Kyverno - Kubernetes native policy management for k8s admins

Suresh Kumar - Apr 22 '22 - - Dev Community

Kubernetes Policy management

As k8s cluster administrator, you would want to enforce certain protocols to be followed on the cluster like below

  • enforce standard best practices
  • improve security
  • eliminate misconfigurations
  • reduce configuration complexity
  • automate policy management
  • synchronize configurations across namespaces
  • block non-conformant resources using admission controls, or report policy violations
  • test policies and validate resources using the Kyverno CLI, in your CI/CD pipeline, before applying to your cluster
  • manage policies as code using familiar tools like git and kustomize

Kyverno

  • Kyverno is a Kubernetes-native policy engine that helps you define policies using k8s manifests.
  • Using Kyverno, platform team can define policies and ensure the configurations are compliant with their security and best practices standards.
  • Kyverno policies can be defined with declaratively like standard k8s manifests.
  • Kyverno can be easily integrated into your existing CI/CD Pipelines.
  • Under the hood kyverno makes use of k8s admission webhooks to manage and validate policies.

Kyverno Features

  • easy to write and manage policies with yaml manifests.
  • support all k8s resource types including Custom Resources.
  • Validate, Mutate, or Generate any resource using policy
  • Image Verify - verify container images for software supply chain security

Common use cases

  • Pod and workload security configurations
  • Best practice configurations
  • Fine-grained RBAC
  • Auto-Labeling resources
  • Image Signing and Supply Chain Security

Kyverno Architecture

Kyverno runs as a dynamic admission controller in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.

Kyverno policies can match resources using the resource kind, name, and label selectors.

Mutating policies can be written as overlays (similar to Kustomize) or as a RFC 6902 JSON Patch. Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing.

An admission controller is a piece of code that intercepts requests to the Kubernetes API server before the persistence(storing in ETCD) of the object, but after the request is authenticated and authorized(RBAC). It can be regarded as checkpoints for Kubernetes API requests and can completely deny/accept the requests or change the request object altogether.

Kubernetes also has some Dynamic Admission Controllers like ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks, which can validate and mutate the requests sent by the user.

The following diagram below shows how the admission controller works after authorization/authentication and before persisting it to etcd.

kyverno architecture

References

In the next article, we will learn to install kyverno and write policy for kubernetes manifests.

If you like this article, subscribe to the newsletter and Connect with me on twitter to get updates on my future articles. ✅

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .