In this article we will learn about Kyverno, a policy engine built for Kubernetes. Policies are written as ordinary Kubernetes resources, and Kyverno enforces them as an admission controller, so you can write, test and apply rules that validate resources before they reach the cluster. Kyverno also provides mechanisms for reporting, monitoring and securing the engine itself, and there is a Kyverno CLI for testing and applying policies outside the cluster.
Installation
1. From the main branch (this is the development build, not a tagged release, so it may be unstable)
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/install.yaml
2. Using Helm
# Add the Helm repository
helm repo add kyverno https://kyverno.github.io/kyverno/
# Scan your Helm repositories to fetch the latest available charts.
helm repo update
# Install the Kyverno Helm chart into a new namespace called "kyverno"
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
Make sure that you use a Kyverno version that supports your Kubernetes version: each Kyverno release is tested against a specific range of Kubernetes releases, and the Kyverno installation documentation publishes a compatibility matrix. Check it before installing.
Creating a Policy
A policy is a collection of rules. Each rule selects the resources it applies to (match and exclude) and declares what to check. A ClusterPolicy applies cluster-wide; a Policy applies to a single namespace.
Let's create a ClusterPolicy with one validation rule requiring that every Pod carries the label iamunderpolicy.
Whether non-compliant API requests are blocked is controlled by the validationFailureAction attribute, which takes one of two values –
- enforce – the admission request is rejected and the resource is not created.
- audit – the request is admitted, and the violation is recorded in a policy report instead.
kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'iamunderpolicy' is required"
      pattern:
        metadata:
          labels:
            iamunderpolicy: "?*"
EOF
The value "?*" is a wildcard pattern: ? matches exactly one character and * matches any number of characters, so "?*" means "any non-empty string". The label must therefore exist and have a value, but the value itself is not checked.
What happens if deployed without satisfying policy?
Let's create a Deployment whose Pod template does not carry the iamunderpolicy label –
kubectl create deployment nginx --image=nginx
This fails with the following error –
error: failed to create deployment: admission webhook "validate.kyverno.svc-fail" denied the request:
resource Deployment/default/nginx was blocked due to the following policies
require-labels:
  autogen-check-for-labels: 'validation error: label ''iamunderpolicy'' is required. Rule autogen-check-for-labels failed at path /spec/template/metadata/labels/iamunderpolicy/'
Note that the rule only matched Pods, yet the Deployment was blocked. Kyverno automatically generates an equivalent rule for Pod controllers (Deployment, StatefulSet, DaemonSet, Job and CronJob) and checks their Pod templates, which is why the failing rule is named autogen-check-for-labels and the reported path points into /spec/template/metadata/labels.
Now let's create a Pod that carries the label –
kubectl run nginx --image nginx --labels iamunderpolicy=nginx
This is admitted without any issues, because the label is present with a non-empty value.
Deleting Policies
To delete all cluster policies, use this command –
kubectl delete cpol --all
Applying Policies
The kyverno apply command evaluates policies against resources without installing anything in the cluster: it is a dry run that reports which resources would pass or fail each rule. Once the results look right, deploy the policy to the cluster with kubectl.
1. Applying policy to a single resource –
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
2. Applying to all matching resources in the current cluster (read through your kubeconfig) –
kyverno apply /path/to/policy.yaml --cluster
3. Multiple policies applied to multiple resources –
kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster
Testing Policies
To test policies, use the test command of the Kyverno CLI. It looks for kyverno-test.yaml files in a local directory or a git repository. Each test file lists the policies and resources to load and the result (pass, fail or skip) expected for every policy, rule and resource combination; the command evaluates them and reports any mismatch, which makes it suitable for running in CI before a policy is rolled out.
1. Testing in the current directory
kyverno test .
2. Testing on a directory
kyverno test /path/to/folderContainingTestYamls
3. Testing on a Git repository
kyverno test https://github.com/kyverno/policies/release-1.6
4. Testing on a Git branch
kyverno test https://github.com/kyverno/policies/pod-security/restricted -b branch_name
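As an added example (not from the original article or the Kyverno project), here is a complete test layout for the require-labels policy from the Creating a Policy section, in the kyverno-test.yaml format used by the 1.6-era CLI this article targets. It assumes that policy is saved as require-labels.yaml in the same directory, and it declares three constructed resources: a Pod with the label (expected to pass), a Pod without it (expected to fail), and a Deployment without it, which exercises the auto-generated rule autogen-check-for-labels. The block shows two files one after the other, kyverno-test.yaml and resources.yaml; split them at the file-name comments, then run kyverno test . in that directory. Newer CLI releases changed the test schema (they add apiVersion: cli.kyverno.io/v1alpha1 and kind: Test), so check the documentation for the version you install.

```yaml
# kyverno-test.yaml (constructed example; Kyverno CLI 1.6-era schema)
name: require-labels-test
policies:
  - require-labels.yaml        # the ClusterPolicy from the article, saved to a file
resources:
  - resources.yaml             # the three constructed test resources below
results:
  - policy: require-labels
    rule: check-for-labels
    resource: nginx-labelled
    kind: Pod
    result: pass
  - policy: require-labels
    rule: check-for-labels
    resource: nginx-unlabelled
    kind: Pod
    result: fail
  # Pod controllers are checked by the auto-generated copy of the rule,
  # so the expected rule name carries the autogen- prefix
  - policy: require-labels
    rule: autogen-check-for-labels
    resource: nginx-deploy-unlabelled
    kind: Deployment
    result: fail
---
# resources.yaml (constructed test resources)
apiVersion: v1
kind: Pod
metadata:
  name: nginx-labelled
  labels:
    iamunderpolicy: nginx      # any non-empty value satisfies the "?*" pattern
spec:
  containers:
  - name: nginx
    image: nginx
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-unlabelled       # no iamunderpolicy label: must fail
spec:
  containers:
  - name: nginx
    image: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy-unlabelled
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx             # Pod template lacks iamunderpolicy: autogen rule must fail
    spec:
      containers:
      - name: nginx
        image: nginx
```

Keeping the expected failures in the test file is as important as the passes: a policy that accidentally matches nothing will make every "pass" case succeed, and only the "fail" cases will catch that.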
Reporting
Reporting provides information about the validation results for resources that exist in the cluster. Kyverno records results per namespace (PolicyReport) or cluster-wide (ClusterPolicyReport). Each entry in a policy report has a result field that is one of pass, skip, warn, error or fail. Reports cover resources that were admitted (for example under an audit-mode policy) or found by Kyverno's background scan of existing resources; a request rejected by an enforce-mode policy never became a resource, so it appears in the admission error and in Kyverno's metrics and events rather than in a report.
To view summary of policy reports, run this command –
kubectl get policyreport -A
# or
kubectl get polr -A
The result will be –
NAMESPACE     NAME                  PASS   FAIL   WARN   ERROR   SKIP   AGE
default       polr-ns-default       338    2      0      0       0      28h
flux-system   polr-ns-flux-system   135    5      0      0       0      28h
To view cluster wide reports –
kubectl get clusterpolicyreport
Monitoring
Monitoring lets you visualize and alert on policy results and on the health of Kyverno itself. Kyverno exposes Prometheus metrics (for example counters of policy results and admission requests), which Prometheus can scrape and Grafana can graph. Alerting matters here because a policy engine that is down or misconfigured fails quietly from the point of view of the workloads it is supposed to check.
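As an added example (not part of the original article), here is a set of Prometheus alerting rules written as a PrometheusRule resource for the Prometheus Operator; that operator, the namespace and the release label are assumptions, and if you run a plain Prometheus the same rule group goes into its rules file. The first rule fires when an enforce-mode policy blocks requests, which usually means either a misconfigured workload or someone trying to deploy something the policy forbids; the second surfaces audit-mode failures so a policy can be trialled in audit before switching to enforce; the third fires when no healthy Kyverno target is scraped. The metric name kyverno_policy_results_total and its labels rule_result, policy_validation_mode and policy_name are taken from the Kyverno metrics reference; confirm them against the version you run, as names have changed between releases. The scrape job name matched by the third rule is an assumption about your scrape configuration.

```yaml
# Constructed example: alert on Kyverno policy results with the Prometheus Operator
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: kyverno-policy-alerts
  namespace: kyverno          # assumption: Prometheus is configured to pick up rules here
  labels:
    release: prometheus       # assumption: must match your Prometheus ruleSelector
spec:
  groups:
  - name: kyverno.rules
    rules:
    # Requests rejected by enforce-mode policies in the last 10 minutes, per policy
    - alert: KyvernoEnforceBlocks
      expr: |
        sum by (policy_name) (
          increase(kyverno_policy_results_total{rule_result="fail",policy_validation_mode="enforce"}[10m])
        ) > 0
      labels:
        severity: warning
      annotations:
        summary: "Kyverno policy {{ $labels.policy_name }} blocked requests"
        description: "{{ $value }} admission requests were denied by enforce-mode policy {{ $labels.policy_name }} in the last 10 minutes."
    # Audit-mode violations: the resource was admitted, so nothing stopped it
    - alert: KyvernoAuditViolations
      expr: |
        sum by (policy_name) (
          increase(kyverno_policy_results_total{rule_result="fail",policy_validation_mode="audit"}[30m])
        ) > 0
      labels:
        severity: info
      annotations:
        summary: "Kyverno audit policy {{ $labels.policy_name }} recorded violations"
        description: "Review the PolicyReport objects (kubectl get polr -A) to find the offending resources."
    # No healthy Kyverno target. With the webhook failurePolicy set to Fail, matched
    # resources cannot be admitted while Kyverno is down; with Ignore, policies are
    # silently bypassed. Either way it needs attention.
    - alert: KyvernoAdmissionControllerDown
      expr: absent(up{job=~".*kyverno.*"} == 1)   # assumption: scrape job name contains "kyverno"
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "No healthy Kyverno target is being scraped"
        description: "Check the kyverno pods and the webhook configuration; admission of matched resources may be blocked or unchecked."
```

The audit alert is deliberately low severity: its purpose is to show what would be blocked once a policy is switched to enforce, so you can fix the offending workloads first instead of discovering them as deployment failures.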
Security
Because Kyverno sits in the admission path, it is itself a high-value target. Anyone who can edit ClusterPolicy objects, or Kyverno's webhook configuration and resource filters, can weaken or disable your controls, so restrict those permissions with RBAC and monitor changes to them. Keep Kyverno up to date and follow the project's security advisories. Before deploying, verify that the Kyverno container image is signed: the project signs its release images with cosign using Sigstore keyless signing, so use cosign verify to check the signature and the signing identity of the exact image reference you intend to run, rather than trusting the tag alone.
Kyverno CLI
Use the Kyverno CLI to test and apply policies from your workstation or a CI pipeline, without needing a cluster.
Installing Kyverno CLI
1. Via Krew
# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno
# test the Kyverno CLI
kubectl kyverno version
2. Via AUR
yay -S kyverno-git
3. Via Homebrew
brew install kyverno
4. From Source
git clone https://github.com/kyverno/kyverno
cd kyverno
make cli
mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
The main CLI commands are –
- apply – evaluate policies against resource files or a live cluster as a dry run
- test – run the kyverno-test.yaml test cases found in a directory or git repository
- jp – evaluate JMESPath expressions, the query language Kyverno uses for policy variables, against JSON or YAML input
- version – print the CLI version
Conclusion
Kyverno is a powerful tool for creating, testing and enforcing policies on Kubernetes. In this article we saw how to quickly get started with Kyverno using a sample validation policy, how to test it with the CLI, and where to look for reports and metrics. You can learn more in the official documentation.