kyverno/documentation/kyverno-cli.md

<small>*[documentation](/README.md#documentation) / kyverno-cli*</small>


# Kyverno CLI

The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI.

## Build the CLI

You can build the CLI binary locally, then move the binary into a directory in your PATH.

```bash
git clone https://github.com/kyverno/kyverno.git
cd github.com/kyverno/kyverno
make cli
mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
```

You can also use [Krew](https://github.com/kubernetes-sigs/krew)
```bash
# Install kyverno using krew plugin manager
kubectl krew install kyverno 

#example 
kubectl kyverno version  

```

## Install via AUR (archlinux)

You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))

```
yay -S kyverno-git
```

## Commands

### Version

Prints the version of kyverno used by the CLI.

Example:

```
kyverno version
```

### Validate
Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description 
files. Currently supports files with resource description in yaml. The policies can also be passed from stdin.

Example:
```
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
```
Passing policy from stdin:
```
kustomize build nginx/overlays/envs/prod/ | kyverno validate -
```

Use the -o <yaml/json> flag to display the mutated policy.

Example:
```
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies -o yaml
```

Policy can also be validated with CRDs. Use -c flag to pass the CRD, can pass multiple CRD files or even an entire folder containin CRDs.

Example:
```
kyverno validate /path/to/policy1.yaml -c /path/to/crd.yaml -c /path/to/folderFullOfCRDs
```

### Apply
Applies policies on resources, and supports applying multiple policies on multiple resources in a single command.
Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster.

Displays mutate results to stdout, by default. Use the -o <path> flag to save mutated resources to a file or directory.

Apply to a resource:
```
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
```

Apply to all matching resources in a cluster:
```
kyverno apply /path/to/policy.yaml --cluster > policy-results.txt
```

The resources can also be passed from stdin:
```
kustomize build nginx/overlays/envs/prod/ | kyverno apply /path/to/policy.yaml --resource -
```

Apply multiple policies to multiple resources:
```
kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster
```

Saving the mutated resource in a file/directory:
```
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml -o <file path/directory path>
```

Apply policy with variables:

Use --set flag to pass the values for variables in a policy while applying on a resource.

```
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set <variable1>=<value1>,<variable2>=<value2>
```

Use --values_file for applying multiple policies on multiple resources and pass a file containing variables and its values.

```
kyverno apply /path/to/policy1.yaml /path/to/policy2.yaml --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml -f /path/to/value.yaml
```

Format of value.yaml :

```
policies:
  - name: <policy1 name>
    resources:
      - name: <resource1 name>
        values:
          <variable1 in policy1>: <value>
          <variable2 in policy1>: <value>
      - name: <resource2 name>
        values:
          <variable1 in policy1>: <value>
          <variable2 in policy1>: <value>
  - name: <policy2 name>
    resources:
      - name: <resource1 name>
        values:
          <variable1 in policy2>: <value>
          <variable2 in policy2>: <value>
      - name: <resource2 name>
        values:
          <variable1 in policy2>: <value>
          <variable2 in policy2>: <value>
```

Example:

Policy file(add_network_policy.yaml):

```
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
  annotations:
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: By default, Kubernetes allows communications across 
      all pods within a cluster. Network policies and, a CNI that supports network policies, 
      must be used to restrict communinications. A default NetworkPolicy should be configured 
      for each namespace to default deny all ingress traffic to the pods in the namespace. 
      Application teams can then configure additional NetworkPolicy resources to allow 
      desired traffic to application pods from select sources.
spec:
  rules:
  - name: default-deny-ingress
    match:
      resources: 
        kinds:
        - Namespace
        name: "*"
    generate: 
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      synchronize : true
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes: 
          - Ingress
```
Resource file(required_default_network_policy.yaml) :

```
kind: Namespace
apiVersion: v1
metadata: 
    name: "devtest"
```
Applying policy on resource using set/-s flag:

```
kyverno apply /path/to/add_network_policy.yaml --resource /path/to/required_default_network_policy.yaml -s request.object.metadata.name=devtest
```

Applying policy on resource using --values_file/-f flag:

yaml file with variables(value.yaml) :

```
policies:
  - name: default-deny-ingress
    resources:
      - name: devtest
        values:
          request.namespace: devtest
```

```
kyverno apply /path/to/add_network_policy.yaml --resource /path/to/required_default_network_policy.yaml -f /path/to/value.yaml
```


<small>*Read Next >> [Sample Policies](/samples/README.md)*</small>
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			`<small>[documentation](/README.md#documentation) / kyverno-cli</small>`

696_add_documentation 2020-02-17 10:20:02 +05:30
fix docs 2020-02-19 18:50:03 -08:00			`# Kyverno CLI`

