mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Cloud Native Policy Management

Find a file

Michael Barrientos b067f41d02 Replace Policy CRD AnyValue fields with empty dict (#1086 ) /kind cleanup \## Proposed change This implements the same change as #1047, except for the new Policy CRD instead of the ClusterPolicy CRD, which apparently did not get those updates before merging. When deploying Kyverno using Argo CD, we get a persistent false diff for the Policy custom resource definition (the definition itself, not instances of Policy), because Kubernetes converts the invalid AnyValue: {} property types to just an empty dict {}. Since the Kubernetes server makes this change to {} unilaterally after applying, when a diffing tool like Argo CD compares it against the YAML manifest, each such instance of AnyValue appears as a diff. I know that since AnyValue is not part of the official OpenAPI V3 schema, and that when you run kubectl get crd policies.kyverno.io -o yaml the status message shows Kubernetes complaining about "Required value: must not be empty for specified object fields" for all of these fields. In theory the correct solution would be to somehow provide a full schema, but I know this can be tricky for these data/anyPattern/patches types, but at the minimum, I would like to get Argo CD to believe that there are no changes that need to be applied. Since these fields are already silently turned into {} by Kubernetes, this should have no functionality change on existing code/deployments.		2020-08-26 11:11:36 -07:00
.github	git action added (#1078 )	2020-08-21 12:24:02 -07:00
api	revert data loaction	2020-03-26 19:10:54 +05:30
charts/kyverno	Replace Policy CRD AnyValue fields with empty dict (#1086 )	2020-08-26 11:11:36 -07:00
cmd	Events take several minutes to show on the resource (#1083 )	2020-08-26 14:28:34 +05:30
definitions	Replace Policy CRD AnyValue fields with empty dict (#1086 )	2020-08-26 11:11:36 -07:00
documentation	updated readme - apply example	2020-08-22 01:07:04 +05:30
pkg	Events take several minutes to show on the resource (#1083 )	2020-08-26 14:28:34 +05:30
samples	add validateFailureAction to all policies (#1068 )	2020-08-19 14:04:58 -07:00
scripts	e2e workflow added (#1021 )	2020-08-06 11:56:31 +05:30
test	Feature/e2e 575 (#1018 )	2020-08-06 10:46:10 +05:30
.codeclimate.yml	remove arm from goreleaser (#903 )	2020-06-04 11:45:37 -07:00
.directory	Implemented validation across same yaml	2019-06-20 18:21:55 +03:00
.gitignore	Events fix (#1006 )	2020-07-20 20:30:02 +05:30
.golangci.yml	codeclimate and golangci-lint added	2020-03-24 02:01:50 +05:30
.goreleaser.yml	Added version in cli (#990 )	2020-07-15 02:16:03 +05:30
.krew.yaml	krew yaml fixes (#1000 )	2020-07-15 14:37:04 -07:00
CODE_OF_CONDUCT.md	add code of conduct & contributing section	2019-06-12 09:39:37 -07:00
CONTRIBUTING.md	remove extra documentation	2020-03-26 20:06:20 +05:30
go.mod	Feature/e2e 575 (#1018 )	2020-08-06 10:46:10 +05:30
go.sum	Feature/namespaced policy 280 (#1058 )	2020-08-19 09:07:23 -07:00
LICENSE	Create LICENSE	2019-06-05 23:00:32 -04:00
Makefile	tag v1.1.10	2020-08-21 11:12:55 -07:00
README.md	1040 automate release (#1044 )	2020-08-12 07:54:45 -07:00

README.md

Kyverno - Kubernetes Native Policy Management

Kyverno is a policy engine built for Kubernetes:

policies as Kubernetes resources (no new language to learn!)
validate, mutate, or generate any resource
match resources using label selectors and wildcards
validate and mutate using overlays (like Kustomize!)
generate and synchronize defaults across namespaces
block or report violations
test using kubectl

Quick Start

NOTE : Your Kubernetes cluster version must be above v1.14 which adds webhook timeouts. To check the version, enter kubectl version.

Install Kyverno:

kubectl create -f https://raw.githubusercontent.com/nirmata/kyverno/master/definitions/release/install.yaml

You can also install Kyverno using a Helm chart.

Add the policy below. It contains a single validation rule that requires that all pods have a app.kubernetes.io/name label. Kyverno supports different rule types to validate, mutate, and generate configurations. The policy attribute validationFailureAction is set to enforce to block API requests that are non-compliant (using the default value audit will report violations but not block requests.)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "label `app.kubernetes.io/name` is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"

Try creating a deployment without the required label:

kubectl create deployment nginx --image=nginx

You should see an error:

Error from server: admission webhook "nirmata.kyverno.resource.validating-webhook" denied the request:

resource Deployment/default/nginx was blocked due to the following policies

require-labels:
  autogen-check-for-labels: 'Validation error: label `app.kubernetes.io/name` is required;
    Validation rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/'

Create a pod with the required label. For example from this YAML:

kind: "Pod"
apiVersion: "v1"
metadata:
  name: nginx
  labels:
    app.kubernetes.io/name: nginx
spec:
  containers:
  - name: "nginx"
    image: "nginx:latest"

This pod configuration complies with the policy rules, and is not blocked.

Clean up by deleting all cluster policies:

kubectl delete cpol --all

As a next step, browse the sample policies and learn about writing policies. You can test policies using the Kyverno cli. See docs for complete details.

Documentation

License

Apache License 2.0

Community

Community Meetings

To attend our next monthly community meeting join the Kyverno group. You will then be sent a meeting invite and get access to the agenda and meeting notes.

Getting Help

For feature requests and bugs, file an issue.
For discussions or questions, join the #kyverno channel on the Kubernetes Slack or the mailing list.

Contributing

Thanks for your interest in contributing!

Please review and agree to abide with the Code of Conduct before contributing.
We encourage all contributions and encourage you to read our contribution guidelines.
See the Wiki for developer documentation.
Browse through the open issues

Presentations and Articles

Alternatives

Open Policy Agent

Open Policy Agent (OPA) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using Rego a custom query language.

k-rail

k-rail provides several ready to use policies for security and multi-tenancy. The policies are written in Golang. Several of the Kyverno sample policies were inspired by k-rail policies.

Polaris

Polaris validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score.

External configuration management tools

Tools like Kustomize can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.

Roadmap

See Milestones and Issues.