How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
1. How To Build Kubernetes Policies To Ensure Compliance for Databases
2. Agenda
Your Speaker: Nic Vermandé // @nvermande, Principal Developer Advocate
What to expect today:
● How to run Databases in Kubernetes
● Policy-as-Code with Kyverno
● GitOps pipelines with compliance enforced
● Demo
3. Is It a Good Idea to Run Databases in Kubernetes?
8. Operator Model Benefits
● Simplify deployment, scale-out, and scale-in of cloud-native applications
● Automatically performs operations for stateful and critical components
○ DB scale
○ Backup
○ Upgrade
● Enforce compliance by design
○ Reconciliation loop trusts the declarative intent, not the imperative command.
9. Operator Challenges
● No standard for CRD
● Sprawl of Custom Resources
● Supply chain quality control
● Custom resource validation for compliance and best practices
● Documentation!!!
11. Policy-as-Code
● Decouples validation or enforcement from directive decisions
● Declarative format
● Kubernetes already has YAML! 😅
● Can be Kube-Native or more generic
● Control and validate source before committing to the cluster
● Optionally mutate the input
● OPA Gatekeeper, Kyverno, Datree
13. A Wide Range of Capabilities
Mutation
A mutate rule can be used to modify matching resources and is written as either an RFC 6902 JSON Patch or a strategic merge patch.
Generate Resources
A generate rule can be used to create additional resources when a new resource is created or when the source is updated.
Image Verification
The Kyverno verifyImages rule uses Cosign to verify container image signatures, attestations and more stored in an OCI registry.
Validation
When a new resource is created by a user or process, the properties of that resource are checked by Kyverno against the validate rule.
Preconditions
The primary use case for preconditions is in mutate or generate rules when needing to check and ensure a variable, typically from AdmissionReview data, is not empty.
JMESPath
JMESPath (pronounced “James path”) is the language that Kyverno supports to perform more complex selections of fields and values and also manipulation thereof by using one or more filters.
17. Demo Time
● Create Flux Source and Kustomization
● Validate Application Manifest off-cluster
● Use an admission controller to validate/mutate non-conformant Resources
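To make the validate and mutate capabilities from the capabilities slide and the demo concrete, here is an added example Kyverno ClusterPolicy for database StatefulSets (written for this page, not taken from the deck, Kyverno or Ondat). It assumes the convention that database workloads carry the label `app.kubernetes.io/component: database`; the backup label key `backup.example.com/enabled` is likewise a placeholder.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: database-statefulset-compliance
spec:
  validationFailureAction: Enforce   # reject non-conformant resources at admission
  background: true                   # also report existing resources that violate
  rules:
    # Rule 1 (validation): every volume claim of a database StatefulSet must name
    # a StorageClass, so data never lands on the cluster default by accident.
    # A StatefulSet with no volumeClaimTemplates at all also fails this pattern.
    - name: require-named-storage-class
      match:
        any:
          - resources:
              kinds: [StatefulSet]
              selector:
                matchLabels:
                  app.kubernetes.io/component: database   # assumed labelling convention
      validate:
        message: "Database StatefulSets must set storageClassName on every volumeClaimTemplate."
        pattern:
          spec:
            volumeClaimTemplates:
              - spec:
                  storageClassName: "?*"   # wildcard: any non-empty value
    # Rule 2 (mutation): add an opt-in backup label only if it is not already present,
    # so the backup tooling picks the workload up without overriding an explicit choice.
    - name: add-backup-label
      match:
        any:
          - resources:
              kinds: [StatefulSet]
              selector:
                matchLabels:
                  app.kubernetes.io/component: database
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(backup.example.com/enabled): "true"   # "+()" anchor: add only when absent
```

The same policy file can be checked off-cluster with the Kyverno CLI against manifests in the GitOps repository before Flux applies them, which is the pipeline shape the demo describes.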
18. Key Takeaways
● Kubernetes is ready for hosting databases and running cloud-native data
● The key is to make sure you can reach the right level of availability, scale and performance
● GitOps and Policy-as-Code principles provide best-of-class paradigms to manage the enterprise application lifecycle
● Embrace these principles to enhance your platform security, facilitate collaboration between development teams, and experience faster innovation cycles
19. Call to Action
● Want to test the lab?
○ https://play.instruqt.com/ondat/tracks/policy-as-code-for-kubernetes-stateful-applications
● Want to learn more about Ondat?
○ Self-paced online lab: https://play.instruqt.com/ondat
○ Test Ondat in your cluster: https://docs.ondat.io/docs/self-eval
○ Ondat SaaS portal: https://portal.ondat.io/signup
○ Subscribe to the newsletter: https://www.ondat.io/ (enter your email address at the bottom of the page)
○ Chat with us on Slack: https://storageos.slack.com