# Kyverno - Kubernetes Native Policy Management

[![Build Status](https://travis-ci.org/nirmata/kyverno.svg?branch=master)](https://travis-ci.org/nirmata/kyverno) [![Go Report Card](https://goreportcard.com/badge/github.com/nirmata/kyverno)](https://goreportcard.com/report/github.com/nirmata/kyverno) ![License: Apache-2.0](https://img.shields.io/github/license/nirmata/kyverno?color=blue)

![logo](documentation/images/Kyverno_Horizontal.png)

Kyverno is a policy engine built for Kubernetes:
* policies as Kubernetes resources (no new language to learn!)
* validate, mutate, or generate any resource
* match resources using label selectors and wildcards
* validate and mutate using overlays (like Kustomize!)
* generate and synchronize defaults across namespaces
* block or report violations
* test using kubectl
## Quick Start
**NOTE**: Your Kubernetes cluster version must be v1.14 or later, which adds admission webhook timeouts.
To check the version, enter `kubectl version`.

Install Kyverno:
```console
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
```

You can also install Kyverno using a [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm).

Add the policy below. It contains a single validation rule that requires that all pods have
an `app.kubernetes.io/name` label. Kyverno supports different rule types to validate,
mutate, and generate configurations. The policy attribute `validationFailureAction` is set
to `enforce` to block API requests that are non-compliant; with the default value `audit`,
Kyverno reports violations but does not block requests. In the pattern, the value `"?*"` is a
wildcard that matches any non-empty string, so the rule requires the label to be present with a value.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "label `app.kubernetes.io/name` is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
```

Try creating a deployment without the required label:

```console
kubectl create deployment nginx --image=nginx
```

You should see an error. The rule matches `Pod`, but Kyverno also auto-generates an equivalent rule (prefixed `autogen-`) for pod controllers such as Deployments and applies it to the pod template, so the Deployment is rejected because `spec.template.metadata.labels` lacks the label:

```console
Error from server: admission webhook "nirmata.kyverno.resource.validating-webhook" denied the request:

resource Deployment/default/nginx was blocked due to the following policies

require-labels:
  autogen-check-for-labels: 'Validation error: label `app.kubernetes.io/name` is required;
  Validation rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/'
```

Create a pod with the required label. For example from this YAML:

```yaml
kind: "Pod"
apiVersion: "v1"
metadata:
  name: nginx
  labels:
    app.kubernetes.io/name: nginx
spec:
  containers:
  - name: "nginx"
    image: "nginx:latest"
```
This pod configuration complies with the policy rules, and is not blocked.
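
Validation is one of three rule types. The policies below were written for this page as an added example (they are not the project's own sample files) and show the other two rule types next to a second, security-focused validation rule: a validate rule that rejects privileged containers, a mutate rule that sets `automountServiceAccountToken: false` on pods that do not set it explicitly, and a generate rule that creates a default-deny ingress NetworkPolicy in every new namespace and keeps it in sync. They assume the `kyverno.io/v1` syntax documented for this release: the `=()` conditional-equality anchor in validate patterns, the `+()` add-if-absent anchor in mutate overlays, the `{{request.object.metadata.name}}` variable, and `synchronize` on generate rules. The list of excluded namespaces is an assumption to adjust for your cluster.

```yaml
# Added example for this page, not a Kyverno project file.
# Three ClusterPolicies in one manifest: validate, mutate, generate.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: enforce
  rules:
  - name: no-privileged-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "privileged containers are not allowed; set securityContext.privileged to false"
      pattern:
        spec:
          containers:
          # =() anchor: the check applies only to containers that set
          # securityContext.privileged, and then it must equal false.
          # Containers that omit the field pass, since Kubernetes
          # defaults privileged to false.
          - =(securityContext):
              =(privileged): false
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-no-sa-token
spec:
  rules:
  - name: disable-sa-token-automount
    match:
      resources:
        kinds:
        - Pod
    mutate:
      overlay:
        spec:
          # +() anchor: add the field only if the pod does not already set it,
          # so workloads that explicitly need the token keep it.
          +(automountServiceAccountToken): false
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-deny-ingress
spec:
  rules:
  - name: add-default-deny-ingress
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        # Assumed exclusion list; adjust for your cluster.
        namespaces:
        - kube-system
        - kube-public
        - kube-node-lease
        - kyverno
    generate:
      kind: NetworkPolicy
      name: default-deny-ingress
      # Variable: the name of the Namespace being created.
      namespace: "{{request.object.metadata.name}}"
      # Re-create the NetworkPolicy if it is changed or deleted.
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
```

Apply the manifest with `kubectl create -f` as in the install step above; the cleanup command below removes all three policies together with `require-labels`. The mutate and generate rules change what lands in the cluster rather than just rejecting requests, so try them in a non-production cluster first: a pod that relies on the default service account token, or a namespace whose workloads expect open ingress, will behave differently once these policies are in place.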
Clean up by deleting all cluster policies:
```console
kubectl delete cpol --all
```

As a next step, browse the [sample policies](https://github.com/nirmata/kyverno/blob/master/samples/README.md)
and learn about [writing policies](https://github.com/nirmata/kyverno/blob/master/documentation/writing-policies.md).
You can test policies using the [Kyverno CLI](https://github.com/nirmata/kyverno/blob/master/documentation/kyverno-cli.md).
See [docs](https://github.com/nirmata/kyverno/#documentation) for complete details.

## Documentation
- [Getting Started](documentation/installation.md)
- [Writing Policies](documentation/writing-policies.md)
- [Selecting Resources](/documentation/writing-policies-match-exclude.md)
- [Validating Resources](documentation/writing-policies-validate.md)
- [Mutating Resources](documentation/writing-policies-mutate.md)
- [Generating Resources](documentation/writing-policies-generate.md)
- [Variable Substitution](documentation/writing-policies-variables.md)
- [Preconditions](documentation/writing-policies-preconditions.md)
- [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md)
- [Background Processing](documentation/writing-policies-background.md)
- [Testing Policies](documentation/testing-policies.md)
- [Policy Violations](documentation/policy-violations.md)
- [Kyverno CLI](documentation/kyverno-cli.md)
- [Sample Policies](/samples/README.md)

## License
[Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE)

## Community

### Community Meetings

To attend our next monthly community meeting, join the [Kyverno group](https://groups.google.com/g/kyverno). You will then be sent a meeting invite and get access to the [agenda and meeting notes](https://docs.google.com/document/d/10Hu1qTip1KShi8Lf_v9C5UVQtp7vz_WL3WVxltTvdAc/edit#).

### Getting Help

- For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
- For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/g/kyverno).

### Contributing

Thanks for your interest in contributing!
- Please review and agree to abide by the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
- We welcome all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
- See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
- Browse through the [open issues](https://github.com/nirmata/kyverno/issues).

## Presentations and Articles
- [Introducing Kyverno - blog post](https://nirmata.com/2019/07/11/managing-kubernetes-configuration-with-policies/)
- [CNCF Video and Slides](https://www.cncf.io/webinars/how-to-keep-your-clusters-safe-and-healthy/)
- [10 Kubernetes Best Practices - blog post](https://thenewstack.io/10-kubernetes-best-practices-you-can-easily-apply-to-your-clusters/)
- [VMware Code Meetup Video](https://www.youtube.com/watch?v=mgEmTvLytb0)
- [Virtual Rejekts Video](https://www.youtube.com/watch?v=caFMtSg4A6I)
- [TGIK Video](https://www.youtube.com/watch?v=ZE4Zu9WQET4&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=18&t=0s)

## Alternatives
### Open Policy Agent

[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego), a custom query language.

### k-rail
[k-rail](https://github.com/cruise-automation/k-rail/) provides several ready-to-use policies for security and multi-tenancy. The policies are written in Golang. Several of the [Kyverno sample policies](/samples/README.md) were inspired by k-rail policies.

### Polaris
[Polaris](https://github.com/reactiveops/polaris) validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score.

### External configuration management tools
Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.

## Roadmap

See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues).