kyverno/README.md

# Kyverno - Kubernetes Native Policy Management

[![Build Status](https://travis-ci.org/nirmata/kyverno.svg?branch=master)](https://travis-ci.org/nirmata/kyverno) [![Go Report Card](https://goreportcard.com/badge/github.com/nirmata/kyverno)](https://goreportcard.com/report/github.com/nirmata/kyverno)

![logo](documentation/images/Kyverno_Horizontal.png)

Kyverno is a policy engine designed for Kubernetes.

Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, its best to maintain environment specific configurations separately from workload configurations.

Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.

Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources. 

Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.

Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names.

Mutating policies can be written as overlays (similar to [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays)) or as a [JSON Patch](http://jsonpatch.com/). Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing. 

Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.

## Examples

### 1. Validating resources

This policy requires that all pods have CPU and memory resource requests and limits:

````yaml
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: check-cpu-memory
spec:
  rules:
  - name: check-pod-resources
    resource:
      kinds:
      - Pod
    validate:
      message: "CPU and memory resource requests and limits are required"
      pattern:
        spec:
          containers:
          # 'name: *' selects all containers in the pod
          - name: "*"
            resources:
              limits:
                # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters. 
                # Using them togther e.g. '?*' requires at least one character. 
                memory: "?*"
                cpu: "?*"
              requests:
                memory: "?*"
                cpu: "?*"
````

### 2. Mutating resources

This policy sets the imagePullPolicy to Always if the image tag is latest:

````yaml
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: set-image-pull-policy
spec:
  rules:
  - name: set-image-pull-policy
    resource:
      kinds:
      - Deployment
    mutate:
      overlay:
        spec:
          template:
            spec:
              containers:
                # match images which end with :latest   
                - (image): "*:latest"
                  # set the imagePullPolicy to "Always"
                  imagePullPolicy: "Always"
````

### 3. Generating resources

This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'.

````yaml
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: "zk-kafka-address"
spec:
  rules:
  - name: "zk-kafka-address"
    resource:
      kinds:
        - Namespace
      selector:
        matchExpressions:
        - {key: kafka, operator: Exists}
    generate: 
      kind: ConfigMap
      name: zk-kafka-address
      data:
        kind: ConfigMap
        data:
          ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
          KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
````

### 4. More examples

Additional examples are available in [examples](/examples).

## Alternatives

### Open Policy Agent

[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language. 

### External configuration management tools

Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.


## Status

*Kyverno is under active development and not ready for production use.  Key components and policy definitions are likely to change as we complete core features.*


## Documentation

* [Getting Started](documentation/installation.md)
* [Writing Policies](documentation/writing-policies.md)
  * [Mutate](documentation/writing-policies-mutate.md)
  * [Validate](documentation/writing-policies-validate.md)
  * [Generate](documentation/writing-policies-generate.md)
* [Testing Policies](documentation/testing-policies.md)
  * [Using kubectl](documentation/testing-policies.md#Test-using-kubectl)
  * [Using the Kyverno CLI](documentation/testing-policies.md#Test-using-the-Kyverno-CLI)
* [Examples](examples/)

## Roadmap

Here are some the major features we plan on completing before a 1.0 release:

* [Events](https://github.com/nirmata/kyverno/issues/14)
* [Policy Violations](https://github.com/nirmata/kyverno/issues/24)
* [Conditionals on existing resources](https://github.com/nirmata/kyverno/issues/57)
* [Extend CLI to operate on cluster resources ](https://github.com/nirmata/kyverno/issues/164)

## Getting help

  * For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
  * For discussions or questions, join the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
remove center - has no effect 2019-05-21 23:03:20 +00:00			`# Kyverno - Kubernetes Native Policy Management`
Update README.md add placeholders 2019-02-04 16:30:38 +00:00
add goreport status and travis refresh report on build 2019-06-06 00:54:07 +00:00			`[![Build Status](https://travis-ci.org/nirmata/kyverno.svg?branch=master)](https://travis-ci.org/nirmata/kyverno) [![Go Report Card](https://goreportcard.com/badge/github.com/nirmata/kyverno)](https://goreportcard.com/report/github.com/nirmata/kyverno)`
add build status logo 2019-06-04 22:16:26 +00:00
start docs 2019-05-21 03:43:38 +00:00			`![logo](documentation/images/Kyverno_Horizontal.png)`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
update README.md 2019-05-21 07:33:50 +00:00			`Kyverno is a policy engine designed for Kubernetes.`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
Fix typo 2019-06-11 17:39:20 +00:00			`Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, its best to maintain environment specific configurations separately from workload configurations.`
update README.md 2019-05-21 07:33:50 +00:00
			`Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.`

			`Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources.`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
34: Updated documentation 2019-05-22 15:14:10 +00:00			`Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
update readme with examples 2019-05-21 07:10:50 +00:00			`Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names.`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
start docs 2019-05-21 03:43:38 +00:00			`Mutating policies can be written as overlays (similar to [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays)) or as a [JSON Patch](http://jsonpatch.com/). Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing.`
Updated README.md: Added Workflow 2019-05-03 12:10:54 +00:00
start docs 2019-05-21 03:43:38 +00:00			`Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.`
NK-14: Prepared repo to publishing. Updated README.md, crd dir renamed to definitions, removed some test yamls. 2019-03-18 16:59:30 +00:00
Update README.md add placeholders 2019-02-04 16:30:38 +00:00			`## Examples`

start docs 2019-05-21 03:43:38 +00:00			`### 1. Validating resources`
NK-48: Added Troubleshuting to README.md. Renamed examples folder with generators. 2019-03-25 11:15:07 +00:00
update readme with examples 2019-05-21 07:10:50 +00:00			`This policy requires that all pods have CPU and memory resource requests and limits:`

			````yaml
34: Updated documentation 2019-05-22 15:14:10 +00:00			`apiVersion: kyverno.io/v1alpha1`
update readme with examples 2019-05-21 07:10:50 +00:00			`kind: Policy`
			`metadata:`
			`name: check-cpu-memory`
			`spec:`
			`rules:`
			`- name: check-pod-resources`
			`resource:`
34: Updated documentation 2019-05-22 15:14:10 +00:00			`kinds:`
			`- Pod`
update readme with examples 2019-05-21 07:10:50 +00:00			`validate:`
			`message: "CPU and memory resource requests and limits are required"`
			`pattern:`
add comments and fix ident 2019-05-21 07:55:29 +00:00			`spec:`
			`containers:`
			`# 'name: *' selects all containers in the pod`
			`- name: "*"`
			`resources:`
			`limits:`
update comment 2019-05-23 03:14:03 +00:00			`# '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.`
			`# Using them togther e.g. '?*' requires at least one character.`
34: Updated Roadmap with links to the issues 2019-05-22 16:30:34 +00:00			`memory: "?*"`
			`cpu: "?*"`
add comments and fix ident 2019-05-21 07:55:29 +00:00			`requests:`
34: Updated Roadmap with links to the issues 2019-05-22 16:30:34 +00:00			`memory: "?*"`
			`cpu: "?*"`
update readme with examples 2019-05-21 07:10:50 +00:00			````

start docs 2019-05-21 03:43:38 +00:00			`### 2. Mutating resources`
NK-48: Added Troubleshuting to README.md. Renamed examples folder with generators. 2019-03-25 11:15:07 +00:00
update readme with examples 2019-05-21 07:10:50 +00:00			`This policy sets the imagePullPolicy to Always if the image tag is latest:`

			````yaml
34: Updated documentation 2019-05-22 15:14:10 +00:00			`apiVersion: kyverno.io/v1alpha1`
update readme with examples 2019-05-21 07:10:50 +00:00			`kind: Policy`
			`metadata:`
			`name: set-image-pull-policy`
			`spec:`
			`rules:`
			`- name: set-image-pull-policy`
			`resource:`
34: Updated documentation 2019-05-22 15:14:10 +00:00			`kinds:`
update mutate overlay example in readme 2019-05-23 02:09:21 +00:00			`- Deployment`
update readme with examples 2019-05-21 07:10:50 +00:00			`mutate:`
			`overlay:`
			`spec:`
update mutate overlay example in readme 2019-05-23 02:09:21 +00:00			`template:`
			`spec:`
			`containers:`
			`# match images which end with :latest`
			`- (image): "*:latest"`
			`# set the imagePullPolicy to "Always"`
			`imagePullPolicy: "Always"`
update readme with examples 2019-05-21 07:10:50 +00:00			````

