How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx

1. How To Build Kubernetes
Policies To Ensure
Compliance for Databases

2. Agenda
Your Speaker:
What to expect today:
● How to run Database in Kubernetes
● Policy-as-Code with Kyverno
● GitOps pipelines with compliance enforced
● Demo
Nic Vermandé // @nvermande
Principal Developer Advocate
2

3. Is It a Good Idea to Run
Databases in Kubernetes?
3

4. 4
https://www.datadoghq.com/container-report

5. 5
https://www.datadoghq.com/container-report

6. Databases have many moving parts
6

7. Operators to Automate Kubernetes Automation
7

8. Operator Model Benefits
● Simplify deployment, scale-out, and scale-in of cloud-
native applications
● Automatically performs operations for stateful and critical
components
○ DB scale
○ Backup
○ Upgrade
● Enforce compliance by design
○ Reconciliation loop trusts the declarative intent, not the
imperative command.

9. Operator Challenges
● No standard for CRD
● Sprawl of Custom Resources
● Supply chain quality control
● Custom resource validation for compliance and best
practices
● Documentation!!!
9

10. Policy-as-Code with Kyverno
10
YAML

11. Policy-as-Code
● Decouples validation or enforcement from directive
decisions
● Declarative format
● Kubernetes already has YAML! 😅
● Can be Kube-Native or more generic
● Control and validate source before committing to the
cluster
● Optionally mutate the input
● OPA Gatekeeper, Kyverno, Datree
11

12. Example with Kyverno
12

13. A Wide Range of Capabilities
13
A mutate rule can be used to modify matching
resources and is written as either a RFC 6902
JSON Patch or a strategic merge patch.
Mutation
1
2
3
4
5
6
A generate rule can be used to create additional
resources when a new resource is created or
when the source is updated.
Generate Resources
The Kyverno verifyImages rule uses Cosign to
verify container image signatures, attestations
and more stored in an OCI registry.
Image Verification
When a new resource is created by a user or
process, the properties of that resource are
checked by Kyverno against the validate rule.
Validation
The primary use case for preconditions is in
mutate or generate rules when needing to
check and ensure a variable, typically from
AdmissionReview data, is not empty.
Preconditions
(pronounced “James path”) is the language that
Kyverno supports to perform more complex
selections of fields and values and also
manipulation thereof by using one or more filters.
JMESPath

14. GitOps
Build
Deploy
Kustomize
Application
Code
Kubernetes
Manifests
Dev
Platform
#Fluxv2
14

15. GitOps
Build
Deploy
Kustomize
Application
Code
Kubernetes
Manifests
Dev
Platform
#Fluxv2
15

16. Enforce Compliance:
When, Where, How?
16

17. Demo Time
● Create Flux Source and Kustomization
● Validate Application Manifest off-cluster
● Use an admission controller to
validate/mutate non-conformant Resources
17

18. Key Takeaways
18
● Kubernetes is ready for hosting databases and run
cloud-native data
● The key is to make sure you can reach the right
level of availability, scale and performance
● GitOps and Policy-as-Code principles provide
best-of-class paradigms to manage enterprise
application lifecycle
● Embrace these principles to enhance your platform
security, facilitate collaboration between development
teams, and experience faster innovation cycles

19. Call to Actions
● Want to test the lab?
○ https://play.instruqt.com/ondat/tracks/policy-as-
code-for-kubernetes-stateful-applications
● Want to learn more about Ondat?
○ Self-paced online lab:
https://play.instruqt.com/ondat
○ Test Ondat in your cluster:
https://docs.ondat.io/docs/self-eval
○ Ondat SaaS portal: https://portal.ondat.io/signup
○ Subscribe to the newsletter: https://www.ondat.io/
(enter your email address at the bottom of the page)
○ Chat with us on slack: https://storageos.slack.com

20. 20