DEV Community

Ashok Nagaraj

Kubernetes policy management: III - Kyverno

This is the third post in the series.

Other parts:
I - Introduction
II - OPA Gatekeeper
IV - jsPolicy


Installation
❯ helm repo add kyverno https://kyverno.github.io/kyverno/
❯ helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace
...
REVISION: 1
NOTES:
Thank you for installing kyverno v2.2.0 😀

Your release is named kyverno, app version v1.6.0
# Install the view-webhook kubectl plugin (via krew) to inspect the admission webhooks Kyverno registered
❯ kubectl krew install view-webhook
# Check the webhook details
❯ kubectl view-webhook

+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+---------------+------------------------+
|    KIND    |                  NAME                   |           WEBHOOK            |               SERVICE               | RESOURCES&OPERATIONS | REMAINING DAY |       ACTIVE NS        |
+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+---------------+------------------------+
| Mutating   | kyverno-policy-mutating-webhook-cfg     | mutate-policy.kyverno.svc    | └─┬kyverno-svc                      | ├──clusterpolicies/* | 52 weeks      | ✖ No Active Namespaces |
|            |                                         |                              |   ├──NS  : kyverno                  | └─┬policies/*        |               |                        |
|            |                                         |                              |   ├──Path: /policymutate            |   ├──+CREATE         |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |   └──^UPDATE         |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-resource-mutating-webhook-cfg   | mutate.kyverno.svc-ignore    | └─┬kyverno-svc                      |                      |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |                      |               |                        |
|            |                                         |                              |   ├──Path: /mutate                  |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +                                         +------------------------------+                                     +----------------------+               +                        +
|            |                                         | mutate.kyverno.svc-fail      |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-verify-mutating-webhook-cfg     | monitor-webhooks.kyverno.svc | └─┬kyverno-svc                      | └─┬deployments/*     |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |   └──^UPDATE         |               |                        |
|            |                                         |                              |   ├──Path: /verifymutate            |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
| Validating | kyverno-policy-validating-webhook-cfg   | validate-policy.kyverno.svc  | └─┬kyverno-svc                      | ├──clusterpolicies/* |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  | └─┬policies/*        |               |                        |
|            |                                         |                              |   ├──Path: /policyvalidate          |   └──^UPDATE         |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-resource-validating-webhook-cfg | validate.kyverno.svc-ignore  | └─┬kyverno-svc                      |                      |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |                      |               |                        |
|            |                                         |                              |   ├──Path: /validate                |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +                                         +------------------------------+                                     +----------------------+               +                        +
|            |                                         | validate.kyverno.svc-fail    |                                     |                      |               |


Architecture

Kyverno runs as a dynamic admission controller. The API server forwards matching CREATE/UPDATE admission requests to the webhooks listed above; the kyverno-svc service routes them to the Kyverno controller, which evaluates the installed ClusterPolicy/Policy objects and answers with a mutation patch or an allow/deny decision. The resource webhooks are registered twice, once with a `-fail` suffix and once with `-ignore`, matching the policy's failurePolicy: a request that is routed through a `-fail` webhook is rejected when Kyverno is unreachable (fail closed), whereas an `-ignore` webhook lets it through (fail open). Mutating webhooks are always called before validating ones, so a mutation can change what a validation rule later sees.


Creating and instantiating policies

Validating policy

# Mandate presence of label:app.kubernetes.io/name
❯ kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
EOF
clusterpolicy.kyverno.io/require-labels created
# List the policy
❯ kubectl get cpol
NAME             BACKGROUND   ACTION    READY
require-labels   true         enforce   true
# Test the policy (note the typo: the pod is named "pod" here, as the error below confirms)
❯ kubectl run pod test-pod --image=alpine --restart=Never
Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Pod/default/pod was blocked due to the following policies

require-labels:
  check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required.
    Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'
❯ echo $?
1

Mutating policy

# Policy to add some labels by default
❯ kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
  annotations:
    policies.kyverno.io/title: Add Labels
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Label
    policies.kyverno.io/description: >-
      Labels are used as an important source of metadata describing objects in various ways
      or triggering other functionality. Labels are also a very basic concept and should be
      used throughout Kubernetes. This policy performs a simple mutation which adds a label
      `foo=bar` to Pods, Services, ConfigMaps, and Secrets.
spec:
  rules:
  - name: add-labels
    match:
      resources:
        kinds:
        - Pod
        - Service
        - ConfigMap
        - Secret
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            foo: bar
EOF
clusterpolicy.kyverno.io/add-labels created
# Create a sample pod
❯ kubectl run test-pod --image=alpine --restart=Never
pod/test-pod created
# Test the application
❯ kubectl get pod test-pod --show-labels
NAME       READY   STATUS      RESTARTS   AGE   LABELS
test-pod   0/1     Completed   0          18s   foo=bar,run=test-pod
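Because Kyverno's mutating webhook runs before its validating webhook, a mutation can satisfy a validation rule. The policy below is an added example written for this post, not code from the original article or the Kyverno project: it defaults app.kubernetes.io/name to the Pod's own name using the `+()` add-if-not-present anchor together with the `{{request.object.metadata.name}}` variable, so that an explicitly set label is never overwritten. With this policy and the require-labels policy from above both installed, `kubectl run test-pod --image=alpine --restart=Never` is admitted instead of being denied. The policy and rule name default-app-name are chosen for this example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-app-name            # name chosen for this example
spec:
  rules:
  - name: default-app-name
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            # "+()" is Kyverno's add-if-not-present anchor: the label is only
            # written when it is missing, so a value supplied by the client wins.
            # The value is taken from the admission request's object name.
            +(app.kubernetes.io/name): "{{request.object.metadata.name}}"
```

Two caveats worth checking before using something like this. First, a mutation that auto-fills a label a validation policy mandates weakens that control: require-labels then only proves the label exists, not that a human chose a meaningful value, so default only what is genuinely derivable. Second, Pods created with generateName (for example by a ReplicaSet) do not yet have a name at admission time, so `request.object.metadata.name` would be empty and the `"?*"` pattern in require-labels would still reject them; derive the value from a field that is populated at that point instead.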

More samples from the policy library: "All policies" and "Adding a created-by label".


Kyverno CLI
From the documentation

The Kyverno Command Line Interface (CLI) is designed to validate and test policy behavior to resources prior to adding them to a cluster. The CLI can be used in CI/CD pipelines to assist with the resource authoring process to ensure they conform to standards prior to them being deployed. It can be used as a kubectl plugin or as a standalone CLI.


Testing for CI

You need the Kyverno CLI installed. `kyverno test` expects a kyverno-test.yaml file in the target folder that names the policy files, the resource files and the expected pass/fail result per policy rule and resource.

  • To test the YAML manifests in a local folder/
❯ kyverno test given-folder/
  • To test the YAML manifests in a git repository
❯ kyverno test https://<repo-url>
  • To test the YAML manifests in a given folder/ on a given branch of a git repository
❯ kyverno test https://<repo-url>/<folder> --git-branch <BRANCH>

See the test documentation for the full schema.
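A complete, minimal test folder for the require-labels policy from earlier in this post, added here as an example (it is not part of the original article or of the Kyverno repository). It consists of three files, shown below as one YAML stream with a comment marking where each file starts: the policy, a constructed resources file with one compliant and one non-compliant Pod, and kyverno-test.yaml in the schema used by the Kyverno CLI of the v1.6 era that the post installs. The Pod names labelled-pod and unlabelled-pod and the test name are chosen for this example.

```yaml
# ---- file: require-labels.yaml (the validating policy from above, unchanged) ----
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
---
# ---- file: resources.yaml (constructed sample input: one compliant Pod, one not) ----
apiVersion: v1
kind: Pod
metadata:
  name: labelled-pod
  namespace: default
  labels:
    app.kubernetes.io/name: labelled-pod   # satisfies the "?*" (non-empty) pattern
spec:
  containers:
  - name: app
    image: alpine
---
apiVersion: v1
kind: Pod
metadata:
  name: unlabelled-pod                     # no labels at all: must be reported as fail
  namespace: default
spec:
  containers:
  - name: app
    image: alpine
---
# ---- file: kyverno-test.yaml (what `kyverno test <folder>` looks for) ----
name: require-labels-test
policies:
  - require-labels.yaml
resources:
  - resources.yaml
results:
  # one expectation per (policy, rule, resource); result is pass, fail or skip
  - policy: require-labels
    rule: check-for-labels
    resource: labelled-pod
    kind: Pod
    result: pass
  - policy: require-labels
    rule: check-for-labels
    resource: unlabelled-pod
    kind: Pod
    result: fail
```

Run `kyverno test .` from inside that folder (or point it at the repository URL as shown above). Each expectation that does not match the CLI's actual evaluation is reported, and the command exits non-zero, which is what a CI step keys on. Declaring the expected fail for unlabelled-pod matters as much as the pass: it proves the policy actually denies what it is supposed to deny, rather than silently matching nothing. For a one-off check without a test file, `kyverno apply require-labels.yaml --resource resources.yaml` evaluates the same policy against the same resources and prints the per-resource outcome.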


More info

Documentation
Excellent tutorial


I love the policy library that has a lot of specific examples
