Final slide and demos for 20231103

nicholasdille · nicholasdille · commit 3f91b24033b6 · 2023-11-06T21:28:59.000+01:00
diff --git a/120_kubernetes/kyverno/slides.md b/120_kubernetes/kyverno/slides.md
@@ -59,4 +59,24 @@ Start with namespaced policies
 
 Migrate to cluster-wide policies for well-tested settings
 
-Continue with cluster-wide policies and exclusions
+Continue with cluster-wide policies and exclusions
+
+---
+
+## Using Kyverno with GitOps
+
+Considerations in the official documentation [](https://kyverno.io/docs/writing-policies/mutate/#gitops-considerations)
+
+### flux
+
+Flux performs a server-side dry-run to determine state
+
+Kyverno operates during dry-run as well
+
+Flux will natively accomodate for mutating admission controllers
+
+### ArgoCD
+
+ArgoCD does not support server-side dry-run yet (see [argoproj/argo-cd#11574](https://github.com/argoproj/argo-cd/issues/11574))
+
+Applications must use `ignoreDifferences` to ignore mutations [](https://kyverno.io/docs/writing-policies/mutate/#argocd)
diff --git a/120_kubernetes/kyverno/validation_automountServiceAccountToken.demo b/120_kubernetes/kyverno/validation_automountServiceAccountToken.demo
@@ -1,4 +1,4 @@
-# Disable automount of service account token
+# Prevent automount of service account token
 
 # Deploy policy
 cat <<EOF | kubectl apply -f -
@@ -18,16 +18,14 @@ spec:
           - Pod
     preconditions:
       any:
-      - key: "{{ request.object.spec.serviceAccount || 'default' }}"
+      - key: "{{ request.object.spec.serviceAccountName || 'default' }}"
         operator: Equals
         value: "default"
-    mutate:
-      patchStrategicMerge:
+    validate:
+      message: "FOO"
+      pattern:
         spec:
           automountServiceAccountToken: false
-          serviceAccount: ""
-          serviceAccountName: ""
-          serviceAccountToken: ""
 EOF
 
 # Deploy pod
diff --git a/120_kubernetes/kyverno/validation_automountServiceAccountToken.md b/120_kubernetes/kyverno/validation_automountServiceAccountToken.md
@@ -10,6 +10,6 @@ Unwanted Kubernetes API access can leak to privilege escalation
 
 Those pods should not mount service account
 
-### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/kyverno/mutation_automountServiceAccountToken.demo "mutation_automountServiceAccountToken.demo")
+### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/kyverno/validation_automountServiceAccountToken.demo "validation_automountServiceAccountToken.demo")
 
-Add `automountServiceAccountToken` to pods
+Deny pods without `automountServiceAccountToken` when `serviceAccountName` is not specified or equals `default`
diff --git a/120_kubernetes/rbac/service_account.md b/120_kubernetes/rbac/service_account.md
@@ -48,7 +48,7 @@ automountServiceAccountToken: false
 #...
 ```
 
-Can be overridden by specifying `automountServiceAccountToken: false` in the pod spec
+Can be overridden by specifying `automountServiceAccountToken: true` in the pod spec
 
 ### DEMO [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account.demo "service_account.demo")
 
diff --git a/2023-11-03_heise-Kubernetes-absichern.html b/2023-11-03_heise-Kubernetes-absichern.html
@@ -67,10 +67,10 @@
 </textarea></section>
 <section data-markdown="120_kubernetes/kyverno/slides.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/mutation.md" data-separator="^---$" data-separator-vertical="^--$"></section>
-<section data-markdown="120_kubernetes/kyverno/mutation_automountServiceAccountToken.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/mutation_imagepullsecrets.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/validation_labels.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/validation_latest.md" data-separator="^---$" data-separator-vertical="^--$"></section>
+<section data-markdown="120_kubernetes/kyverno/validation_automountServiceAccountToken.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/validation_naked_pods.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="120_kubernetes/kyverno/validation_resources.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 
diff --git a/2023-11-03_heise-Kubernetes-absichern.md b/2023-11-03_heise-Kubernetes-absichern.md
