Ashok Nagaraj

Kubernetes policy management: III - Kyverno

This is the third post of the series.

Other parts:
I - Introduction
II - OPA Gatekeeper
IV - jsPolicy


Installation
❯ helm repo add kyverno https://kyverno.github.io/kyverno/
❯ helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace
...
REVISION: 1
NOTES:
Thank you for installing kyverno v2.2.0 😀

Your release is named kyverno, app version v1.6.0
# Install the krew plugin
❯ kubectl krew install view-webhook
# Check the webhook details
❯ kubectl view-webhook

+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+---------------+------------------------+
|    KIND    |                  NAME                   |           WEBHOOK            |               SERVICE               | RESOURCES&OPERATIONS | REMAINING DAY |       ACTIVE NS        |
+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+---------------+------------------------+
| Mutating   | kyverno-policy-mutating-webhook-cfg     | mutate-policy.kyverno.svc    | └─┬kyverno-svc                      | ├──clusterpolicies/* | 52 weeks      | ✖ No Active Namespaces |
|            |                                         |                              |   ├──NS  : kyverno                  | └─┬policies/*        |               |                        |
|            |                                         |                              |   ├──Path: /policymutate            |   ├──+CREATE         |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |   └──^UPDATE         |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-resource-mutating-webhook-cfg   | mutate.kyverno.svc-ignore    | └─┬kyverno-svc                      |                      |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |                      |               |                        |
|            |                                         |                              |   ├──Path: /mutate                  |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +                                         +------------------------------+                                     +----------------------+               +                        +
|            |                                         | mutate.kyverno.svc-fail      |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
|            |                                         |                              |                                     |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-verify-mutating-webhook-cfg     | monitor-webhooks.kyverno.svc | └─┬kyverno-svc                      | └─┬deployments/*     |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |   └──^UPDATE         |               |                        |
|            |                                         |                              |   ├──Path: /verifymutate            |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+------------+-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
| Validating | kyverno-policy-validating-webhook-cfg   | validate-policy.kyverno.svc  | └─┬kyverno-svc                      | ├──clusterpolicies/* |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  | └─┬policies/*        |               |                        |
|            |                                         |                              |   ├──Path: /policyvalidate          |   └──^UPDATE         |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +-----------------------------------------+------------------------------+-------------------------------------+----------------------+               +                        +
|            | kyverno-resource-validating-webhook-cfg | validate.kyverno.svc-ignore  | └─┬kyverno-svc                      |                      |               |                        |
|            |                                         |                              |   ├──NS  : kyverno                  |                      |               |                        |
|            |                                         |                              |   ├──Path: /validate                |                      |               |                        |
|            |                                         |                              |   └─┬IP  : 10.96.195.22 (ClusterIP) |                      |               |                        |
|            |                                         |                              |     └──443/TCP                      |                      |               |                        |
+            +                                         +------------------------------+                                     +----------------------+               +                        +
|            |                                         | validate.kyverno.svc-fail    |                                     |                      |               |

Architecture

[Architecture diagram: Kyverno admission webhooks in front of the API server]


Creating and instantiating policies

Validating policy

# Mandate presence of label:app.kubernetes.io/name
❯ kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
EOF
clusterpolicy.kyverno.io/require-labels created
# List the policy
❯ kubectl get cpol
NAME             BACKGROUND   ACTION    READY
require-labels   true         enforce   true
# Test the policy
❯ kubectl run pod test-pod --image=alpine --restart=Never
Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Pod/default/pod was blocked due to the following policies

require-labels:
  check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required.
    Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'
❯ echo $?
1

Mutating policy

# Policy to add some labels by default
❯  k create -f- << EOF
heredoc> apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
  annotations:
    policies.kyverno.io/title: Add Labels
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Label
    policies.kyverno.io/description: >-
      Labels are used as an important source of metadata describing objects in various ways
      or triggering other functionality. Labels are also a very basic concept and should be
      used throughout Kubernetes. This policy performs a simple mutation which adds a label
      `foo=bar` to Pods, Services, ConfigMaps, and Secrets.
spec:
  rules:
  - name: add-labels
    match:
      resources:
        kinds:
        - Pod
        - Service
        - ConfigMap
        - Secret
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            foo: bar

heredoc> EOF
clusterpolicy.kyverno.io/add-labels created
# Create a sample pod
❯ kubectl run test-pod --image=alpine --restart=Never
pod/test-pod created
# Test the application
❯ kubectl get pod test-pod --show-labels
NAME       READY   STATUS      RESTARTS   AGE   LABELS
test-pod   0/1     Completed   0          18s   foo=bar,run=test-pod

All policies
Adding a created-by label


Kyverno CLI
From the documentation:

The Kyverno Command Line Interface (CLI) is designed to validate and test policy behavior to resources prior to adding them to a cluster. The CLI can be used in CI/CD pipelines to assist with the resource authoring process to ensure they conform to standards prior to them being deployed. It can be used as a kubectl plugin or as a standalone CLI.


Testing for CI

You need the Kyverno CLI installed.

  • To test the YAMLs in a local folder given-folder/:
❯ kyverno test given-folder/
  • To test the YAMLs in a git repo:
❯ kyverno test https://<repo-url>
  • To test the YAMLs in a given folder of a given branch of a git repo:
❯ kyverno test https://<repo-url>/<folder> --git-branch <BRANCH>
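As an added example (not from the original post or the Kyverno project), here is what given-folder/ could contain so that `kyverno test given-folder/` exercises both policies shown earlier: the require-labels validating policy and the add-labels mutating policy. The two policy manifests are assumed to be copied verbatim from the sections above into require-labels.yaml and add-labels.yaml; the file names, the two sample Pods and the expected patched Pod are constructed for this example. The test-file fields (name, policies, resources, results with result and patchedResource) follow the schema used by the Kyverno 1.6-era CLI that this post installs; newer CLI releases moved to a typed Test resource (apiVersion cli.kyverno.io/v1alpha1), so check the docs of the CLI version in your pipeline.

```yaml
# given-folder/resources.yaml
# Constructed sample input: one Pod that carries the required label, one that does not.
apiVersion: v1
kind: Pod
metadata:
  name: labelled-pod
  namespace: default
  labels:
    app.kubernetes.io/name: demo
spec:
  containers:
  - name: app
    image: alpine
---
apiVersion: v1
kind: Pod
metadata:
  name: unlabelled-pod
  namespace: default
spec:
  containers:
  - name: app
    image: alpine
---
# given-folder/patched-labelled-pod.yaml
# Constructed expected output: labelled-pod after the add-labels mutation (foo=bar added).
apiVersion: v1
kind: Pod
metadata:
  name: labelled-pod
  namespace: default
  labels:
    app.kubernetes.io/name: demo
    foo: bar
spec:
  containers:
  - name: app
    image: alpine
---
# given-folder/kyverno-test.yaml
# The test definition that `kyverno test given-folder/` picks up.
# require-labels.yaml and add-labels.yaml are the two ClusterPolicies from the post, copied as-is.
name: policy-tests
policies:
  - require-labels.yaml
  - add-labels.yaml
resources:
  - resources.yaml
results:
  # The labelled Pod satisfies the "?*" pattern, so validation is expected to pass.
  - policy: require-labels
    rule: check-for-labels
    resource: labelled-pod
    namespace: default
    kind: Pod
    result: pass
  # The unlabelled Pod must be rejected: an expected "fail" here means the test
  # passes only if the policy actually blocks the resource.
  - policy: require-labels
    rule: check-for-labels
    resource: unlabelled-pod
    namespace: default
    kind: Pod
    result: fail
  # For the mutating rule the CLI compares its output against patchedResource.
  - policy: add-labels
    rule: add-labels
    resource: labelled-pod
    namespace: default
    kind: Pod
    patchedResource: patched-labelled-pod.yaml
    result: pass
```

Running `kyverno test given-folder/` then reports one line per results entry; a CI job fails if any expected outcome differs from what the policies actually did. Keeping a deliberately non-compliant resource (unlabelled-pod) in the fixture is the important part: it proves the enforce rule still blocks what it should, rather than only confirming that compliant inputs are accepted.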

test documentation


More info

Documentation
Excellent tutorial


I love the policy library that has a lot of specific examples
