Speaker

Felipe Alves

Senior Staff Software Engineer at ServiceNow

Athlone, Ireland

Originally from Brazil and a Radio Engineer, I've made my way to Software Engineering once it began swallowing Mobile Networks.
Most of my time has been spent provisioning, maintaining and supporting Kubernetes Platforms, especially in the area of Fleet Management.

Area of Expertise

  • Information & Communications Technology
  • Region & Country

Topics

  • Kubernetes Operators
  • Platform Engineering
  • Kubernetes
  • Kubernetes Security

Extending Kubernetes Admission Control: Dynamic Cross-Resource Policy Validation

Kubernetes’ ValidatingAdmissionPolicy API enables powerful declarative policy enforcement, but managing ValidatingAdmissionPolicyBindings at scale is challenging. At ServiceNow, we found that we would need to deploy and constantly maintain hundreds of bindings per policy in each of our clusters.

To solve this, we built an operator that integrates with the ValidatingAdmissionPolicy API by modifying the resource referenced in a ValidatingAdmissionPolicyBinding's paramRef, enabling dynamic cross-resource validation. The operator transfers data from source-of-truth resources into the paramRef resource of the ValidatingAdmissionPolicyBindings, keeping policies consistent and replacing the need for hundreds of bindings to distinct resources.

We’ll dive deep into the solution and demo how the operator provides a manageable way to implement sophisticated validation scenarios, such as implementing policy exemption mechanisms or tying the policy management configuration to your fleet-management system.
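As an added illustration (not the speaker's operator or ServiceNow's code), this is the shape of the pattern the abstract describes: one policy, one binding whose paramRef points at a single ConfigMap, and a CEL expression that reads that ConfigMap to implement a namespace exemption. An operator like the one described would keep the ConfigMap in sync from the source-of-truth resources; every name and namespace below is assumed.

```yaml
# Constructed example: one policy, one binding, one exemption ConfigMap.
# The ConfigMap is the paramRef target that a sync operator (assumed) would
# keep up to date; each key is a namespace exempt from the policy.
apiVersion: v1
kind: ConfigMap
metadata:
  name: require-limits-exemptions   # assumed name
  namespace: policy-system          # assumed namespace
data:
  # constructed placeholder entry: key = exempt namespace, value = audit note
  legacy-billing: "exemption ticket PLACEHOLDER, review quarterly"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-limits
spec:
  failurePolicy: Fail
  paramKind:                        # binding's paramRef must point at a ConfigMap
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    # Allowed when the namespace is a key in the exemption ConfigMap,
    # otherwise every container must declare resources.limits.
    - expression: >-
        (has(params.data) && object.metadata.namespace in params.data) ||
        object.spec.template.spec.containers.all(c,
          has(c.resources) && has(c.resources.limits))
      message: "every container needs resources.limits (namespace is not exempt)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-limits-binding
spec:
  policyName: require-limits
  validationActions: ["Deny"]
  paramRef:
    name: require-limits-exemptions
    namespace: policy-system
    # fail closed if the exemption ConfigMap is missing
    parameterNotFoundAction: Deny
```

Apply the ConfigMap first so the binding never points at a missing parameter; adding or removing an exemption is then a change to one ConfigMap rather than a new binding.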

ValidatingAdmissionPolicies at Scale: Enterprise-Grade K8s Policy Framework in Three Steps

Many organizations struggle to implement effective policy enforcement at scale due to the challenges of managing ValidatingAdmissionPolicies in complex enterprise environments.

Are you struggling to implement effective policy enforcement at scale? So were we! Learn how we leveraged ValidatingAdmissionPolicies to create an enterprise-grade policy framework that scales. We'll cover the three-component architecture developed to address the complexities of developing, deploying and maintaining ValidatingAdmissionPolicies:

1. Policy Generation and Testing: How we use CUE and declarative code to create and maintain policies with comprehensive test coverage, enabling security teams to focus on business logic rather than CEL syntax

2. Enterprise-Integrated Exemption Management: Our approach to policy exceptions that integrates directly with Fleet Management systems, providing a unified interface for both application configuration and security requirements

3. Pre-Deployment Compliance Validation: How we validate existing Kubernetes resources prior to deploying the policies, enabling their safe deployment in brownfield environments

Our framework addresses enterprise realities: brownfield deployments, legacy applications, urgent business needs, and the balance between security and developer velocity.

Join us to see how our comprehensive policy framework creates the foundation necessary for effective Kubernetes policy implementation in enterprise environments. Learn how our three-tiered approach for policy generation, exemption management and policy auditing transforms ValidatingAdmissionPolicies from isolated security controls into an integrated, business-aligned policy enforcement system that delivers measurable security benefits while respecting operational realities.

Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.