Are you tired of your developers not fixing their apps even when they know they're violating policies? Tired of harassing them via email or Slack? In this blog, I'll show you how you can use Kyverno to find and automatically remove those "bad" resources allowing you to take out your cluster's trash. One of the …

Read More

Getting detailed costs for Kubernetes is not a trivial task. Most solutions don't understand Kubernetes and so give you one lump cost for the entire cluster. As Kubernetes continues to be a platform for building other platforms and must support multi-tenancy let alone multi-team, a lump-sum type of approach just isn't …

Read More

If you've spent any time reading my blogs before, it's probably painfully apparent that one of the things I genuinely love doing is tinkering around and finding out how to do fun, but practical, things with various technologies. I did a post earlier in June about how you can use Kyverno as a one-time pass code system …

Read More

This post first appeared on nirmata.com Kyverno, a policy engine for Kubernetes, is increasingly becoming the defacto standard for how to apply policy in a Kubernetes environment as a result of it being specifically designed for Kubernetes. Since it does not require either policy authors or policy readers to learn any …

Read More

Resource mutation is a valuable ability and can be used to solve many different use cases, some of which I covered in the past here and here. The thing most mutations have in common, however, is that there needs to be some event to occur which triggers the mutation. This event is most commonly an AdmissionReview …

Read More

In real life, imposed rules often have cases where exceptions may be required but on a case-by-case basis. Policy is really no different here. While prevention of objectively "bad" behavior should be commonplace and enforced as widely as possible, there are valid situations where the rule may need to be bent slightly. …

Read More

Policy Exceptions are a new feature introduced in Kyverno 1.9 which allow decoupled, self-service, and granular exclusion of resources to one or more Kyverno policies. Because they effectively allow bypassing a policy, great care should be taken when employing them. In this post, I'll show how you can use another …

Read More

It seems just about everyone is doing GitOps in Kubernetes these days. With so many available tools and the maturity of them, it's hard to avoid it. But with only one tool being responsible for the actual creation in the cluster of the resources stored in git, it makes it difficult or impossible for someone to answer …

Read More

(This post first appeared on nirmata.com) One of the great new features in the recently-released Kyverno 1.9 is something we introduced called Policy Exceptions which decouples the policy itself from the workloads to which it applies. But what if you only want to enable policy exceptions for a brief period of time? …

Read More

There was an interesting poll I happened to stumble across on Twitter the other day from Ahmet Alp Balkan, a former staff software engineer and tech lead at Twitter's Kubernetes-based compute infrastructure team. Although I don't know Ahmet personally, I know him through his work on the popular (and terrific) krew as …

Read More