DEV Community

Jeg
Kyverno - Namespace restriction policy

Following are the Helm commands to install Kyverno:

helm repo add kyverno https://kyverno.github.io/kyverno
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

To uninstall Kyverno with Helm:

helm uninstall kyverno -n kyverno

Chart version: 3.4.1
Kyverno version: v1.14.1

The following components will get installed in the cluster:

  • CRDs
  • Admission controller
  • Reports controller
  • Cleanup controller
  • Background controller

kyverno.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
  - name: require namespace standard names
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      failureAction: Enforce
      message: "You must have the proper naming standard for namespace creation"
      pattern:
        metadata:
          name: dev

To allow several naming standards, separate the alternatives with "|" (logical OR) in the pattern value; wildcards are permitted in each alternative:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
  - name: require namespace standard names
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      failureAction: Enforce
      message: "You must have the proper naming standard for namespace creation"
      pattern:
        metadata:
          name: app-poc-* | app-prod-* | app-test*
Check that the policy is ready:

kubectl get ClusterPolicy
NAME                    ADMISSION   BACKGROUND   READY   AGE     MESSAGE
namespace-restriction   true        true         True    2m49s   Ready

Now create a namespace whose name does not match any of the allowed patterns:

namespace.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    name: development

Following is the error thrown:

Error from server: error when creating "namespace.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Namespace//development was blocked due to the following policies 

namespace-restriction:
  require namespace standard names: 'validation error: You must have the proper naming
    standard for namespace creation. rule require namespace standard names failed
    at path /metadata/name/'
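To see exactly which names the "app-poc-* | app-prod-* | app-test*" pattern admits before rolling the policy out, the following added example (not Kyverno's own code) reproduces the matching rules Kyverno applies to a validate pattern string: `*` matches any run of characters including none, `?` matches exactly one character, and `|` separates alternatives of which any one may match. The pattern string is copied from the ClusterPolicy above; the assumption that whitespace around each alternative is ignored, the sample manifests, and the helper names (`matches_pattern`, `admit_namespace`, `review`) are this example's own, not part of the post.

```python
"""Simulate Kyverno pattern matching for Namespace names (added example)."""
import re
from typing import Dict, List, Tuple

# Pattern value from the ClusterPolicy above
# (spec.rules[0].validate.pattern.metadata.name).
NAME_PATTERN = "app-poc-* | app-prod-* | app-test*"
RULE_NAME = "require namespace standard names"
MESSAGE = "You must have the proper naming standard for namespace creation"


def wildcard_to_regex(alternative: str) -> "re.Pattern[str]":
    """Translate one wildcard alternative into a regex used with fullmatch.

    '*' -> any run of characters (including none), '?' -> exactly one
    character; everything else is literal. fullmatch anchors the pattern to
    the whole name, so "xapp-prod-1" does not match "app-prod-*".
    """
    pieces = []
    for ch in alternative:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces))


def matches_pattern(value: str, pattern: str) -> bool:
    """True if value matches at least one '|'-separated alternative.

    Assumption: whitespace around each alternative is insignificant, as in
    the page's pattern "app-poc-* | app-prod-* | app-test*". A pattern
    without '|' or wildcards (e.g. "dev") therefore requires an exact match.
    """
    alternatives = [alt.strip() for alt in pattern.split("|") if alt.strip()]
    return any(wildcard_to_regex(alt).fullmatch(value) is not None
               for alt in alternatives)


def admit_namespace(manifest: Dict, pattern: str = NAME_PATTERN) -> Tuple[bool, str]:
    """Simulate the admission decision for one manifest.

    Returns (allowed, message). The denial message mirrors the shape of the
    webhook error shown above, including the failing path /metadata/name/.
    Non-Namespace kinds are not matched by the rule and pass through.
    """
    if manifest.get("kind") != "Namespace":
        return True, "not a Namespace; rule does not match"
    name = manifest.get("metadata", {}).get("name", "")
    if matches_pattern(name, pattern):
        return True, f"Namespace//{name} admitted"
    return False, (
        f"resource Namespace//{name} was blocked: validation error: {MESSAGE}. "
        f"rule {RULE_NAME} failed at path /metadata/name/"
    )


# Constructed sample manifests (not from the page) covering the edge cases:
# zero-length wildcard match, missing trailing hyphen, and a prefixed name.
SAMPLE_MANIFESTS: List[Dict] = [
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "app-poc-1"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "app-test"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "app-poc"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "development"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "xapp-prod-1"}},
]


def review(manifests: List[Dict], pattern: str = NAME_PATTERN) -> Dict[str, bool]:
    """Map each manifest's namespace name to its admission decision."""
    return {m["metadata"]["name"]: admit_namespace(m, pattern)[0] for m in manifests}


if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        allowed, msg = admit_namespace(m)
        print("ALLOW" if allowed else "DENY ", msg)
```

Two results are worth noting when writing the real policy: `app-test*` admits the bare name `app-test` because `*` can match nothing, while `app-poc-*` rejects `app-poc` because the trailing hyphen is literal. Tightening `app-test*` to `app-test-*` would make the three alternatives consistent.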

Applying the policy does not disturb existing namespaces or pods; the admission webhook only evaluates new requests. A ClusterPolicy applies to the entire cluster.

YAML manifest to install Kyverno through Argo CD:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 3.4.1
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true