Details

We are back with a series focusing on Cloud Native security. In the first event we will discuss workload identities using the SPIFFE standard (and the SPIRE reference implementation) and the Kyverno policy engine.

Secure Production Identity Framework for Everyone, Zsolt Varga

Software development and production environments have become more complex and dynamic in recent years with the emergence of microservices architecture, Kubernetes and container technologies in general. Establishing trust between the many components within an environment is a great challenge for developers, operations and security teams. We'll talk about SPIFFE concepts and touch on how the reference implementation, called SPIRE, works. SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. SPIRE is a production-ready implementation of the SPIFFE standards that performs node and workload attestation in order to securely issue SVIDs to workloads, and to verify the SVIDs of other workloads, based on a predefined set of conditions.

What you will learn:

  • Understand SPIFFE concepts
  • What is SPIRE and how it works

Kyverno - policy enforcement, Lajos Papp

  • Hey, why didn't you put a readinessProbe on the deployment?
  • Hey, why didn't you add a resource request and limit to your pod?
  • Why are you using "latest" container image?

Instead of letting developers sign off on rules they should follow, let's create a programmatic way of checking all those rules. Even better: how about adding missing configuration when it has meaningful defaults?

Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. Kyverno policies can validate, mutate, and generate Kubernetes resources.
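As an added illustration (not part of the event description and not a policy shipped by the Kyverno project), the three review questions above can be expressed as one Kyverno ClusterPolicy: three validate rules that reject a Pod with no readiness probe, with missing CPU/memory requests and limits, or with a "latest" image tag, plus one mutate rule that fills in default requests when they are absent. The policy name, the 100m/128Mi defaults and the failure messages are assumptions chosen for the example; Kyverno's pattern syntax (`?*` for "any non-empty value", `!` for negation, `+(key)` for add-if-missing) and its auto-generation of equivalent rules for Deployments and other Pod controllers are documented Kyverno behaviour.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Example policy name (assumption, not a project-provided policy).
  name: pod-baseline-checks
spec:
  # Enforce rejects non-compliant resources at admission; Audit would only report.
  validationFailureAction: Enforce
  # Also scan resources that already exist in the cluster.
  background: true
  rules:
    # 1. Every container must declare a readiness probe.
    - name: require-readiness-probe
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every container must define a readinessProbe."
        pattern:
          spec:
            containers:
              - readinessProbe:
                  periodSeconds: ">0"
    # 2. Every container must declare CPU and memory requests and limits.
    - name: require-requests-and-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "CPU and memory requests and limits are required."
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"
    # 3. Images must be pinned to an explicit tag, never "latest".
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must use an explicit tag, not 'latest'."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    # 4. Add default requests when a container has none (mutation runs before validation).
    - name: add-default-requests
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name) anchors the patch to every container; +() adds only missing keys.
              - (name): "*"
                resources:
                  requests:
                    +(cpu): "100m"      # default value chosen for this example
                    +(memory): "128Mi"  # default value chosen for this example
```

Apply it with `kubectl apply -f` and then try creating a Pod that violates one of the rules: the admission request is rejected with the rule's message, while a Pod that merely lacks requests is admitted with the defaults filled in. Because the rules match Pods, Kyverno generates matching rules for Deployments, StatefulSets and the other Pod controllers, so the check also fires on the Deployment the first question refers to.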
