Why Kyverno Exists
Kyverno is a policy engine designed for Kubernetes. Unlike OPA/Gatekeeper, policies are written in YAML — no Rego to learn. Validate, mutate, generate, and clean up resources with familiar K8s syntax.
Install
```bash
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
```
Require Labels on All Pods
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-team-label
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "label 'team' is required"
        pattern:
          metadata:
            labels:
              # "?*" means at least one character: an empty value is rejected too
              team: "?*"
```
Auto-Add Labels (Mutate)
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
  rules:
    - name: add-env-label
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              # "+()" add anchor: set the label only when it is absent, so an
              # existing environment label (e.g. prod) is never overwritten
              +(environment): dev
```
Block Latest Tag
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An explicit image tag is required"
        pattern:
          spec:
            containers:
              # an untagged image is implicitly ':latest' and would slip past
              # the negated pattern below, so require some tag first
              - image: "*:*"
    - name: no-latest
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Using 'latest' tag is not allowed"
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```
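To see how the validate patterns above actually evaluate, here is an added Python re-implementation of Kyverno's pattern semantics (wildcards, `!` negation, nested maps and the every-element rule for arrays). It is not Kyverno's own code and is deliberately simplified; the Pod manifests are constructed test inputs, and the third rule shows why a `*:*` check is needed alongside `!*:latest`.

```python
import fnmatch

# Simplified model of Kyverno's validate "pattern" matching (not the real engine):
# strings are globs (* and ?), a leading "!" negates, maps require every pattern key
# to be present and match, and every element of a resource array must match.
def matches(pattern, value):
    """Return True if the resource fragment `value` satisfies `pattern`."""
    if isinstance(pattern, str):
        negate = pattern.startswith("!")
        glob = pattern[1:] if negate else pattern
        hit = fnmatch.fnmatchcase(str(value), glob)
        return (not hit) if negate else hit
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            k in value and matches(v, value[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        return isinstance(value, list) and all(
            any(matches(p, item) for p in pattern) for item in value)
    return pattern == value

# The two validate rules from the policies above, plus the tag-required rule:
# "!*:latest" alone accepts an image with no tag at all, which Kubernetes
# resolves to :latest, so "*:*" is needed to demand an explicit tag.
# Caveat: a registry with a port (host:5000/img) satisfies "*:*" without a tag.
RULES = {
    "label 'team' is required": {"metadata": {"labels": {"team": "?*"}}},
    "Using 'latest' tag is not allowed": {"spec": {"containers": [{"image": "!*:latest"}]}},
    "An explicit image tag is required": {"spec": {"containers": [{"image": "*:*"}]}},
}

def violations(pod_manifest):
    """Messages of every rule the Pod fails; an empty list means it is admitted."""
    return [msg for msg, pat in RULES.items() if not matches(pat, pod_manifest)]

def pod(labels, *images):
    """Constructed minimal Pod manifest with the given labels and container images."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo", "labels": labels},
            "spec": {"containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}

if __name__ == "__main__":
    print(violations(pod({"team": "payments"}, "nginx:1.25")))      # admitted
    print(violations(pod({"team": "payments"}, "nginx:latest")))    # latest rejected
    print(violations(pod({"team": "payments"}, "nginx")))           # only the tag rule fires
    print(violations(pod({}, "nginx:1.25", "busybox:latest")))      # two violations
```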
Generate Resources Automatically
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-network-policy
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      # the Kyverno background controller needs RBAC permission to create
      # the generated kind in the target namespace
      generate:
        kind: NetworkPolicy
        apiVersion: networking.k8s.io/v1
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        data:
          spec:
            podSelector: {}
            policyTypes: ["Ingress", "Egress"]
```
Key Features
- YAML policies — no Rego, no new language
- Validate — block non-compliant resources
- Mutate — auto-fix resources on admission
- Generate — create resources from templates
- Verify images — cosign signature verification
- CNCF Incubating — production-ready
Resources
Need to audit Kubernetes policies, extract cluster configs, or compliance data? Check out my Apify tools or email spinov001@gmail.com for custom solutions.