1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/README.md

173 lines
6.9 KiB
Markdown
Raw Normal View History

2019-05-21 23:03:20 +00:00
# Kyverno - Kubernetes Native Policy Management
2019-02-04 16:30:38 +00:00
[![Build Status](https://travis-ci.org/nirmata/kyverno.svg?branch=master)](https://travis-ci.org/nirmata/kyverno) [![Go Report Card](https://goreportcard.com/badge/github.com/nirmata/kyverno)](https://goreportcard.com/report/github.com/nirmata/kyverno)
2019-06-04 22:16:26 +00:00
2019-05-21 03:43:38 +00:00
![logo](documentation/images/Kyverno_Horizontal.png)
2019-05-03 12:10:54 +00:00
2019-05-21 07:33:50 +00:00
Kyverno is a policy engine designed for Kubernetes.
2019-05-03 12:10:54 +00:00
2019-06-11 17:39:20 +00:00
Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, its best to maintain environment specific configurations separately from workload configurations.
2019-05-21 07:33:50 +00:00
Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.
Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources.
2019-05-03 12:10:54 +00:00
2019-05-22 15:14:10 +00:00
Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.
2019-05-03 12:10:54 +00:00
2019-05-21 07:10:50 +00:00
Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names.
2019-05-03 12:10:54 +00:00
2019-05-21 03:43:38 +00:00
Mutating policies can be written as overlays (similar to [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays)) or as a [JSON Patch](http://jsonpatch.com/). Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing.
2019-05-03 12:10:54 +00:00
2019-05-21 03:43:38 +00:00
Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.
2019-02-04 16:30:38 +00:00
## Examples
2019-05-21 03:43:38 +00:00
### 1. Validating resources
2019-05-21 07:10:50 +00:00
This policy requires that all pods have CPU and memory resource requests and limits:
````yaml
2019-05-22 15:14:10 +00:00
apiVersion: kyverno.io/v1alpha1
2019-05-21 07:10:50 +00:00
kind: Policy
metadata:
name: check-cpu-memory
spec:
rules:
- name: check-pod-resources
resource:
2019-05-22 15:14:10 +00:00
kinds:
- Pod
2019-05-21 07:10:50 +00:00
validate:
message: "CPU and memory resource requests and limits are required"
pattern:
2019-05-21 07:55:29 +00:00
spec:
containers:
# 'name: *' selects all containers in the pod
- name: "*"
resources:
limits:
2019-05-23 03:14:03 +00:00
# '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
# Using them togther e.g. '?*' requires at least one character.
memory: "?*"
cpu: "?*"
2019-05-21 07:55:29 +00:00
requests:
memory: "?*"
cpu: "?*"
2019-05-21 07:10:50 +00:00
````
2019-05-21 03:43:38 +00:00
### 2. Mutating resources
2019-05-21 07:10:50 +00:00
This policy sets the imagePullPolicy to Always if the image tag is latest:
````yaml
2019-05-22 15:14:10 +00:00
apiVersion: kyverno.io/v1alpha1
2019-05-21 07:10:50 +00:00
kind: Policy
metadata:
name: set-image-pull-policy
spec:
rules:
- name: set-image-pull-policy
resource:
2019-05-22 15:14:10 +00:00
kinds:
- Deployment
2019-05-21 07:10:50 +00:00
mutate:
overlay:
spec:
template:
spec:
containers:
# match images which end with :latest
- (image): "*:latest"
# set the imagePullPolicy to "Always"
imagePullPolicy: "Always"
2019-05-21 07:10:50 +00:00
````
### 3. Generating resources
This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'.
````yaml
2019-05-22 15:14:10 +00:00
apiVersion: kyverno.io/v1alpha1
2019-05-21 07:10:50 +00:00
kind: Policy
metadata:
name: "zk-kafka-address"
spec:
rules:
- name: "zk-kafka-address"
resource:
2019-05-22 15:14:10 +00:00
kinds:
- Namespace
2019-05-21 07:10:50 +00:00
selector:
matchExpressions:
- {key: kafka, operator: Exists}
generate:
2019-05-21 07:10:50 +00:00
kind: ConfigMap
name: zk-kafka-address
data:
kind: ConfigMap
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
2019-05-21 07:10:50 +00:00
````
### 4. More examples
Additional examples are available in [examples](/examples).
## License
[Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE)
## Status
*Kyverno is under active development and not ready for production use. Key components and policy definitions are likely to change as we complete core features.*
2019-05-23 02:36:45 +00:00
## Alternatives
### Open Policy Agent
[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language.
2019-06-12 15:49:29 +00:00
### Polaris
[Polaris](https://github.com/reactiveops/polaris) validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score.
2019-05-23 02:36:45 +00:00
### External configuration management tools
Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.
2019-05-21 03:43:38 +00:00
## Documentation
2019-05-21 03:43:38 +00:00
* [Getting Started](documentation/installation.md)
* [Writing Policies](documentation/writing-policies.md)
2019-05-21 18:06:03 +00:00
* [Mutate](documentation/writing-policies-mutate.md)
* [Validate](documentation/writing-policies-validate.md)
2019-05-21 18:06:03 +00:00
* [Generate](documentation/writing-policies-generate.md)
2019-05-21 03:43:38 +00:00
* [Testing Policies](documentation/testing-policies.md)
2019-05-21 22:50:36 +00:00
* [Using kubectl](documentation/testing-policies.md#Test-using-kubectl)
* [Using the Kyverno CLI](documentation/testing-policies.md#Test-using-the-Kyverno-CLI)
* [Examples](examples/)
2019-05-21 07:33:50 +00:00
## Roadmap
2019-05-21 07:10:50 +00:00
Here are some the major features we plan on completing before a 1.0 release:
* [Events](https://github.com/nirmata/kyverno/issues/14)
* [Policy Violations](https://github.com/nirmata/kyverno/issues/24)
* [Conditionals on existing resources](https://github.com/nirmata/kyverno/issues/57)
2019-06-12 02:16:15 +00:00
* [Extend CLI to operate on cluster resources ](https://github.com/nirmata/kyverno/issues/164)
2019-05-21 03:43:38 +00:00
## Getting help
2019-06-11 06:38:25 +00:00
* For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
* For discussions or questions, join the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
## Contributing
Welcome to our community and thanks for contributing!
* Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
* See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
* Browse through the [open issues](https://github.com/nirmata/kyverno/issues)