mirror of https://github.com/kyverno/kyverno.git synced 2025-04-06 09:13:31 +00:00

History

vivek kumar sahu a1f21c747f from policy/v1beta1 to policy/v1 (#2561 ) * from policy/v1beta1 to policy/v1 Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * replace "policy/v1beta1" by "policy/v1" Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>		2021-10-25 12:37:00 +05:30
..
templates	from policy/v1beta1 to policy/v1 (#2561 )	2021-10-25 12:37:00 +05:30
Chart.yaml	release v1.5.0-rc1	2021-10-07 16:04:08 -07:00
README.md	Helm README updates with values (#2548 )	2021-10-18 22:49:40 -07:00
values.yaml	Changing flag names for consistency (#2467 )	2021-10-06 10:32:48 -07:00

README.md

Kyverno

Kyverno is a Kubernetes Native Policy Management engine. It allows you to:

Manage policies as Kubernetes resources (no new language required.)
Validate, mutate, and generate resource configurations.
Select resources based on labels and wildcards.
View policy enforcement as events.
Scan existing resources for violations.

Access the complete user documentation and guides at: https://kyverno.io.

TL;DR

## Add the Kyverno Helm repository
$ helm repo add kyverno https://kyverno.github.io/kyverno/

## Install the Kyverno Helm chart
$ helm install kyverno --namespace kyverno kyverno/kyverno --create-namespace

Introduction

This chart bootstraps a Kyverno deployment on a Kubernetes cluster using the Helm package manager.

Installing the Chart

Add the Kyverno Helm repository:

$ helm repo add kyverno https://kyverno.github.io/kyverno/

Create a namespace:

You can install Kyverno in any namespace. The examples use kyverno as the namespace.

$ kubectl create namespace kyverno

Install the Kyverno chart:

$ helm install kyverno --namespace kyverno kyverno ./charts/kyverno

The command deploys Kyverno on the Kubernetes cluster with default configuration. The installation guide lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the kyverno deployment:

$ helm delete -n kyverno kyverno

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the kyverno chart and their default values.

Parameter	Description	Default
`antiAffinity`	node/pod affinities. Enabled by default but can be disabled in single-node clusters.	`nil`
`createSelfSignedCert`	generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false.	`false`
`config.existingConfig`	existing Kubernetes configmap to use for the resource filters configuration	`nil`
`config.resourceFilters`	list of resource types to be skipped by kyverno policy engine. See documentation for details	`[Event,,][,kube-system,][,kube-public,][,kube-node-lease,][Node,,][APIService,,][TokenReview,,][SubjectAccessReview,,][SelfSubjectAccessReview,,][,kyverno,][Binding,,][ReplicaSet,,][ReportChangeRequest,,][ClusterReportChangeRequest,,]`
`config.webhooks`	customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0	`nil`
`customLabels`	Additional labels	`{}`
`dnsPolicy`	Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see the official Kubernetes docs	`ClusterFirst`
`envVarsInit`	Extra environment variables to pass to kyverno initContainers
`envVars`	Extra environment variables to pass to Kyverno	{}
`extraArgs`	list of extra arguments to give the binary (ex., `--webhookTimeout=4`)	`[]`
`fullnameOverride`	override the expanded name of the chart	`nil`
`generatecontrollerExtraResources`	extra resource type Kyverno is allowed to generate	`[]`
`hostNetwork`	Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS	`false`
`image.pullPolicy`	Image pull policy	`IfNotPresent`
`image.pullSecrets`	Specify image pull secrets	`[]` (does not add image pull secrets to deployed pods)
`image.repository`	Image repository	`ghcr.io/kyverno/kyverno`
`image.tag`	Image tag	`nil`
`initImage.pullPolicy`	Init image pull policy	`nil`
`initImage.repository`	Init image repository	`ghcr.io/kyverno/kyvernopre`
`initImage.tag`	Init image tag	`nil`
`livenessProbe`	liveness probe configuration	`{}`
`nameOverride`	override the name of the chart	`nil`
`namespace`	namespace the chart deploy to	`nil`
`networkPolicy.enabled`	when true, use a NetworkPolicy to grant access to the webhook.	`false`
`nodeSelector`	node labels for pod assignment	`{}`
`podAnnotations`	annotations to add to each pod	`{}`
`podLabels`	additional labels to add to each pod	`{}`
`podSecurityContext`	security context for the pod	`{}`
`podDisruptionBudget.enabled`	Adds a PodDisruptionBudget for the kyverno deployment	`false`
`podDisruptionBudget.minAvailable`	Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set.	`0`
`podDisruptionBudget.maxUnavailable`	Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set.	`nil`
`priorityClassName`	priorityClassName	`nil`
`rbac.create`	create ClusterRoles, ClusterRoleBindings, and ServiceAccount	`true`
`rbac.serviceAccount.create`	create a ServiceAccount	`true`
`rbac.serviceAccount.name`	the ServiceAccount name	`nil`
`rbac.serviceAccount.annotations`	annotations for the ServiceAccount	`{}`
`readinessProbe`	readiness probe configuration	`{}`
`replicaCount`	desired number of pods	`1`
`resources`	pod resource requests and limits	`{}`
`securityContext`	security context configuration	`{}`
`service.annotations`	annotations to add to the service	`{}`
`service.nodePort`	node port	`nil`
`service.port`	port for the service	`443`
`service.type`	type of service	`ClusterIP`
`serviceMonitor.enabled`	create a ServiceMonitor(Requires Prometheus)	`false`
`serviceMonitor.namespace`	override namespace for ServiceMonitor (default is same than kyverno)	`false`
`serviceMonitor.additionalLabels`	additional labels to add for ServiceMonitor	`nil`
`serviceMonitor.interval`	interval to scrape metrics	`30s`
`serviceMonitor.scrapeTimeout`	timeout if metrics can't be retrieved in given time interval	`25s`
`serviceMonitor.secure`	is TLS required for endpoint	`false`
`serviceMonitor.tlsConfig`	TLS Configuration for endpoint	`[]`
`testImage.pullPolicy`	image pull policy for test image (defaults to `image.pullPolicy`)	`nil`
`testImage.repository`	repository for chart test image	`busybox`
`testImage.tag`	tag for chart test image	`nil`
`tolerations`	list of node taints to tolerate	`[]`
`topologySpreadConstraints`	node/pod topology spread constrains	`[]`

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install --namespace kyverno kyverno ./charts/kyverno \
  --set=image.tag=v0.0.2,resources.limits.cpu=200m

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

$ helm install --namespace kyverno kyverno ./charts/kyverno -f values.yaml

Tip: You can use the default values.yaml

TLS Configuration

If createSelfSignedCert is true, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the installation documentation

If createSelfSignedCert is false, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation.

Kyverno CLI

See: https://kyverno.io/docs/kyverno-cli/