Kyverno — A Kubernetes native policy manager (Policy as Code)

Arun Singh Sisodiya
5 min read · Sep 15, 2021

Kyverno logo

Problem Statement

While working with a Kubernetes cluster, we run into many problem statements, such as:

  • If one application has very high CPU and memory utilization, how will the other applications keep running?
  • A user changes the default network policies, which can open the gates to attackers. How can we prevent that?
  • Developers are not following best practices for their applications, such as using the latest tag for Docker images.
  • Checking whether the k8s resources are configured properly according to the needs of the project.

How can we tackle such situations? How can we put policies to the cluster? 🤔

Solution

To handle such situations, we can add a policy management solution to the Kubernetes cluster that takes care of many policy-related problems.

There are many policy management solutions available, such as OPA Gatekeeper, but there is also a cloud-native solution built specifically for k8s, i.e. Kyverno (https://kyverno.io/).

Kyverno Overview

Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies.

Kyverno policies can perform the following operations on Kubernetes resources:

  • Validation
  • Mutation
  • Generation

The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.

For more reference — https://kyverno.io/docs/introduction/

Kyverno Installation

Prerequisites

To install Kyverno, we need a functional Kubernetes cluster. For this purpose, we can either use local k8s clusters such as Minikube, Kind etc. or any cluster running on the cloud.

Kyverno can be installed using the installation methods mentioned at https://kyverno.io/docs/installation/

Helm Installation

In order to install Kyverno using Helm, perform the following steps:

  • Add the Kyverno Helm repository:
    helm repo add kyverno https://kyverno.github.io/kyverno/
  • Refresh the Helm repositories to get the latest Kyverno charts:
    helm repo update
  • For Kyverno version ≥ 1.4.2, we need to add kyverno-crds separately before installing kyverno.

YAML Installation

If you want to install Kyverno without Helm, directly from the manifest, you can deploy the latest release using the following command:

kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml

Kyverno Operations

Let's have a deeper look into the operations that can be performed using Kyverno.

Validation

Using validation, we can tackle situations such as high CPU or memory usage, or prevent the default network policies from being altered. We apply a Kyverno policy to perform such validation.

Here is a sample ClusterPolicy definition that blocks the creation of k8s resources whose containers do not define resource requests and limits:

Once this policy is applied, no one can create any Kubernetes resource without resource definitions for its containers. This prevents a single application from over-utilizing the cluster.
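Because the embedded gist is not reproduced here, the following is an added example (not the original post's policy) of a validate ClusterPolicy that requires CPU and memory requests and limits on every container; the policy and rule names are my own.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits   # name chosen for this example
spec:
  validationFailureAction: enforce
  # background: true also reports existing Pods that violate the rule
  background: true
  rules:
  - name: validate-resources
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "CPU and memory requests and limits are required for every container."
      pattern:
        spec:
          containers:
          # '?*' matches any non-empty value, so each field must be set;
          # the list pattern applies to every container in the Pod
          - resources:
              requests:
                cpu: "?*"
                memory: "?*"
              limits:
                cpu: "?*"
                memory: "?*"
```

Kyverno auto-generates matching rules for Pod controllers (Deployment, StatefulSet, etc.), so the policy also covers Pods created through those controllers.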

More kyverno validation policies can be found here — https://kyverno.io/policies/?policytypes=validate

Mutation

Using mutation, we can modify the resources if a certain condition matches. For example, we can change the imagePullPolicy to Always if the image tag is latest.
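The mutation described above, as an added example that is not part of the original post: a conditional anchor on the image field patches only containers whose tag is latest.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-image-pull-policy   # name chosen for this example
spec:
  rules:
  - name: always-pull-latest
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # Conditional anchor: the patch is applied only to containers
          # whose image matches '*:latest'; other containers are untouched.
          - (image): "*:latest"
            imagePullPolicy: Always
```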

More kyverno mutation policies can be found here — https://kyverno.io/policies/?policytypes=mutate

Generation

Using generation, we can create new resources in the Kubernetes cluster when a condition is met.

For example, whenever a new namespace is created, we might want to create ResourceQuota and LimitRange resources for that namespace.

Such a policy generates the respective resources whenever a new namespace is created.
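An added example (not the post's own gist) of a generate ClusterPolicy that creates a ResourceQuota and a LimitRange in every newly created namespace; the resource names and the quota values are assumptions chosen for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ns-quota   # name chosen for this example
spec:
  rules:
  - name: generate-resourcequota
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: v1
      kind: ResourceQuota
      name: default-resourcequota
      # the namespace that triggered the rule, taken from the admission request
      namespace: "{{request.object.metadata.name}}"
      synchronize: true   # keep the generated resource in sync with the policy
      data:
        spec:
          hard:
            requests.cpu: "4"
            requests.memory: "16Gi"
            limits.cpu: "4"
            limits.memory: "16Gi"
  - name: generate-limitrange
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: v1
      kind: LimitRange
      name: default-limitrange
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          limits:
          - type: Container
            default:          # limits applied to containers that set none
              cpu: 500m
              memory: 1Gi
            defaultRequest:   # requests applied to containers that set none
              cpu: 200m
              memory: 256Mi
```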

More kyverno generation policies can be found here — https://kyverno.io/policies/?policytypes=generate

Hands-On

Now we will see Kyverno in action. To check whether Kyverno is installed properly, list all the resources in the kyverno namespace:

Kyverno Verification

Applying Policies

Once the Kyverno installation has been verified, we will create some policies and apply them to the cluster.

Now we want to apply a policy that disallows resource creation in the default namespace.

Resource Creation Testing

Once the policies are applied to the cluster, we can proceed with testing resource creation.

Since we have applied a policy that ensures no resource can be created in the default namespace, we will try to create a pod in the default namespace.

The above error shows that we are not allowed to create the resource in the default namespace.

Now we will try to create the same pod in the kyverno namespace and see whether that works.

As we can see, we can create the pod in any namespace other than the default one.
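The hands-on scenario above, as an added example (the post's own policy gist is not reproduced here): a validate ClusterPolicy that rejects workloads in the default namespace, followed by a constructed test Pod; names and the image are my own choices.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace   # name chosen for this example
spec:
  # enforce: the API server rejects the request;
  # audit: the request is admitted and the violation is only reported.
  validationFailureAction: enforce
  rules:
  - name: validate-pod-namespace
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using the 'default' namespace is not allowed."
      pattern:
        metadata:
          namespace: "!default"   # '!' negates: any namespace except default
  - name: validate-controller-namespace
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
          - DaemonSet
          - Job
          - CronJob
    validate:
      message: "Using the 'default' namespace is not allowed for workload controllers."
      pattern:
        metadata:
          namespace: "!default"
---
# Constructed test Pod: rejected in 'default', admitted in any other namespace
# (e.g. after changing metadata.namespace to kyverno).
apiVersion: v1
kind: Pod
metadata:
  name: nginx-test
  namespace: default
spec:
  containers:
  - name: nginx
    image: nginx:1.21
```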

Note

There is one important option when applying validation policies — Validation Failure Action, which determines how the user is affected by the policy. If we set this option to enforce, the end user will not be able to create the resource, while with the option audit the end user can create the resource but a warning will be logged in the events.
Reference: https://kyverno.io/docs/writing-policies/validate/#validation-failure-action

Conclusion

As we can see, Kyverno is an awesome Policy as Code or policy management tool that is native to Kubernetes. We can easily apply policies and best practices to our Kubernetes clusters. Since the policies are written in YAML, they are quite easy to write and carry less complexity.

Thanks for reading. Hope you got good insights about Kyverno.
