A policy engine designed for Kubernetes

Kyverno

Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.

Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.

Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources.

Kyverno runs as a dynamic admission controller in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.

Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names.

Mutating policies can be written as overlays (similar to Kustomize) or as a JSON Patch. Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing.

Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.

Examples

1. Validating resources

This policy requires that all pods have CPU and memory resource requests and limits:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-cpu-memory
spec:
  rules:
  - name: check-pod-resources
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "CPU and memory resource requests and limits are required"
      pattern:
        spec:
          containers:
          # 'name: *' selects all containers in the pod
          - name: "*"
            resources:
              limits:
                # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
                # Using them together e.g. '?*' requires at least one character. 
                memory: "?*"
                cpu: "?*"
              requests:
                memory: "?*"
                cpu: "?*"

2. Mutating resources

This policy sets the imagePullPolicy to Always if the image tag is latest:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-image-pull-policy
spec:
  rules:
  - name: set-image-pull-policy
    match:
      resources:
        kinds:
        - Deployment
    mutate:
      overlay:
        spec:
          template:
            spec:
              containers:
                # match images which end with :latest   
                - (image): "*:latest"
                  # set the imagePullPolicy to "Always"
                  imagePullPolicy: "Always"

3. Generating resources

This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "zk-kafka-address"
spec:
  rules:
  - name: "zk-kafka-address"
    match:
      resources:
        kinds:
          - Namespace
        selector:
          matchExpressions:
          - {key: kafka, operator: Exists}
    generate:
      kind: ConfigMap
      name: zk-kafka-address
      # create the resource in the new namespace
      namespace: "{{request.object.metadata.name}}"
      data:
        kind: ConfigMap
        data:
          ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
          KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"