Kyverno
Kyverno is a Kubernetes-native policy engine that allows you to write policies as Kubernetes resources. Unlike OPA/Gatekeeper, Kyverno uses YAML and doesn’t require learning a special policy language.
What is Kyverno?
Kyverno (Greek for “govern”) provides:
- Kubernetes-native - Policies are Kubernetes CRDs
- YAML-based - No special language to learn
- Validation - Reject non-compliant resources
- Mutation - Automatically fix resources
- Generation - Create resources automatically
Installing Kyverno
kubectl create namespace kyverno
kubectl apply -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
Or using Helm:
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno
Policy Structure
Kyverno policy rules come in three main types:
Validation Policies
Reject resources that don’t meet criteria:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-team-label
      match:
        resources:
          kinds:
            - Deployment
      validate:
        message: "All Deployments must have a 'team' label"
        pattern:
          metadata:
            labels:
              team: "?*"
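The Kyverno CLI can run a policy against manifests on disk with `kyverno test`, which is the quickest way to check a pattern before it touches a cluster. The following is an added example, not part of the original page, that tests the require-labels policy above. It assumes the ClusterPolicy has been saved as `require-labels.yaml`, the file names `resources.yaml` and `kyverno-test.yaml`, the two constructed Deployment manifests, and the `cli.kyverno.io/v1alpha1` test schema used by Kyverno CLI 1.11 and later. The block holds two files; the `# file:` comments mark where each one starts.

```yaml
# file: resources.yaml
# Constructed sample input: one Deployment that carries the required
# 'team' label and one that does not.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
  labels:
    team: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
    spec:
      containers:
        - name: api
          image: registry.example.com/payments/api:1.4.2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: unlabeled-app
  namespace: sandbox
spec:
  selector:
    matchLabels:
      app: unlabeled-app
  template:
    metadata:
      labels:
        app: unlabeled-app
    spec:
      containers:
        - name: app
          image: registry.example.com/sandbox/app:0.1.0
---
# file: kyverno-test.yaml
# Declares which policies and resources to evaluate and the outcome
# expected for each (policy, rule, resource) combination.
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: require-labels
policies:
  - require-labels.yaml   # the ClusterPolicy shown above, saved to disk
resources:
  - resources.yaml
results:
  - policy: require-labels
    rule: check-team-label
    kind: Deployment
    resources:
      - payments-api
    result: pass          # has a 'team' label
  - policy: require-labels
    rule: check-team-label
    kind: Deployment
    resources:
      - unlabeled-app
    result: fail          # no 'team' label, must be rejected
```

Run `kyverno test .` in the directory holding the three files. The CLI prints one row per expected result and exits non-zero when an actual outcome differs from the declared one, so the same command works as a CI gate for policy changes. Writing a failing resource into every test is what proves the pattern actually rejects anything; a test with only passing resources cannot tell a working policy from one that matches nothing.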
Mutation Policies
Automatically modify resources:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources
spec:
  rules:
    - name: add-resource-limits
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name) is a conditional anchor: apply the patch to every container
              - (name): "*"
                resources:
                  limits:
                    # +() adds the field only when it is absent, so values
                    # set by the author of the Pod are not overwritten
                    +(memory): "512Mi"
                    +(cpu): "500m"
                  requests:
                    +(memory): "256Mi"
                    +(cpu): "250m"
Generation Policies
Create resources automatically:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-networkpolicy
spec:
  rules:
    - name: generate-np
      match:
        resources:
          kinds:
            - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
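A generate rule as simple as the one above fires for every Namespace, including the system ones, and the object it creates can later be edited or deleted by hand. The following is an added example, not from the original page, that adds the two controls a practitioner usually wants: an `exclude` so that system namespaces never receive a default-deny policy, and `synchronize: true` so that Kyverno keeps the generated NetworkPolicy in sync with the rule. The excluded namespace list is an assumption and should be adjusted to the distribution in use.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-deny
spec:
  rules:
    - name: default-deny-ingress-egress
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # Do not generate into system namespaces: a default-deny there can
      # break cluster components (assumed list, adjust to your cluster)
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        # The name of the Namespace that triggered the rule
        namespace: "{{request.object.metadata.name}}"
        # Keep the generated object under the rule's control: manual edits
        # are reverted and a deleted NetworkPolicy is recreated
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
```

Without `synchronize`, the generated NetworkPolicy is a one-time copy, and a user with RBAC rights to delete NetworkPolicies in their namespace can silently remove the default-deny. With it, the rule rather than the namespace owner is the source of truth, which is the property a security baseline needs.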
Common Policies
Require Non-Root
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: enforce
  rules:
    - name: check-security-context
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Containers must run as non-root"
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true
            containers:
              - name: "*"
                securityContext:
                  runAsNonRoot: true
Block Privileged Containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-privileged
spec:
  validationFailureAction: enforce
  rules:
    - name: check-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged containers are not allowed"
        pattern:
          spec:
            containers:
              # =() is an equality anchor: the field is only checked if it is
              # present, so Pods that omit securityContext.privileged still pass
              - =(securityContext):
                  =(privileged): "false"
Require Resource Limits
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: enforce
  rules:
    - name: check-resources
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "All containers must have resource limits"
        pattern:
          spec:
            containers:
              - name: "*"
                resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
Image Verification
Kyverno can verify container image signatures:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: enforce
  rules:
    - name: verify-signature
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
        - imageReferences:
            - "*"
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ...
                      -----END PUBLIC KEY-----
Best Practices
- Start with audit mode - Use validationFailureAction: audit first
- Use clear messages - Help users understand why resources are rejected
- Test policies - Test policies in non-production first
- Use patterns - Leverage Kyverno’s pattern matching
- Document policies - Explain what each policy does
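Audit mode and enforcement do not have to be cluster-wide switches. The following is an added example, not from the original page, that combines the first three practices above into one staged rollout of the privileged-container check: the policy audits everywhere, enforces only in the namespace whose report is already clean, skips system namespaces, and scans existing Pods in the background so that the reports cover what is running today, not just new admission requests. The namespace names are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-privileged-staged
spec:
  # Default: record violations in PolicyReports, never block admission
  validationFailureAction: Audit
  # Per-namespace override: switch to Enforce where the audit is clean
  validationFailureActionOverrides:
    - action: Enforce
      namespaces:
        - prod
  # Evaluate existing resources too, so PolicyReports show current state
  background: true
  rules:
    - name: check-privileged
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Assumed exclusions: control-plane add-ons and Kyverno itself
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        # A message that names the field to change and the reason for it
        message: >-
          Privileged containers are not allowed: remove
          securityContext.privileged=true from every container and initContainer.
        pattern:
          spec:
            # Equality anchors: only checked when the field is present,
            # so Pods that never set privileged still pass
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

After applying the policy, `kubectl get policyreport -A` lists pass and fail counts per namespace, and `kubectl describe policyreport -n <namespace>` shows which Pods failed and why. Once a namespace reports no failures, add it to the `validationFailureActionOverrides` list; the rest of the cluster keeps auditing, so nothing is blocked before its owners have seen the findings.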
See Also
- Policy Enforcement - Overview of policy enforcement
- OPA/Gatekeeper - Alternative policy engine
- Policy Patterns - Common policy patterns