Securing and Automating Kubernetes with Kyverno
- 3. What is Kyverno?
• A policy engine designed for Kubernetes
• