work, we have policies for things like expenses and vacations and things like that, which are just written somewhere. These are documents that we share, and we all want to abide by within an organization. So similarly, if you think about what’s happened in IT in the last let’s say 10 or so years, we’ve moved from system administration to DevOps to DevSecOps. So we have more and more collaboration across different teams, different groups, that’s required. And what that brings in is as you are sharing configuration, as you’re managing these increasingly complex and large systems, you need some form of digital policy, which everybody is going to look at in the organization and abide by. And some of these policies may be because of regulatory compliance, even across the industry like PCI, HIPAA, et cetera, which are in financial systems, in healthcare, or they might be internal best practices, which are set up. But then again, in this form of policy, we’re really talking about a digital artifact, which all different collaborators can look at, can understand what that means, and know exactly how to apply that within their domains itself.
Robert Blumen 00:03:27 It might help if we could get more specific. I noticed in the documentation site for Kyverno, there’s a section which lists perhaps several dozen categories of policies. What are some of the categories of policies that are managed by Kyverno?
Jim Bugwadia 00:03:44 Yeah, great question, right. So Kyverno started life in Kubernetes within the CNCF. And as you may know, within Kubernetes, the unit of deployment and management of any workload is a pod. In Kubernetes also, all configuration is very declarative. So you tell the system how you would like it to behave, and then various controllers go off and do their job and try to bring the current state of the system to the desired state. So starting with that context, if you kind of go back to every workload: developers want to specify the configuration for their workload, so they would write several different things, and in Kubernetes declarations are in YAML format. So they would write things about how many replicas their pod might have, what types of resources their pod has, which container images the pod needs to run.
[...]