Kyverno
➡️ What is Kyverno 🤔 ?
According to the Kyverno official documentation, it is described as follows:
Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.
But what are all these "policies" we are talking about? To simplify, let's take an example:
We have all been to schools, colleges or universities at some point in our lives, and some of us are still there right now (like me :D). While attending, there are various rules we need to keep in mind. These rules can be seen as the policies of the "Kubernetes" school or college. So if you want to restrict, validate or mandate some properties or features that your deployment should or shouldn't have, you can express that using policies, and Kyverno helps you create the policies that validate your deployment and return errors if a requirement is not met. As you might have guessed, this gives you full control over what goes into your deployment and whether it meets the guidelines you have created.
➡️ Architecture of Kyverno ⚙️
Let's look into the architecture. Understanding every part of the architecture is not essential at this point, but knowing where everything goes and how the workflow runs can help you better visualize and implement it. Let's take a look at the images below.
As seen, Kyverno acts as a middleman when you apply manifest files to your cluster: it verifies the request and, if it passes, the resource is applied to the requested part of the deployment. Enough theory, let's try it out.
➡️ Hands-on time 🤩!
Now we will be doing a simple nginx container deployment. But this time we don't want the :latest image of nginx, so the deployment won't be allowed if the image has the :latest tag, and will be allowed only if it has another tag, :1.14.2. So let's start.
Installations 💻 :
1) First of all, we will be using helm in this tutorial, so it's essential that you have helm installed. Then go ahead and create a Kubernetes cluster on any cloud service provider of your choice; in this tutorial I will be using minikube.
2) Now let's add the Kyverno repo to helm. Run the following command in the terminal
3) We now have to install Kyverno into our deployment cluster. Run the following 2 commands
4) You can verify that it was installed successfully by running the following kubectl command
You should get something like this 👇
If you get this then you have successfully installed Kyverno and you are ready to work with it.
Creating, Testing & Managing Policies ✨ :
1) Now create a folder named Kyverno on your computer and add two files: nginx.yml, which will be our deployment file, and my-policy.yml, which will hold the policy we are trying to apply. Add the following yml configuration to them. (It can also be found here)
-- This is code for nginx.yml
(Notice that here the image tag is 1.14.2)
-- This code is for my-policy.yml
(You can see different policy templates here, the one we are customizing and using here is this)
Now edit the spec section of the configuration in my-policy.yml as below (on line 16, to be specific)
We are done with the edit. Now let's see whether Kyverno stops us when we try to deploy nginx:latest. For this, update nginx.yml so it looks as follows:
Now apply my-policy.yml using the following command
You will get output similar to
Now apply nginx.yml using the following command. (Remember, as we have edited it to nginx:latest, this should not get deployed and we should get an error)
You should get an error message similar to
Wohoo 🎉 you have successfully created a policy that doesn't allow :latest tags on the image.
Now change the tag in the nginx.yml file back to :1.14.2 and apply nginx.yml again. This time it should get deployed, as the image no longer has the :latest tag.
And the output for this should be
That's it, that's how you enforce and manage policies using Kyverno. You can use the many pre-made policies or create your own custom ones. And that is all for this blog. I would definitely like to hear your feedback in the comments below. Until next time 👋
References 📖
The above images are not created by me and are taken from the internet. The credit for these images goes to their respective creators :)