Hi, welcome to this session. We'll talk about how Open Policy Agent Gatekeeper can help you strengthen your supply chain security. I'm Rita. Hello, I'm Sertaç. We're maintainers of the OPA Gatekeeper project. So first, you might ask, well, what is Gatekeeper? Gatekeeper is a customizable Kubernetes admission and mutation webhook. It helps us enforce policies and strengthen governance. It enforces policies executed by Open Policy Agent, a policy agent for cloud native environments, and it is a CNCF graduated project. So you can leverage it to extend supply chain security and governance in your Kubernetes environment.

All right, so let's dive a little deeper into Gatekeeper for supply chain security. With the external data feature, Gatekeeper can now be used for validating and mutating Kubernetes objects using data that is coming from external data sources in a generic way. External data is an interface to external data sources such as image registries, and it is developed using a provider-based model so that the specific external data logic can be written by providers outside of Gatekeeper. Let's look at some potential use cases. For validation, for example, we have image signing: you can check whether an image is signed or not. Another example is image vulnerabilities: you can check if an image has critical vulnerabilities, for example. On the mutation side, we can mutate an image tag to a digest, which helps us pin to a specific SHA digest for an image. Another example of a mutation is that we could use Active Directory or an LDAP directory to mutate labels and/or annotations to add owners, so you can tell who created those Kubernetes objects. Do we get to see this in action? Yes, let's do a demo. Awesome. Yeah, let's start with our demo, and we're going to take a look at our cluster first. Here you can see our gatekeeper-controller-manager and gatekeeper-audit pods. And let's look at our providers next.
Here you can see the providers registered with Gatekeeper. They basically map to services that are running behind these deployments, such as the Trivy provider or the tag-to-digest provider. Next we are going to look at our Assign CRD, which is the mutation CRD; Assign is one of the mutation CRDs for Gatekeeper. You can see that this object takes an image, for all containers, and then it uses the external data source with the ValueAtLocation data source, which means it passes the image's value to the tag-to-digest provider and mutates the image value to the same image value appended with the image digest. In the next example, we are going to take a look at the deployment file. Here you can see the tag, which does not contain a SHA, and here is the one with the digest already included. So we should see the first one get mutated while the second one does not get mutated. Let's go ahead and deploy our deployment, and then let's take a look at the object. As I mentioned earlier, we can see the first container got mutated with the digest while the second one still has the same digest. Very cool.

The next one we want to take a look at is the cosign provider. The cosign provider is a validation-based provider where we can check if a container image is signed or not using the cosign project in Sigstore. This is our Gatekeeper ConstraintTemplate, where we pass the container image to the external data source and we basically check the response from the external data provider. Here you can see our constraint, which has the enforcement action deny, so we should deny the deployment if it is not signed. And here you can see a test deployment with an unsigned image: this is a pause image, which is not signed. We're going to go ahead and deploy this, and you should see our container get denied.
Like we mentioned, it did get denied, because it does not contain a valid cosign signature. So let's look at a signed image. In this case, we're looking at the distroless static image with the latest tag, and we're going to deploy that, and this should go ahead and be created.

Next, let's look at how we can use this feature to block vulnerabilities. Here, as you can see, is a Gatekeeper ConstraintTemplate which contains Rego that says, hey, for any containers, we want to talk to the Trivy provider, which provides us with vulnerability data, right? Trivy does a lot of scanning and returns the number of vulnerabilities and whether they are high, low or medium. Based on that, in our policies we can decide if we want to deploy or block the vulnerability or not, or maybe return a warning, right? So next we're going to deploy this constraint template, and Gatekeeper will basically reach out to the Trivy provider. Here, as you can see, we have a constraint, and the constraint says the enforcement action is warn, so I don't actually want to block but just give people a warning that they're deploying something bad. And here, as you can see, is an example deployment that contains an image that may contain a vulnerability; we are using Alpine as our example image. As soon as I deploy this, let's see what Trivy returns. All right, and here, as you can see, it returns a warning telling us, hey, for this Alpine image you have 30 vulnerabilities, but we're not actually going to block the deployment. Next, let's see how it will work for an image that's not vulnerable. Right here, as you can see, we're using the distroless static image. Let's see if we're right; let's see if Trivy identifies any vulnerability. All right, so it was true. Yeah.

All right, next we have the AAD use case, in which case a lot of companies, a lot of organizations want to identify owners of Kubernetes resources.
Here we are leveraging the mutation feature in Gatekeeper, which, as you can see here, is a custom resource called AssignMetadata that says, hey, for config maps that I'm deploying, I want to provide a label, and the data for it actually comes from a provider called the AAD provider, right, and that data would then be used as the owner label for these config map resources. So let's take a look at how that works. We're going to apply this AssignMetadata resource. Now, as you can see, we have a test config map, and once we apply it, let's see if it actually gives us the label. And it looks like you're applying that with a specific user. Yes, and this is the user, the AAD user. All right, let's take a look at whether the mutation is working. It looks like the label got mutated and there's my name. Yeah, it's you. So it works. Great.

All right, that was a fun demo. I hope you enjoyed the demonstration of the many, many use cases that you can actually start applying in your organization with Gatekeeper and the new external data feature. We would love to get feedback from the community, so definitely come give us feedback and open issues in GitHub and Slack, and join us in our weekly community call. Thank you. Thank you.
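The signed-image check described in the demo, written out as an added example rather than the speakers' own manifests: a ConstraintTemplate whose Rego batches every container image into one `external_data` call and raises a violation when the provider reports a per-image error or cannot be reached (failing closed), plus a deny-mode Constraint that applies it to Pods. The provider name `cosign-provider`, the template name and the Pod-level match are assumptions; the response shape (`errors` as `[key, message]` pairs, `system_error` as a string) follows Gatekeeper's external data API.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sverifiedimages          # assumed name for this example
spec:
  crd:
    spec:
      names:
        kind: K8sVerifiedImages
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sverifiedimages

        # Collect every container image in the Pod under review so the
        # provider is called once per admission request, not once per image.
        images := [img | img := input.review.object.spec.containers[_].image]

        # Assumed provider name; the provider is a cosign-backed service
        # registered with Gatekeeper as a Provider resource.
        response := external_data({"provider": "cosign-provider", "keys": images})

        # A per-key error means that image failed signature verification.
        violation[{"msg": msg}] {
          err := response.errors[_]
          msg := sprintf("image %v rejected by signature provider: %v", [err[0], err[1]])
        }

        # A system error means the provider could not be reached; fail closed
        # rather than admitting an unverified image.
        violation[{"msg": msg}] {
          count(response.system_error) > 0
          msg := sprintf("signature provider unavailable: %v", [response.system_error])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sVerifiedImages
metadata:
  name: require-signed-images
spec:
  enforcementAction: deny   # switch to "warn" to audit before blocking, as in the Trivy demo
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```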