696 documentatino fixes 2020-02-19 21:47:15 +05:30			`The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI.`
696_add_documentation 2020-02-17 10:20:02 +05:30
update cli doc / makefile 2020-02-19 19:13:05 -08:00			`## Build the CLI`
fix docs 2020-02-19 18:50:03 -08:00
update doc 2020-02-19 19:24:11 -08:00			`You can build the CLI binary locally, then move the binary into a directory in your PATH.`
update cli doc / makefile 2020-02-19 19:13:05 -08:00
			```bash
migrate repo 2020-10-07 15:09:52 -07:00			`git clone https://github.com/kyverno/kyverno.git`
			`cd github.com/kyverno/kyverno`
update cli doc / makefile 2020-02-19 19:13:05 -08:00			`make cli`
fix typo 2020-02-19 19:24:55 -08:00			`mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno`
update cli doc / makefile 2020-02-19 19:13:05 -08:00			```
696_add_documentation 2020-02-17 10:20:02 +05:30
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			`You can also use [Krew](https://github.com/kubernetes-sigs/krew)`
remove arm from goreleaser (#903) * Feature : Added complete release cycle and created install bash script for kyverno-cli 2020-06-04 11:45:37 -07:00			```bash
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			`# Install kyverno using krew plugin manager`
			`kubectl krew install kyverno`

			`#example`
Update kyverno-cli.md (#989) 2020-07-14 13:42:31 -07:00			`kubectl kyverno version`
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00
remove arm from goreleaser (#903) * Feature : Added complete release cycle and created install bash script for kyverno-cli 2020-06-04 11:45:37 -07:00			```

Add info about the kyverno AUR package I created an AUR package for the `kyverno` cli, therefore I wanted to publish its existence for other fellow arch users 2020-03-18 17:18:59 +01:00			`## Install via AUR (archlinux)`

			`You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))`

			```
			`yay -S kyverno-git`
			```

696_add_documentation 2020-02-17 10:20:02 +05:30			`## Commands`

Feature/read from stdin (#1165) * temp * added pipe logic for apply * removed comments * updated readme 2020-10-02 06:52:58 +05:30			`### Version`
fix docs 2020-02-19 18:50:03 -08:00
696_add_documentation 2020-02-17 10:20:02 +05:30			`Prints the version of kyverno used by the CLI.`

Feature/read from stdin validate (#1171) * temp * added pipe logic for validate * fixed test cases - policy mutation 2020-10-07 06:20:53 +05:30			`Example:`

696_add_documentation 2020-02-17 10:20:02 +05:30			```
fix docs 2020-02-19 18:50:03 -08:00			`kyverno version`
696_add_documentation 2020-02-17 10:20:02 +05:30			```

Feature/read from stdin (#1165) * temp * added pipe logic for apply * removed comments * updated readme 2020-10-02 06:52:58 +05:30			`### Validate`
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			`Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description`
Feature/read from stdin validate (#1171) * temp * added pipe logic for validate * fixed test cases - policy mutation 2020-10-07 06:20:53 +05:30			`files. Currently supports files with resource description in yaml. The policies can also be passed from stdin.`
696_add_documentation 2020-02-17 10:20:02 +05:30
			`Example:`
			```
fix docs 2020-02-19 18:50:03 -08:00			`kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies`
696_add_documentation 2020-02-17 10:20:02 +05:30			```
Feature/read from stdin validate (#1171) * temp * added pipe logic for validate * fixed test cases - policy mutation 2020-10-07 06:20:53 +05:30			`Passing policy from stdin:`
			```
			`kustomize build nginx/overlays/envs/prod/ \| kyverno validate -`
			```
696_add_documentation 2020-02-17 10:20:02 +05:30
Feature/print mutated policy (#1014) * added printing mutation policy * added mutated method in common * improved yaml print * updated readme * small fix * small fix 2020-07-29 21:41:58 +05:30			`Use the -o <yaml/json> flag to display the mutated policy.`

			`Example:`
			```
			`kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies -o yaml`
			```

updated readme 2020-08-31 19:32:00 +05:30			`Policy can also be validated with CRDs. Use -c flag to pass the CRD, can pass multiple CRD files or even an entire folder containin CRDs.`

			`Example:`
			```
			`kyverno validate /path/to/policy1.yaml -c /path/to/crd.yaml -c /path/to/folderFullOfCRDs`
			```
Feature/print mutated policy (#1014) * added printing mutation policy * added mutated method in common * improved yaml print * updated readme * small fix * small fix 2020-07-29 21:41:58 +05:30
Feature/read from stdin (#1165) * temp * added pipe logic for apply * removed comments * updated readme 2020-10-02 06:52:58 +05:30			`### Apply`
696 documentatino fixes 2020-02-19 21:47:15 +05:30			`Applies policies on resources, and supports applying multiple policies on multiple resources in a single command.`
			`Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster.`
Feature/CLI saving mutate results (#1007) * saving mutated policy and resources in yaml * removed saving mutated policy * fixed file creation * updated readme * changed flags 2020-07-21 00:41:30 +05:30
			`Displays mutate results to stdout, by default. Use the -o <path> flag to save mutated resources to a file or directory.`
696_add_documentation 2020-02-17 10:20:02 +05:30
			`Apply to a resource:`
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			```
fix docs 2020-02-19 18:50:03 -08:00			`kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml`
696_add_documentation 2020-02-17 10:20:02 +05:30			```
fix docs 2020-02-19 18:50:03 -08:00
696 documentatino fixes 2020-02-19 21:47:15 +05:30			`Apply to all matching resources in a cluster:`
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			```
fix docs 2020-02-19 18:50:03 -08:00			`kyverno apply /path/to/policy.yaml --cluster > policy-results.txt`
696_add_documentation 2020-02-17 10:20:02 +05:30			```
fix docs 2020-02-19 18:50:03 -08:00
Feature/read from stdin (#1165) * temp * added pipe logic for apply * removed comments * updated readme 2020-10-02 06:52:58 +05:30			`The resources can also be passed from stdin:`
			```
			`kustomize build nginx/overlays/envs/prod/ \| kyverno apply /path/to/policy.yaml --resource -`
			```

fix docs 2020-02-19 18:50:03 -08:00			`Apply multiple policies to multiple resources:`
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			```
fix docs 2020-02-19 18:50:03 -08:00			`kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster`
696_add_documentation 2020-02-17 10:20:02 +05:30			```
fix docs 2020-02-19 18:50:03 -08:00
Feature/CLI saving mutate results (#1007) * saving mutated policy and resources in yaml * removed saving mutated policy * fixed file creation * updated readme * changed flags 2020-07-21 00:41:30 +05:30			`Saving the mutated resource in a file/directory:`
			```
			`kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml -o <file path/directory path>`
			```

updated readme 2020-08-11 09:55:02 +05:30			`Apply policy with variables:`

			`Use --set flag to pass the values for variables in a policy while applying on a resource.`

			```
			`kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set <variable1>=<value1>,<variable2>=<value2>`
			```

updated readme 2020-08-12 15:25:11 +05:30			`Use --values_file for applying multiple policies on multiple resources and pass a file containing variables and its values.`

			```
updated readme - apply example 2020-08-18 11:46:44 +05:30			`kyverno apply /path/to/policy1.yaml /path/to/policy2.yaml --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml -f /path/to/value.yaml`
updated readme 2020-08-12 15:25:11 +05:30			```

			`Format of value.yaml :`

			```
			`policies:`
			`- name: <policy1 name>`
			`resources:`
			`- name: <resource1 name>`
			`values:`
			`<variable1 in policy1>: <value>`
			`<variable2 in policy1>: <value>`
			`- name: <resource2 name>`
			`values:`
			`<variable1 in policy1>: <value>`
			`<variable2 in policy1>: <value>`
			`- name: <policy2 name>`
			`resources:`
			`- name: <resource1 name>`
			`values:`
			`<variable1 in policy2>: <value>`
			`<variable2 in policy2>: <value>`
			`- name: <resource2 name>`
			`values:`
			`<variable1 in policy2>: <value>`
			`<variable2 in policy2>: <value>`
			```
updated readme 2020-08-11 09:55:02 +05:30
updated readme - apply example 2020-08-18 11:46:44 +05:30			`Example:`

			`Policy file(add_network_policy.yaml):`

			```
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: add-networkpolicy`
			`annotations:`
			`policies.kyverno.io/category: Workload Management`
			`policies.kyverno.io/description: By default, Kubernetes allows communications across`
			`all pods within a cluster. Network policies and, a CNI that supports network policies,`
			`must be used to restrict communinications. A default NetworkPolicy should be configured`
			`for each namespace to default deny all ingress traffic to the pods in the namespace.`
			`Application teams can then configure additional NetworkPolicy resources to allow`
			`desired traffic to application pods from select sources.`
			`spec:`
			`rules:`
			`- name: default-deny-ingress`
			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
			`name: "*"`
			`generate:`
			`kind: NetworkPolicy`
			`name: default-deny-ingress`
			`namespace: "{{request.object.metadata.name}}"`
			`synchronize : true`
			`data:`
			`spec:`
			`# select all pods in the namespace`
			`podSelector: {}`
			`policyTypes:`
			`- Ingress`
			```
			`Resource file(required_default_network_policy.yaml) :`

			```
			`kind: Namespace`
			`apiVersion: v1`
			`metadata:`
			`name: "devtest"`
			```
			`Applying policy on resource using set/-s flag:`

			```
			`kyverno apply /path/to/add_network_policy.yaml --resource /path/to/required_default_network_policy.yaml -s request.object.metadata.name=devtest`
			```

			`Applying policy on resource using --values_file/-f flag:`

			`yaml file with variables(value.yaml) :`

			```
			`policies:`
			`- name: default-deny-ingress`
			`resources:`
			`- name: devtest`
			`values:`
			`request.namespace: devtest`
			```

			```
			`kyverno apply /path/to/add_network_policy.yaml --resource /path/to/required_default_network_policy.yaml -f /path/to/value.yaml`
			```

fix docs 2020-02-19 18:50:03 -08:00
kyverno CLI accessable through `krew` (#941) * automate kyverno-cli plugin release for krew * windows support added * revert ci changes * update plugin name * documentation added Co-authored-by: Yuvraj <yuvraj@neualto.com> 2020-07-08 09:05:55 -07:00			`<small>Read Next >> [Sample Policies](/samples/README.md)</small>`