Cloud Governance With Infrastructure As Code (IaC) With Kyverno And Crossplane

2022-10-26

Authors:   Dolis Sharma


Summary

The presentation discusses the benefits and challenges of Infrastructure as Code (IaC) and how Crossplane addresses those challenges by using the Kubernetes API to provision and manage infrastructure.
  • IaC eliminates human error and reduces cost by automating infrastructure deployment and management
  • Configuration drift can occur with manual deployment and management, which can jeopardize deployment cycles and increase a project's exposure to vulnerabilities
  • Crossplane uses the Kubernetes API and a declarative approach to automate infrastructure deployment and management, ensuring consistency and alignment between developers and operations
  • However, IaC carries its own security risks, and bridging the gap between DevOps and SecOps can be a challenge
  • Crossplane addresses these challenges by keeping configuration under version control, providing visibility, and applying guardrails and rules
  • Crossplane can create infrastructure and policies from simple YAML files, for resources such as EC2 instances and S3 buckets
  • Composite resources can be used to create more complex infrastructure, such as EKS clusters
  • Crossplane extends the functionality of Kubernetes clusters and provides self-service to developers
The presenter demonstrated how easy it is to create an EC2 instance and an S3 bucket using simple YAML files and the kubectl apply command. The YAML files contain all the necessary configuration, such as subnet, security group, and roles, eliminating the need for manual configuration. The presenter also showed how Crossplane provides visibility into the resources it creates, such as the events and status of the S3 bucket. This demonstrates how Crossplane simplifies infrastructure deployment and management for developers.

Abstract

While self-service clusters are desirable, there are many cloud resources that need to be created for a cluster. In an enterprise, these may fall under a different team's responsibilities. So, how does a cloud or infrastructure team provide the necessary guardrails to ensure that the Kubernetes environments created by developers are compliant with the organization's security, governance, and cost management standards? In this talk, Dolis shares an approach where Crossplane and Kyverno, both CNCF projects, can be used to provide self-service Kubernetes environments on the cloud for developers with the necessary checks and restrictions in place. While Crossplane, an increasingly popular IaC orchestrator that runs on Kubernetes, is used to provision different infrastructure resources, Kyverno can be used to provide governance on what type of resources can be created, by whom, and how the resources are configured. We can automate resource provisioning with governance using Crossplane and Kyverno. In addition to deploying and managing cloud resources, you can also create Kyverno policies to ensure that the generated resources are compliant with your company's requirements.
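The pairing described in the summary and abstract (a Crossplane managed resource declared in YAML, and a Kyverno policy that decides how such resources may be configured) looks like the following. This is an added example written for this page, not material from the talk or from either project. It assumes the Upbound AWS provider's `s3.aws.upbound.io/v1beta1` Bucket schema and a Kyverno `ClusterPolicy` (`kyverno.io/v1`); the bucket name, region, tag key and policy name are constructed for illustration. The Kyverno rule runs at admission, so a developer's `kubectl apply` of a non-compliant bucket is rejected before Crossplane ever reaches out to AWS, which is where the "guardrails" in the abstract take effect.

```yaml
# --- Developer-facing self-service request: a Crossplane managed resource ---
# Applying this with `kubectl apply -f` asks Crossplane to reconcile a real S3 bucket.
apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: team-a-reports            # constructed example name
  labels:
    team: team-a
spec:
  forProvider:
    region: us-east-1             # allowed by the policy below
    tags:
      owner: team-a               # required by the policy below
      cost-center: cc-1234        # constructed example value
  providerConfigRef:
    name: default                 # assumed ProviderConfig name
---
# --- Platform-team guardrail: a Kyverno policy over Crossplane Bucket objects ---
# validationFailureAction: enforce makes a pattern mismatch an admission denial.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: crossplane-s3-guardrails  # constructed example name
spec:
  validationFailureAction: enforce
  background: true                # also report on existing Buckets that drift
  rules:
    - name: bucket-region-and-ownership
      match:
        any:
          - resources:
              # Group/Version/Kind form scopes the rule to the Crossplane type only,
              # so unrelated "Bucket" kinds from other APIs are not affected.
              kinds:
                - s3.aws.upbound.io/v1beta1/Bucket
      validate:
        message: >-
          Crossplane S3 buckets must be created in us-east-1 and must carry
          owner and cost-center tags so the infrastructure team can attribute them.
        pattern:
          spec:
            forProvider:
              region: us-east-1
              tags:
                owner: "?*"         # any non-empty value
                cost-center: "?*"
```

A bucket whose `spec.forProvider.region` is changed to another region, or whose `tags` omits `owner`, is refused at `kubectl apply` time with the message above, and because `background: true` is set, Kyverno also surfaces pre-existing Buckets that violate the rule in its policy reports, which gives the cloud team the visibility the summary mentions without blocking developer self-service for compliant requests.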
