mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Cloud Native Policy Management

Kyverno - Kubernetes Native Policy Management

Kyverno is a policy engine built for Kubernetes:

  • policies as Kubernetes resources (no new language to learn!)
  • validate, mutate, or generate any resource
  • match resources using label selectors and wildcards
  • validate and mutate using overlays (like Kustomize!)
  • generate and synchronize defaults across namespaces
  • block or report violations
  • test using kubectl

Quick Start

NOTE: Your Kubernetes cluster version must be above v1.14, which adds webhook timeouts. To check the version, run kubectl version.

Install Kyverno:

kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

You can also install Kyverno using a Helm chart.

Add the policy below. It contains a single validation rule that requires all pods to have an app.kubernetes.io/name label. Kyverno supports different rule types to validate, mutate, and generate configurations. The policy attribute validationFailureAction is set to enforce to block API requests that are non-compliant (the default value, audit, reports violations but does not block requests).

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "label `app.kubernetes.io/name` is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"

Try creating a deployment without the required label:

kubectl create deployment nginx --image=nginx

You should see an error:

Error from server: admission webhook "nirmata.kyverno.resource.validating-webhook" denied the request:

resource Deployment/default/nginx was blocked due to the following policies

require-labels:
  autogen-check-for-labels: 'Validation error: label `app.kubernetes.io/name` is required;
    Validation rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/'

Create a pod with the required label. For example, from this YAML:

kind: "Pod"
apiVersion: "v1"
metadata:
  name: nginx
  labels:
    app.kubernetes.io/name: nginx
spec:
  containers:
  - name: "nginx"
    image: "nginx:latest"

This pod configuration complies with the policy rules, and is not blocked.
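To make the policy semantics concrete without a cluster, here is an added Python example (not Kyverno's own code) that emulates the subset of pattern matching the require-labels policy relies on and the auto-generated pod-controller rule named in the error above (autogen-check-for-labels). It reproduces both outcomes shown: the Deployment is denied at /spec/template/metadata/labels/app.kubernetes.io/name/ and the labelled pod is admitted. The manifests are constructed inline as dicts, and the wildcard rules and the list of controller kinds are simplifying assumptions about Kyverno's behaviour.

```python
"""Offline emulation of the README's `require-labels` policy.

Added example, not Kyverno's own code. It implements only the subset of
Kyverno pattern semantics the policy above relies on (assumption):
  * a pattern map is satisfied when every key it names is present in the
    resource and each nested value matches;
  * a leaf string may use the wildcards `*` (any run of characters, including
    none) and `?` (exactly one character), so "?*" means "non-empty";
  * for pod controllers Kyverno auto-generates a rule that applies the same
    pattern to `spec.template`, which is why the README's Deployment was
    rejected at /spec/template/metadata/labels/... .
"""
from fnmatch import fnmatchcase
from typing import Any, Optional, Tuple

# Pattern and message copied from the README's ClusterPolicy.
REQUIRE_LABELS_PATTERN = {"metadata": {"labels": {"app.kubernetes.io/name": "?*"}}}
MESSAGE = "label `app.kubernetes.io/name` is required"

# Kinds that get the auto-generated pod-template rule (assumed subset).
POD_CONTROLLERS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def first_mismatch(pattern: Any, resource: Any, path: str = "") -> Optional[str]:
    """Return the path of the first pattern element the resource fails,
    or None when the whole pattern is satisfied."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return path + "/"
        for key, sub_pattern in pattern.items():
            if key not in resource:  # required key absent
                return f"{path}/{key}/"
            bad = first_mismatch(sub_pattern, resource[key], f"{path}/{key}")
            if bad is not None:
                return bad
        return None
    # Leaf: wildcard comparison. fnmatchcase also treats [] as a character
    # class, which is harmless for the label values used here.
    return None if fnmatchcase(str(resource), str(pattern)) else path + "/"


def validate(resource: dict) -> Tuple[bool, str]:
    """Admit or deny a resource the way the README policy would."""
    kind = resource.get("kind")
    if kind == "Pod":
        rule, root, prefix = "check-for-labels", resource, ""
    elif kind in POD_CONTROLLERS:
        template = resource.get("spec", {}).get("template", {})
        rule, root, prefix = "autogen-check-for-labels", template, "/spec/template"
    else:
        return True, "no rule matches this kind"
    bad = first_mismatch(REQUIRE_LABELS_PATTERN, root, prefix)
    if bad is None:
        return True, f"rule {rule} passed"
    return False, (f"Validation error: {MESSAGE}; "
                   f"Validation rule {rule} failed at path {bad}")


# Constructed sample manifests (dicts rather than YAML to stay stdlib-only).
# SAMPLE_DEPLOYMENT mirrors what `kubectl create deployment nginx --image=nginx`
# produces: an `app: nginx` label but no `app.kubernetes.io/name`.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "nginx", "labels": {"app": "nginx"}},
    "spec": {
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
        },
    },
}
# SAMPLE_POD is the compliant pod from the README.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "nginx", "labels": {"app.kubernetes.io/name": "nginx"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}
# An empty label value is present but fails "?*", which demands one character.
EMPTY_LABEL_POD = {"kind": "Pod", "metadata": {"labels": {"app.kubernetes.io/name": ""}}}

if __name__ == "__main__":
    for name, obj in [("deployment", SAMPLE_DEPLOYMENT), ("pod", SAMPLE_POD),
                      ("empty-label pod", EMPTY_LABEL_POD)]:
        allowed, detail = validate(obj)
        print(f"{name}: {'allowed' if allowed else 'denied'} ({detail})")
```

The empty-label case is the one worth noticing: the key exists, so a naive "label present" check would pass it, but the "?*" pattern requires at least one character, which is why the README policy uses it rather than "*".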

Clean up by deleting all cluster policies:

kubectl delete cpol --all

As a next step, browse the sample policies and learn about writing policies. You can test policies using the Kyverno CLI. See the docs for complete details.

Documentation

License

Apache License 2.0

Community

Community Meetings

To attend our next monthly community meeting, join the Kyverno group. You will then be sent a meeting invite and get access to the agenda and meeting notes.

Getting Help

Contributing

Thanks for your interest in contributing!

Presentations and Articles

Alternatives

Open Policy Agent

Open Policy Agent (OPA) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written in Rego, a custom query language.

k-rail

k-rail provides several ready-to-use policies for security and multi-tenancy. The policies are written in Golang. Several of the Kyverno sample policies were inspired by k-rail policies.

Polaris

Polaris validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score.

External configuration management tools

Tools like Kustomize can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.

Roadmap

See Milestones and Issues.