Cloud Native Rejekts EU (Valencia) 2022

Harshita Sharma

Harshita Sharma is currently a Kubernetes and Golang developer at Kubermatic, working on multi-cluster management and automation for Kubermatic Kubernetes Platform.

Harshita is an open source enthusiast with an interest in developer advocacy.

Harshita has previously given talks at FOSDEM and CNCF meetups.
Over the past 3 years, she has worked on a variety of open source projects such as Kubermatic Kubernetes Platform, KubeEdge, Velero, OpenEBS, OPA Gatekeeper, etc.


Automate Updating Nonconformants in Your k8s Cluster (Policy Enforcement)

Have you ever encountered missing or incorrect security policies on your k8s cluster?
Maybe you found yourself in k8s resource chaos, unable to tell which resource was created by whom?
Maybe you forgot to set some key attributes on your k8s cluster.

With the deprecation of PodSecurityPolicy, OPA Gatekeeper has become one of the most popular alternatives as a policy controller.
Until recently, it enabled us to validate incoming resources, audit existing policy violations, and reject nonconformant resources based on user-defined policies defined as CRDs. This is great, but it still left the burden of updating the faulty resources manually. With the new mutation feature, updating nonconformant resources can be automated with customizable mutation policies such as "setting the security context of a specific container in a Pod in a namespace to be non-privileged".
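As an added illustration (not part of the talk abstract or of Gatekeeper's own documentation), the mutation policy mentioned above can be expressed with Gatekeeper's `Assign` CRD. The container name `app` and the namespace `demo` are assumed values chosen for this example; the `mutations.gatekeeper.sh/v1beta1` API version is the one shipped with Gatekeeper releases current in 2022.

```yaml
# Added example: a Gatekeeper Assign mutation that forces
# spec.containers[name=app].securityContext.privileged to false
# for Pods admitted into the "demo" namespace (names are assumed).
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: demo-app-non-privileged
spec:
  # Which API resources the mutation may modify.
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  # Which admitted objects are selected; here only Pods in "demo".
  match:
    scope: Namespaced
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces: ["demo"]
  # Path inside the object to set; the [name:app] list selector
  # picks the container named "app" rather than every container.
  location: "spec.containers[name:app].securityContext.privileged"
  parameters:
    assign:
      value: false
```

Two caveats a practitioner will want: Gatekeeper mutates through a mutating admission webhook, so the change is applied only when a Pod is created or updated; Pods already running in the cluster are not rewritten until they are re-admitted. Mutating webhooks also run before validating webhooks, so keeping the corresponding validating constraint in place (rather than relying on mutation alone) preserves audit visibility and rejects anything the mutation does not cover.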

In this talk, Harshita will share her experiments with OPA Gatekeeper Mutation policies and lessons learned in developing a k8s native solution to completely automate and simplify policy enforcement across a cluster stack using OPA Gatekeeper.