1 of 33

Kyverno

Kubernetes Native Policy Management

1

July, 2023

Luxembourg

2 of 33

Agenda

  • Why Policies?
  • Why Kyverno?
  • Top use cases
  • How Kyverno policies work
  • Demo
  • Summary
  • Q&A


3 of 33

About us


  • Intern at Nirmata
  • Kyverno Contributor

  • Staff Engineer at Nirmata
  • Kyverno Co-creator and Maintainer

Shuting Zhao

Vishal Choudhary

4 of 33

Why policies?

5 of 33

The rise of Kubernetes platforms


96% of enterprises are using or evaluating Kubernetes – CNCF survey

6 of 33

The cost of missing Kubernetes guardrails

Confidential


Phase              Pre-deploy   Production
Cost per defect    $25          $15,903
Cost per cluster   $8,151       $5,216,193

Source: https://www.cncf.io/blog/2022/02/02/the-cost-of-a-kubernetes-repair-in-development-vs-production/

Average number of misconfigurations per cluster: 328
Average number of workloads per cluster: 110
Average number of findings per workload: 3

7 of 33


Policies are a contract between Developers, Security, and Operations.

8 of 33

What policies provide

  1. Separation of concerns across Dev-Sec-Ops roles
  2. Security via validation and enforcement checks
  3. Just-in-time automation


9 of 33

Why Kyverno?

10 of 33

Kyverno is the Kubernetes native policy engine


  • 1.3 Billion+ image pulls
  • 3.6K+ GitHub Stars
  • 300+ contributors
  • 1700+ Slack members
  • 230+ policies


CNCF project created and maintained by Nirmata

  • Eliminate misconfigurations
  • Prevent vs. detect
  • Shift-left security

11 of 33

Why Kyverno?

  1. Make K8s policies easy to write and manage
  2. Make policy results easy to process
  3. Validate (audit or enforce), Mutate, and Generate
  4. Support all Kubernetes types including Custom Resources
  5. Use Kubernetes patterns and practices, e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc.


Kyverno simplifies K8s policy management!

12 of 33

CNCF Policy Engines: Kyverno or OPA?

Kyverno                                          OPA / Gatekeeper
Kubernetes-native                                General purpose rules engine
Policies are declarative Kubernetes resources    Custom DSL (Rego) built for authorization
Validation                                       Validation
Mutation                                         --
Generation                                       --
Image Verification                               --
Native CNCF standardized reporting               --
Use GitOps and other Kubernetes tools            --
Higher performance with lower resources          --

“Thank you all for Kyverno, It made K8s policy really easy, I struggled for months with OPA/Gatekeeper, I am glad I found Kyverno.” – GKE admin on community forums

13 of 33

Kubernetes Policy Management Tools Compared: OPA with Gatekeeper vs. Kyverno -- by Viktor Farcic

14 of 33

Top Use Cases

15 of 33

Kyverno Policy Management Use Cases


SecOps
  • Pod security
  • Workload security
  • Granular RBAC
  • Workload isolation
  • Image signing & verification
  • Workload identity

DevOps
  • Self-service Kubernetes environments
  • Self-service infrastructure (IaC)
  • Resource governance and cleanup
  • Label/Annotation management
  • Naming conventions
  • Event driven automation
  • Custom CA management
  • Time-bound policies

FinOps
  • Quota Management
  • Pod Requests and limits
  • Team and app labels
  • Scaling limits
  • Scheduled resources
  • QoS management
  • Auto-scalers

Where policies run:
  • In-cluster: Admission Control & Background Scans
  • CI/CD pipelines: Command Line Checks

16 of 33

How Kyverno Policies Work

17 of 33

Kyverno Architecture


  • Admission Controls
  • Command Line (CLI)
  • Runtime scans

18 of 33

A Kyverno Policy


19 of 33


apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: require-team
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: 'The label `team` is required.'
      pattern:
        metadata:
          labels:
            team: '?*'

20 of 33

Validate Policy

  • Overlays with patterns specify desired state
  • Matches all defined fields
  • Patterns
    • * : zero or more
    • ? : any one
  • Operators
    • >, <, >=, <= (comparisons, including Kubernetes quantities), ! (not), | (or)
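The require-labels policy above only uses the `?*` wildcard. The policy below is an added example written for this page, not a policy from the deck or from the Kyverno project's sample library; it exercises the other operators listed on this slide on the same Pod kind: `*:*` to require an image tag, `!*:latest` for negation, `|` for alternation inside an `=()` equality anchor, and `<=` on a resource quantity. The policy name, the image names and the 2Gi ceiling are illustrative choices; the trailing Pod is a constructed input that the policy rejects.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: container-image-and-limit-checks   # hypothetical policy name
spec:
  validationFailureAction: Enforce   # reject at admission; Audit would only report
  background: true                   # also evaluate Pods that already exist
  rules:
  # A pattern list with a single element is applied to every container in the Pod.
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Every container image must carry an explicit tag or digest."
      pattern:
        spec:
          containers:
          - image: "*:*"            # '*' = zero or more characters; a ':' must be present
  - name: disallow-latest-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "The mutable ':latest' tag is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"      # '!' negates the pattern
  - name: pull-policy-and-memory-limit
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "imagePullPolicy, if set, must be Always or IfNotPresent, and a memory limit of at most 2Gi is required."
      pattern:
        spec:
          containers:
          # '=()' anchor: only checked when the field exists in the Pod.
          - =(imagePullPolicy): "Always | IfNotPresent"
            resources:
              limits:
                memory: "<=2Gi"     # comparison operators understand quantities;
                                    # a container with no memory limit fails too,
                                    # because every field in the pattern is required
---
# Constructed sample Pod: passes require-image-tag, fails disallow-latest-tag
# (':latest') and pull-policy-and-memory-limit (4Gi > 2Gi).
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  labels:
    team: payments
spec:
  containers:
  - name: app
    image: nginx:latest
    imagePullPolicy: Always
    resources:
      limits:
        memory: 4Gi
```

To try it without a cluster, save the two documents as separate files and run `kyverno apply policy.yaml --resource pod.yaml` with the Kyverno CLI; the report lists each failing rule with its message. Because the rules match Pod, Kyverno also auto-generates equivalent rules for Pod controllers (Deployment, StatefulSet, Job, and so on), so the same checks apply to pod templates unless the policy carries the `pod-policies.kyverno.io/autogen-controllers: none` annotation.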


21 of 33

Mutate Policy

  • JSON Patch (RFC 6902)
    • Use for precise updates
  • StrategicMergePatch
    • Use for describing intent
    • Anchors for conditional logic
      • “If-then-else”
      • “if-not-defined”
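The two mutation styles from this slide side by side, as an added example written for this page rather than a policy from the deck or the Kyverno project: the first rule uses `patchStrategicMerge` with a `(name)` conditional anchor and `+()` add-if-not-present anchors to set container security defaults without overriding what a developer set explicitly; the second uses a JSON Patch (RFC 6902) for a precise change at a known path. The policy and rule names are hypothetical.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-defaults   # hypothetical policy name
spec:
  rules:
  # Strategic merge patch: describe the intended end state, Kyverno computes the diff.
  - name: default-container-security-context
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # '(name)' is a conditional anchor ("if-then"): the sibling fields are
          # applied to every list entry whose name matches "*", i.e. all containers.
          - (name): "*"
            securityContext:
              # '+()' is the add-if-not-present anchor ("if-not-defined"): a default
              # is written only when the field is absent, so an explicit developer
              # choice (even a weaker one) is left untouched and must be caught by
              # a validate rule instead.
              +(allowPrivilegeEscalation): false
              +(runAsNonRoot): true
              +(capabilities):
                drop:
                - ALL
  # JSON Patch: an ordered list of operations on exact JSON Pointer paths.
  # "add" on an existing member replaces it; the parent path /spec/template/spec
  # always exists on these kinds, so the operation cannot fail for a missing parent.
  - name: disable-sa-token-automount
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/automountServiceAccountToken
          value: false
```

The first rule matches Pod, so Kyverno auto-generates the same mutation for Pod controllers; the second is written directly against controller kinds, which is why its path goes through `/spec/template`. Mutation runs before validation in the admission chain, so a validate rule that requires `runAsNonRoot: true` will see the defaulted value.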


22 of 33

Generate Policy


  • Triggers when a new resource is created, or on label and metadata changes of an existing one
  • Useful for creating defaults for a namespace
  • Clones existing resources or copies in-line data
  • Can optionally keep data in-sync across namespaces

23 of 33

Image Verification Policy

  • Native Sigstore support!
  • Support for Notary!
  • Match images using wildcards
  • Verify multiple signatures
  • Optional signature registry
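A `verifyImages` rule with a cosign (Sigstore) public key, as an added example for this page, not a policy from the deck or the Kyverno project. The registry path `ghcr.io/example-org/*` is a hypothetical wildcard, and the key block is a placeholder for the contents of your own `cosign.pub`.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images   # hypothetical policy name
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30    # signature lookups call the registry; the 10s default is tight
  rules:
  - name: cosign-key-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "ghcr.io/example-org/*"   # hypothetical; '*' matches every repository under the path
      required: true              # a matching image with no valid signature is rejected
      mutateDigest: true          # rewrite the tag to the verified digest, so the image that
                                  # was checked is exactly the image that runs
      verifyDigest: true          # reject images that cannot be resolved to a digest
      attestors:
      # Every entry in 'attestors' must pass; 'count' sets how many of the
      # 'entries' inside one attestor must verify (count: 2 with two keys
      # would require two signatures).
      - count: 1
        entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              <placeholder: paste the contents of your cosign.pub here>
              -----END PUBLIC KEY-----
```

Only images that match `imageReferences` are verified; an image from any other registry is simply not checked by this rule. Pair it with a validate rule that restricts allowed registries, otherwise an unsigned image from elsewhere passes untouched. As with validate rules, the Pod match is auto-generated for Pod controllers.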


24 of 33

Cleanup policies

  • Delete resources based on flexible match/exclude and conditions
  • Run checks periodically using Cron schedule format
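A cluster-wide cleanup policy as an added example for this page (not from the deck or the Kyverno project): every hour it deletes Pods that finished more than a day ago. The apiVersion shown is the one served by the Kyverno release current at the time of this deck; check which version your release serves. The `time_since` JMESPath filter is Kyverno's own; the policy name and the 24-hour threshold are illustrative.

```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterCleanupPolicy
metadata:
  name: cleanup-finished-pods   # hypothetical policy name
spec:
  schedule: "0 * * * *"         # standard 5-field cron: at minute 0 of every hour
  match:
    any:
    - resources:
        kinds:
        - Pod
  exclude:
    any:
    - resources:
        namespaces:
        - kube-system
  # All conditions must hold for a Pod to be deleted. In cleanup policies the
  # candidate object is addressed as 'target'.
  conditions:
    all:
    - key: "{{ target.status.phase }}"
      operator: AnyIn
      value:
      - Succeeded
      - Failed
    - key: "{{ time_since('', '{{ target.metadata.creationTimestamp }}', '') }}"
      operator: GreaterThan
      value: "24h0m0s"
```

Deletions are irreversible, so start with a narrow `match` (a single namespace, or a label selector) and widen it once the cleanup controller's log shows it selecting only what you expect. The cleanup controller's service account must hold RBAC permission to list and delete the matched kind.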

25 of 33

Demos

26 of 33

Additional Features

27 of 33

Additional Features

  • Built-in and Custom Variables
  • JMESPath Support
  • API Lookups
  • Cached ConfigMaps
  • OCI Registry integrations
  • OpenTelemetry Metrics and Spans
  • Policy Reporter (In-cluster dashboard)
  • YAML Signing
  • Policy Exceptions


28 of 33

Summary

29 of 33

Key Takeaways

  1. Policy is a must have for Kubernetes security and compliance
  2. Kyverno is a CNCF policy engine built for Kubernetes
  3. Kyverno is easy to get started with and try out!


30 of 33

Join the Kyverno Community

  • The Kyverno docs & samples: https://kyverno.io
  • Slack Channel: https://slack.k8s.io/#kyverno
  • Monthly office hours for Kyverno
  • Weekly contributor meetings


31 of 33

Get Kyverno Certified!

  • Free training and certification

32 of 33

Thanks!

https://kyverno.io

33 of 33

Q & A

https://kyverno.io