Policy As Code on Kubernetes With Kyverno

Kyverno is an open source, Kubernetes-native policy engine that defines policies using ordinary Kubernetes manifests, so you can enforce Kubernetes best practices for your organisation with CRDs.

Kubernetes has been able to revolutionise the cloud-native ecosystem by allowing people to run distributed applications at scale. Though Kubernetes is a feature-rich and robust container orchestration platform, it does come with its own set of complexities. Managing Kubernetes at scale with multiple teams working on it is not easy, and ensuring that people do the right thing and stay within their boundaries is hard to manage by hand.

Kyverno is just the right tool for this. It is an open source, Kubernetes-native policy engine that lets you define policies using simple Kubernetes manifests. It can validate, mutate, and generate Kubernetes resources, which allows organisations to define and enforce policies so that developers and administrators maintain a certain standard.

How Does Kyverno Work?

Kyverno runs as a dynamic admission controller: every request sent to the Kubernetes API server (for example via kubectl) passes through its webhook. If the request matches a policy, Kyverno applies that policy's rules; a request that violates a validation rule in enforce mode is rejected with the message defined in the rule.

This enables Kyverno to provide features such as:

  • Checking for CPU and memory limits.
  • Ensuring that users don’t change default network policies.
  • Checking if the resource name matches a particular pattern.
  • Ensuring that specific resources always contain a specific label.
  • Denying deletes and changes for particular resources.
  • Automatically changing imagePullPolicy to Always if the image tag is latest.
  • Generating a default network policy for every new namespace.

Kyverno uses custom resource definitions to define policies, so installing a policy is as simple as applying its manifest with kubectl.

There are three main functions provided by Kyverno:

  • Validation
  • Mutation
  • Generation

Let’s have a look at some example manifests for each.

Validation

An excellent use case for this is to ensure that all pods have resource requests and limits set. The following policy shows how:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-resources
spec:
  validationFailureAction: enforce
  rules:
    - name: check-pod-resources
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory resource requests and limits are required"
        pattern:
          spec:
            containers:
              # "*" matches any container name, so the pattern applies to every container
              - name: "*"
                resources:
                  limits:
                    memory: "?*"   # "?*" requires a non-empty value
                    cpu: "?*"
                  requests:
                    memory: "?*"
                    cpu: "?*"

While most of it is self-explanatory, validationFailureAction specifies whether to enforce the rule (enforce: non-compliant requests are rejected) or only audit it (audit: requests are admitted but violations are reported).

Mutation

Mutation means modifying a resource at admission time if it matches a particular condition. A great example of this is to change the imagePullPolicy to Always if the image tag is latest.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-pull-policy-always
spec:
  rules:
    - name: image-pull-policy-latest
      match:
        resources:
          kinds:
            - Pod
      mutate:
        overlay:
          spec:
            containers:
              # (image) is a conditional anchor: the overlay is applied only to
              # containers whose image tag is latest; other containers are untouched
              - (image): "*:latest"
                imagePullPolicy: "Always"
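To make the validation and mutation patterns above concrete, here is a small re-implementation of Kyverno's pattern matching, written as an added example rather than Kyverno's own code. It supports the wildcards used on this page ("*", "?", "?*"), the list-of-maps rule and the conditional "(key)" anchor, and ignores Kyverno's other anchor kinds; the function names, the dict form of the policies and the sample Pods are all constructed for this example.

```python
from fnmatch import fnmatchcase

def matches(resource, pattern):
    """True if `resource` satisfies `pattern` (simplified Kyverno pattern semantics)."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        # "(key)" is a conditional anchor: when it does not match, the whole map
        # pattern is skipped, i.e. the rule simply does not apply to this object.
        anchors = [k for k in pattern if k.startswith("(") and k.endswith(")")]
        if any(k[1:-1] not in resource or not matches(resource[k[1:-1]], pattern[k])
               for k in anchors):
            return True
        return all(k in resource and matches(resource[k], v)
                   for k, v in pattern.items() if k not in anchors)
    if isinstance(pattern, list):
        if not isinstance(resource, list) or not pattern:
            return False
        if isinstance(pattern[0], dict):
            # A list of maps uses its first element as the pattern for every item.
            return all(matches(item, pattern[0]) for item in resource)
        return len(resource) >= len(pattern) and all(
            matches(r, p) for r, p in zip(resource, pattern))
    # Scalars: "*" matches any run of characters, "?" exactly one, so "?*" = non-empty.
    return fnmatchcase(str(resource), str(pattern))

# validate.pattern of the check-resources policy above, as a Python dict.
CHECK_RESOURCES = {"spec": {"containers": [{"name": "*", "resources": {
    "limits": {"memory": "?*", "cpu": "?*"}, "requests": {"memory": "?*", "cpu": "?*"}}}]}}
MESSAGE = "CPU and memory resource requests and limits are required"
# Condition of the image-pull-policy-always overlay: only containers whose image tag
# is latest are considered, and those must already carry imagePullPolicy: Always.
LATEST_ANCHOR = {"(image)": "*:latest", "imagePullPolicy": "Always"}

def validate_pod(pod):
    """Return None if the Pod passes check-resources, else the rule's message."""
    return None if matches(pod, CHECK_RESOURCES) else MESSAGE

# Constructed sample Pods (not taken from any real cluster).
GOOD_POD = {"kind": "Pod", "spec": {"containers": [{"name": "app", "image": "nginx:1.21",
    "resources": {"limits": {"memory": "128Mi", "cpu": "500m"},
                  "requests": {"memory": "64Mi", "cpu": "250m"}}}]}}
BAD_POD = {"kind": "Pod", "spec": {"containers": [{"name": "app", "image": "nginx:latest",
    "resources": {"requests": {"memory": "64Mi", "cpu": "250m"}}}]}}

if __name__ == "__main__":
    print(validate_pod(GOOD_POD), "|", validate_pod(BAD_POD))
    for c in GOOD_POD["spec"]["containers"] + BAD_POD["spec"]["containers"]:
        print(c["image"], "needs no mutation:", matches(c, LATEST_ANCHOR))
```

For the overlay, matches() returning False means the container has a latest tag but lacks imagePullPolicy: Always, i.e. the mutation would rewrite it; a non-latest image never triggers the anchor and so passes untouched.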

Generate

Generate, as the name suggests, creates a resource in response to a particular event. For example, when someone creates a new namespace, we might want to enforce a default network policy in it.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "default"
spec:
  rules:
    - name: "default-deny"
      match:
        resources:
          kinds:
            - Namespace
          name: "*"
      exclude:
        resources:
          namespaces:
            - "kube-system"
            - "default"
            - "kube-public"
            - "kyverno"
      generate:
        kind: NetworkPolicy
        apiVersion: networking.k8s.io/v1
        name: default-deny-all-traffic
        # The triggering object is the Namespace itself, so its name lives in
        # metadata.name (a Namespace has no metadata.namespace field)
        namespace: "{{request.object.metadata.name}}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