			`### 3. Generating resources`

			`This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'.`

			````yaml
34: Updated documentation 2019-05-22 15:14:10 +00:00			`apiVersion: kyverno.io/v1alpha1`
update readme with examples 2019-05-21 07:10:50 +00:00			`kind: Policy`
			`metadata:`
			`name: "zk-kafka-address"`
			`spec:`
			`rules:`
			`- name: "zk-kafka-address"`
			`resource:`
34: Updated documentation 2019-05-22 15:14:10 +00:00			`kinds:`
			`- Namespace`
update readme with examples 2019-05-21 07:10:50 +00:00			`selector:`
			`matchExpressions:`
			`- {key: kafka, operator: Exists}`
update namespace trigger + update documentation 2019-06-03 23:02:34 +00:00			`generate:`
update readme with examples 2019-05-21 07:10:50 +00:00			`kind: ConfigMap`
			`name: zk-kafka-address`
			`data:`
update namespace trigger + update documentation 2019-06-03 23:02:34 +00:00			`kind: ConfigMap`
			`data:`
			`ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"`
			`KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"`
update readme with examples 2019-05-21 07:10:50 +00:00			````

			`### 4. More examples`

			`Additional examples are available in [examples](/examples).`

add alternatives 2019-05-23 02:36:45 +00:00			`## Alternatives`

			`### Open Policy Agent`

			`[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language.`

			`### External configuration management tools`

			`Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.`


update README.md 2019-05-21 07:33:50 +00:00			`## Status`

			`Kyverno is under active development and not ready for production use. Key components and policy definitions are likely to change as we complete core features.`

NK-48: Added Troubleshuting to README.md. Renamed examples folder with generators. 2019-03-25 11:15:07 +00:00
start docs 2019-05-21 03:43:38 +00:00			`## Documentation`
NK-48: Added Troubleshuting to README.md. Renamed examples folder with generators. 2019-03-25 11:15:07 +00:00
start docs 2019-05-21 03:43:38 +00:00			`* [Getting Started](documentation/installation.md)`
			`* [Writing Policies](documentation/writing-policies.md)`
add placeholders for docs 2019-05-21 18:06:03 +00:00			`* [Mutate](documentation/writing-policies-mutate.md)`
Documentation for Mutate moved up Documentation for Mutate moved before the Validate according to the order of deatures application 2019-05-22 16:32:23 +00:00			`* [Validate](documentation/writing-policies-validate.md)`
add placeholders for docs 2019-05-21 18:06:03 +00:00			`* [Generate](documentation/writing-policies-generate.md)`
start docs 2019-05-21 03:43:38 +00:00			`* [Testing Policies](documentation/testing-policies.md)`
update links and consolidate test docs 2019-05-21 22:50:36 +00:00			`* [Using kubectl](documentation/testing-policies.md#Test-using-kubectl)`
			`* [Using the Kyverno CLI](documentation/testing-policies.md#Test-using-the-Kyverno-CLI)`
- rename example - add link to examples from docs section 2019-06-03 19:10:49 +00:00			`* [Examples](examples/)`
NK-14: Updated Readme. Added in-cluster installation instruction. Added information about formating tool. Minor fixes. 2019-03-21 17:18:43 +00:00
update README.md 2019-05-21 07:33:50 +00:00			`## Roadmap`
update readme with examples 2019-05-21 07:10:50 +00:00
			`Here are some the major features we plan on completing before a 1.0 release:`

34: Updated Roadmap with links to the issues 2019-05-22 16:30:34 +00:00			`* [Events](https://github.com/nirmata/kyverno/issues/14)`
			`* [Policy Violations](https://github.com/nirmata/kyverno/issues/24)`
			`* [Conditionals on existing resources](https://github.com/nirmata/kyverno/issues/57)`
update bug# and remove fixed issue 2019-06-12 02:16:15 +00:00			`* [Extend CLI to operate on cluster resources ](https://github.com/nirmata/kyverno/issues/164)`
NK-14: Updated Readme. Added in-cluster installation instruction. Added information about formating tool. Minor fixes. 2019-03-21 17:18:43 +00:00
start docs 2019-05-21 03:43:38 +00:00			`## Getting help`
NK-23: Fixed readme and deployment script, deleted extra resource. 2019-03-07 16:48:02 +00:00
Add link to mailing list 2019-06-11 06:38:25 +00:00			`* For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).`
			`* For discussions or questions, join the [mailing list](https://groups.google.com/forum/#!forum/kyverno)`
NK-48: Added Troubleshuting to README.md. Renamed examples folder with generators. 2019-03-25 11:15:07 +00:00