1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Cloud Native Policy Management
Find a file
2020-06-05 17:12:36 -07:00
.github Hotfix/remove docker changes (#909) 2020-06-04 16:09:12 -07:00
api revert data loaction 2020-03-26 19:10:54 +05:30
charts/kyverno update helm install 2020-06-05 16:59:26 -07:00
cmd - enable profiling; - update install.yaml 2020-06-02 16:50:51 -07:00
definitions Added aggregated view clusterroles 2020-06-05 14:36:37 -07:00
documentation update helm installation instructions 2020-06-05 16:57:52 -07:00
pkg Tag release 1.1.6 (#911) 2020-06-04 17:13:16 -07:00
samples Bugfix/878 fix disallow sysctls (#899) 2020-06-03 17:46:01 -07:00
scripts remove arm from goreleaser (#903) 2020-06-04 11:45:37 -07:00
test Bugfix/659 support wildcards for namespaces (#871) 2020-05-26 10:36:56 -07:00
.codeclimate.yml remove arm from goreleaser (#903) 2020-06-04 11:45:37 -07:00
.directory Implemented validation across same yaml 2019-06-20 18:21:55 +03:00
.gitignore ignore cli binary 2020-04-02 09:38:52 -07:00
.golangci.yml codeclimate and golangci-lint added 2020-03-24 02:01:50 +05:30
.goreleaser.yml update CLI executable name (#910) 2020-06-04 16:43:05 -07:00
.travis.yml Merge branch 'master' of github.com:nirmata/kyverno into fix-709 2020-06-02 13:27:51 -07:00
CODE_OF_CONDUCT.md add code of conduct & contributing section 2019-06-12 09:39:37 -07:00
CONTRIBUTING.md remove extra documentation 2020-03-26 20:06:20 +05:30
go.mod fix violation updates when there's no change 2020-06-01 19:37:48 -07:00
go.sum fix violation updates when there's no change 2020-06-01 19:37:48 -07:00
LICENSE Create LICENSE 2019-06-05 23:00:32 -04:00
Makefile remove duplicate crd changes 2020-06-05 13:44:47 -07:00
README.md Note added for kubernetes version (#889) 2020-05-28 13:57:20 -07:00

Kyverno - Kubernetes Native Policy Management

Build Status Go Report Card

logo

Kyverno is a policy engine designed for Kubernetes.

Kyverno supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.

Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.

Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources.

Kyverno runs as a dynamic admission controller in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests.

Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names.

Mutating policies can be written as overlays (similar to Kustomize) or as a JSON Patch. Validating policies also use an overlay style syntax, with support for pattern matching and conditional (if-then-else) processing.

Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.

NOTE : Your Kubernetes server must be at or later than version v1.14. To check the version, enter kubectl version.

Examples

1. Validating resources

This policy requires that all pods have CPU and memory resource requests and limits:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-cpu-memory
spec:
  # `enforce` blocks the request. `audit` reports violations
  validationFailureAction: enforce
  rules:
    - name: check-pod-resources
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory resource requests and limits are required"
        pattern:
          spec:
            containers:
              # 'name: *' selects all containers in the pod
              - name: "*"
                resources:
                  limits:
                    # '?' requires 1 alphanumeric character and '*' means that 
                    # there can be 0 or more characters. Using them together 
                    # e.g. '?*' requires at least one character.
                    memory: "?*"
                    cpu: "?*"
                  requests:
                    memory: "?*"
                    cpu: "?*"

This policy prevents users from changing default network policies:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-netpol-changes
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: check-netpol-updates
      match:
        resources:
          kinds:
            - NetworkPolicy
          name:
            - *-default
      exclude:
        clusterRoles:
          - cluster-admin    
      validate:
        message: "Changing default network policies is not allowed"
        deny: {}

2. Mutating resources

This policy sets the imagePullPolicy to Always if the image tag is latest:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-image-pull-policy
spec:
  rules:
    - name: set-image-pull-policy
      match:
        resources:
          kinds:
            - Pod
      mutate:
        overlay:
          spec:
            containers:
              # match images which end with :latest
              - (image): "*:latest"
                # set the imagePullPolicy to "Always"
                imagePullPolicy: "Always"

3. Generating resources

This policy sets the Zookeeper and Kafka connection strings for all namespaces.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "zk-kafka-address"
spec:
  rules:
    - name: "zk-kafka-address"
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: ConfigMap
        name: zk-kafka-address
        # generate the resource in the new namespace
        namespace: "{{request.object.metadata.name}}"
        data:
          kind: ConfigMap
          data:
            ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
            KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"

For more examples, refer to a list of curated of sample policies that can be applied to your cluster.

Documentation

Presentations and Articles

License

Apache License 2.0

Alternatives

Open Policy Agent

Open Policy Agent (OPA) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using Rego a custom query language.

k-rail

k-rail provides several ready to use policies for security and multi-tenancy. The policies are written in Golang. Several of the Kyverno sample policies were inspired by k-rail policies.

Polaris

Polaris validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score.

External configuration management tools

Tools like Kustomize can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.

Roadmap

See Milestones and Issues.

Getting help

Contributing

Thanks for your interest in contributing!