Policy Exceptions are a new feature introduced in Kyverno 1.9 which allow decoupled, self-service, and granular exclusion of resources to one or more Kyverno policies. Because they effectively allow bypassing a policy, great care should be taken when employing them. In this post, I'll show how you can use another …

Read More

It seems just about everyone is doing GitOps in Kubernetes these days. With so many available tools and the maturity of them, it's hard to avoid it. But with only one tool being responsible for the actual creation in the cluster of the resources stored in git, it makes it difficult or impossible for someone to answer …

Read More

(This post first appeared on nirmata.com) One of the great new features in the recently-released Kyverno 1.9 is something we introduced called Policy Exceptions which decouples the policy itself from the workloads to which it applies. But what if you only want to enable policy exceptions for a brief period of time? …

Read More

There was an interesting poll I happened to stumble across on Twitter the other day from Ahmet Alp Balkan, a former staff software engineer and tech lead at Twitter's Kubernetes-based compute infrastructure team. Although I don't know Ahmet personally, I know him through his work on the popular (and terrific) krew as …

Read More

KubeCon 2022 North America, the largest Kubernetes-centric conference, just wrapped up in Detroit, Michigan at the end of October of this year. I had the good fortune of attending for another year but this time in a role fully dedicated to the Kyverno project for which I serve as one of the maintainers. These are some …

Read More

(This post first appeared on nirmata.com) Policy is commonly thought of as being primarily (if not solely) useful in the area of security, blocking the "bad" while allowing the "good". This misconception is understandable because many tools which operate by implementing "policy" are often …

Read More

(Last Updated August 2022) The subject of vulnerabilities in container images is a serious business. As an image author yourself, one of the things you should be doing is ensuring you know what those vulnerabilities are and that you aren't relying on what a scan told you three months ago to make decisions about running …

Read More

Pod Security Admission is a new-ish feature in Kubernetes which provides out-of-the-box controls for the Pod Security Standards. I touch on its behavior a bit, but as it has been covered already elsewhere, in this article I really wanted to collect the pros and cons and then frame it in context of an admission …

Read More

Unless you've been living under a rock, you're probably aware that Sigstore has been making waves in the software supply chain space—and that's a great thing because we definitely need more in this area. With their Cosign tool, it allows for ensuring many of these practices are implemented such as image signing. …

Read More

I've been hearing a couple things in the community that I wanted to take a few lines to dispel. The first is that Kyverno is fine for Kubernetes "out-of-the-box" resources like Pods and Deployments but is somehow either not capable or severely disadvantaged when it comes to working with CustomResources (CRs) …

Read More