Kyverno

Kyverno Workshop, KCD Bengaluru

April 9, 2022

Kyverno workshop hosts

  • Vyankatesh Kudtarkar, Maintainer, Nirmata (@VyankateshKudt1)
  • Prateek Pandey, Maintainer, Nirmata (@imPrateek14)
  • Shuting Zhao, Maintainer, Nirmata (@ShutingZhao2)

Topics

  • Why Policies?
  • Why Kyverno?
  • Kyverno architecture
  • Kyverno policies
  • Kyverno Features & demos
  • Kyverno CLI & demos
  • Sample policies library
  • Summary and Q&A

Why Policies?

Policies are a contract between Developers, Security and Operations.

What policies can do for you

  1. Improve security
  2. Eliminate misconfigurations
  3. Separation of concerns across roles
  4. Reduce configuration complexity
  5. Promote best practices
  6. Self-service and automation

Why Kyverno?

Kyverno means “Govern” in Greek

What Kyverno does

  1. Kyverno is a Kubernetes-native policy engine that helps you define policies using Kubernetes compliant manifests.
  2. Kyverno uses the Kubernetes admission webhook to validate, mutate, and generate Kubernetes resources, and verify images.
  3. A CLI is available for CI/CD pipelines.
  4. Using Kyverno, a central platform team can define policies and ensure the configurations are compliant with their security and best practices standards.
  5. Kyverno does not require learning a new programming language to define policies – it uses declarative manifests like Kubernetes.
  6. Creating and managing Kyverno policies is easy using existing tools!

Why Kyverno?

  1. Make K8s policies easy to write and manage
  2. Validate (audit or enforce), Mutate, Generate and ImageVerify
  3. Make policy results easy to process
  4. Support all Kubernetes types including Custom Resources
  5. Use Kubernetes patterns and practices (e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc.)

Kyverno simplifies K8s policy management!

Kubernetes Policy Management Tools Compared: OPA with Gatekeeper vs. Kyverno, by Viktor Farcic

Common Use Cases

  • Pod and workload security
  • Best practice configurations
  • Fine-grained RBAC
  • Multi-tenancy
  • Auto-Labeling resources
  • Sidecar (/certificate) injection with mounts, etc.
  • Image Signing and Supply Chain Security

Kyverno Architecture

Kyverno Artifacts

Kyverno Policies

A Kyverno Policy

Validate Policy

  • Overlays with patterns specify desired state
  • Matches all defined fields
  • Patterns
    • * : zero or more
    • ? : any one
  • Operators
    • >, <, >=, <=, !, | (or)
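An added example, not from the workshop deck, of a validate policy built from the pattern syntax above: a `?*` wildcard on a label value, the `!` negation on an image tag, and the `<=` operator on a memory limit. The policy name and the `owner` label convention are constructed.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workshop-validate-example   # constructed name, not from the deck
spec:
  validationFailureAction: enforce  # "audit" would only report violations
  background: true                  # also scan existing resources for reports
  rules:
  - name: require-owner-label
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    validate:
      message: "Label 'owner' is required and must look like team-<name>."
      pattern:
        metadata:
          labels:
            owner: "team-?*"        # '?' = any one char, '*' = zero or more
  - name: bounded-container-resources
    match:
      any:
      - resources:
          kinds:
          - Pod                     # Kyverno auto-generates the pod controller rules
    validate:
      message: "Containers must not use ':latest' and need a memory limit of at most 2Gi."
      pattern:
        spec:
          containers:
          - name: "?*"              # pattern applies to every container
            image: "!*:latest"      # '!' negates: reject the mutable latest tag
            resources:
              limits:
                memory: "<=2Gi"     # operator applied to a Kubernetes quantity
```

A container without `resources.limits.memory` fails the second rule too, because every field named in a pattern is required to be present.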

Mutate Policy

  • JSON Patch (RFC 6902)
    • Use for precise updates
  • StrategicMergePatch
    • Use for describing intent
    • Anchors for conditional logic
      • “If-then-else”
      • “if-not-defined”
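An added example, not from the workshop deck, showing both mutation styles: strategic merge patches with the `+()` add-if-not-defined anchor and the `()` conditional ("if-then") anchor, and an RFC 6902 JSON patch for one exact path. The policy name and the opt-in label are constructed.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workshop-mutate-example     # constructed name, not from the deck
spec:
  rules:
  # Strategic merge patch: describe intent, let anchors decide when it applies.
  - name: add-default-seccomp-profile
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            +(seccompProfile):        # "+()" = add only if not already defined
              type: RuntimeDefault
  - name: pull-latest-images-always
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (image): "*:latest"       # "()" = condition: only containers with a latest tag
            imagePullPolicy: Always   # the change applied when the condition holds
  # JSON Patch (RFC 6902): a precise operation on an exact path.
  - name: disable-sa-token-automount
    match:
      any:
      - resources:
          kinds:
          - Pod
          selector:
            matchLabels:
              workshop.example/no-token: "true"   # constructed opt-in label
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/automountServiceAccountToken
          value: false
```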

Generate Policy

  • Triggers when a new resource is created or based on label and metadata changes
  • Useful in creating defaults for a namespace
  • Clones existing resources or copies in-line data
  • Can optionally keep data in-sync across namespaces
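An added example, not from the workshop deck: a generate policy that gives every new Namespace a default-deny ingress NetworkPolicy from in-line data and clones an image pull Secret into it, both kept in sync. The policy name is constructed and the source Secret `regcred` in `default` is assumed to exist.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workshop-generate-example   # constructed name, not from the deck
spec:
  rules:
  # Fires when a Namespace is created; writes an in-line NetworkPolicy into it.
  - name: default-deny-ingress
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kyverno
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"   # the namespace being created
      synchronize: true      # repair or re-create the object if it drifts or is deleted
      data:
        spec:
          podSelector: {}    # selects every pod in the namespace
          policyTypes:
          - Ingress          # no ingress rules listed = all ingress denied
  # Clone an existing Secret from a source namespace, kept in sync.
  - name: clone-image-pull-secret
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: v1
      kind: Secret
      name: regcred               # assumed to exist in "default" (constructed)
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        namespace: default
        name: regcred
```

Kyverno can only generate kinds its own ClusterRole lets it create, so a generate rule for a kind outside the default permissions needs that role extended.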

Image Verification Policy

  • Native Cosign 1.0 support!
  • Match images using wildcards
  • Verify multiple signatures
  • Optional signature registry
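An added example, not from the workshop deck, of an image verification rule in the `image`/`key` form used by Kyverno 1.6 at the time of this workshop: wildcard image matching, an optional separate signature repository, and a second image pattern with its own signer. The registry paths and the public keys are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workshop-verify-images-example   # constructed name, not from the deck
spec:
  validationFailureAction: enforce
  background: false        # signature checks happen at admission, not in background scans
  webhookTimeoutSeconds: 30
  failurePolicy: Fail      # if the registry cannot be reached, reject rather than admit
  rules:
  - name: require-cosign-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    # Wildcard match: every image under this (constructed) registry path
    - image: "registry.example.com/workshop/*"
      # Cosign public key of the expected signer; placeholder, not a real key
      key: |-
        -----BEGIN PUBLIC KEY-----
        <PLACEHOLDER: cosign public key in PEM form>
        -----END PUBLIC KEY-----
      # Optional: look for signatures in a separate repository instead of
      # next to the image
      repository: registry.example.com/workshop-signatures
    # A second image pattern verified against a different signer's key
    - image: "registry.example.com/platform/*"
      key: |-
        -----BEGIN PUBLIC KEY-----
        <PLACEHOLDER: platform team cosign public key>
        -----END PUBLIC KEY-----
```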

Features & Demos

Demo: Validate Policies

Demo - Kyverno Pod Security Policies

$ kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -

Policy Reporter

  • View policy results from Kyverno, Falco, kube-bench
  • Send notifications to Loki, ES, Teams, Discord, Slack

Policy Metrics

Prometheus metrics:

  1. Policies and Rule Counts
  2. Policy and Rule Execution
  3. Policy Rule Execution Latency
  4. Admission Review Latency
  5. Admission Requests Counts
  6. Policy Change Counts

Grafana Dashboard

Variables

  • Variables make policies data driven
  • Kyverno supports 2 types of data substitution:
    • References: reference data in the current resource
    • Variables: JMESPath expressions

Variables using JMESPath expressions

Built-in data:

  • Admission review request
  • User Information
  • Image information

{{request.object.namespace}}

{{request.user.namespace}}

{{roles}}

{{clusterRoles}}

{{images.<name>.<registry | name | tag>}}

Data Sources

  • Data sources allow policies to be augmented with run-time data for reusability and complex logic
  • Kyverno supports three types of data sources:
    1. ConfigMaps
    2. API Server Lookups
    3. OCI Registries

External Data: Config Maps

  • Declare ConfigMap in the rule context
  • Reference ConfigMap data in policy rules

External Data: API Server Lookups

  • Use data from existing resources
  • Combine with JMESPath for easy processing
  • Test using kubectl and jp
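An added example, not from the workshop deck, covering the Variables section above and the ConfigMap and API server data sources: one rule reads a registry allowlist from a ConfigMap and compares it with the built-in `images` variable, the other counts existing LoadBalancer Services through an API call filtered with JMESPath. It assumes a ConfigMap `registry-allowlist` in the `kyverno` namespace whose `registries` key holds a JSON array string such as `'["registry.example.com", "ghcr.io"]'`; the policy name and the limit of 2 are constructed.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workshop-data-sources-example   # constructed name, not from the deck
spec:
  validationFailureAction: enforce
  rules:
  - name: restrict-registries   # ConfigMap data source + built-in images variable
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
    - name: allowed             # exposes {{ allowed.data.registries }} to the rule
      configMap:
        name: registry-allowlist   # assumed ConfigMap, see lead-in
        namespace: kyverno
    validate:
      message: "Image registry is not listed in the kyverno/registry-allowlist ConfigMap."
      deny:
        conditions:
          any:
          - key: "{{ images.containers.*.registry }}"   # registries used by the Pod
            operator: AnyNotIn
            value: "{{ allowed.data.registries }}"
  - name: limit-loadbalancers   # API server lookup + JMESPath aggregation
    match:
      any:
      - resources:
          kinds:
          - Service
    preconditions:
      any:
      - key: "{{ request.operation }}"   # count only on creation, not on updates
        operator: Equals
        value: CREATE
    context:
    - name: lbcount
      apiCall:
        urlPath: "/api/v1/namespaces/{{ request.namespace }}/services"
        jmesPath: "items[?spec.type == 'LoadBalancer'] | length(@)"
    validate:
      message: "At most 2 LoadBalancer Services are allowed per namespace."
      deny:
        conditions:
          any:
          - key: "{{ lbcount }}"
            operator: GreaterThanOrEquals
            value: 2
```

The first rule checks `containers` only; init containers need a second condition on `images.initContainers.*.registry`. The JMESPath filter can be tried outside the cluster with `kubectl get services -n <ns> -o json | jp "items[?spec.type == 'LoadBalancer'] | length(@)"`.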

External Data: OCI Registries

  • Used for querying image signatures and attestations
  • Supports private registries
  • Supports multiple registries

Demo: Mutate Policies

Demo: Generate Policies

Demo - Generate Policies

  • Generate Clone: Clones existing resources or copies in-line data
  • Generate Data: create default resources for a matching resource from in-line data
  • Multitenancy: Namespace-as-a-service

Demo: ImageVerify Policies

Kyverno CLI
  • Test policies locally or against clusters
  • Validate Kubernetes configurations for violations before they are deployed to a cluster
  • The CLI can also be used to test policies against a cluster without installing Kyverno

Apply command

  • Perform a dry run of one or more policies against a given set of input resources
  • The input resources can be resource manifests or a Kubernetes cluster

Test Command

  • Test multiple policy resources from a Git repository or local folders
  • The test command supports validating and mutating policies
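An added example, not from the workshop deck, of the layout `kyverno test` expects: a policy file, a resources file and a `kyverno-test.yaml` declaring the expected result per resource and rule. All three files are constructed for this example; the `# file:` comments mark where each file starts.

```yaml
# file: disallow-latest-tag.yaml (policy under test; constructed for this example)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  rules:
  - name: require-pinned-tag
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      pattern:
        spec:
          containers:
          - image: "!*:latest"    # '!' negates the wildcard pattern
# file: resources.yaml (two constructed Pods: one compliant, one not)
apiVersion: v1
kind: Pod
metadata:
  name: pinned-pod
spec:
  containers:
  - {name: app, image: nginx:1.21.6}
---
apiVersion: v1
kind: Pod
metadata:
  name: latest-pod
spec:
  containers:
  - {name: app, image: nginx:latest}
# file: kyverno-test.yaml (run "kyverno test ." in this directory)
name: disallow-latest-tag-tests
policies:
- disallow-latest-tag.yaml
resources:
- resources.yaml
results:
- policy: disallow-latest-tag
  rule: require-pinned-tag
  resource: pinned-pod
  kind: Pod
  result: pass          # expected: the pinned image passes the rule
- policy: disallow-latest-tag
  rule: require-pinned-tag
  resource: latest-pod
  kind: Pod
  result: fail          # expected: the latest tag is rejected
```

The same files serve the apply command as a dry run without the expectations file: `kyverno apply disallow-latest-tag.yaml --resource resources.yaml` reports the violation for latest-pod.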

Sample Policies

Summary

  1. Kyverno is a Kubernetes native policy engine
  2. Kyverno secures and automates Kubernetes configurations
  3. Kyverno operates as an admission controller and as a CLI
  4. Kyverno can handle complex policies and is production ready with HA and security
  5. Kyverno is simple to get started with and works well with other Kubernetes tools and processes

Join the Kyverno Community

  • The Kyverno docs & samples: https://kyverno.io
  • Slack Channel:
  • Monthly community meetings
  • Weekly contributor meetings

Join https://groups.google.com/g/kyverno

Get Kyverno Certified!

  • Free training and certification

Thanks!

https://kyverno.io/

@kyverno