Policy Engines for Kubernetes: Picking One Without Losing Your Mind - Nabarun Pal, Broadcom


Abstract

Enforcing Kubernetes policies sounds simple until you actually have to do it. Block privileged pods? Sure. Inject sidecars automatically? Easy, right? There is more to consider than you would think. This talk will explore the prominent options people use: the native Validating/Mutating Admission Policies, Kyverno, OPA/Gatekeeper, and Kubewarden. Each has its strengths and makes different tradeoffs. Native Kubernetes policies need no extra services but require CEL knowledge. Kyverno uses plain YAML for validation and mutation. OPA offers maximum flexibility with Rego, but adds a learning curve. Kubewarden uses WebAssembly, so policies can be written in any Wasm-compatible language and distributed via OCI registries. We will dig into performance at scale, because that additional admission overhead matters when you are deploying thousands of pods. I will share lessons from running them in production, including what usually does not make it into the elevator pitches. You will leave knowing which engine fits your situation.
