Organizations rely on Admission Controllers like Kyverno and Static Analysis tools to enforce a wide range of security best practices, but these measures alone may not protect against future vulnerabilities. When new vulnerabilities are discovered, application upgrades often take time, and it can be more effective to sandbox these vulnerabilities than to wait for upstream fixes.

Preventing application downtime due to vulnerabilities is crucial, and virtual patching helps by containing and preventing the exploitation of vulnerabilities at runtime without impacting application behavior or deployment processes.

In this talk, we will explore live examples using well-known vulnerabilities such as Log4j, PwnKit, xz, and Leaky Vessels. We will demonstrate how to use Kyverno to identify vulnerable workloads, leverage results from image vulnerability scanners, and generate KubeArmor policies to apply virtual patches to specific deployments, ensuring security without disrupting operations.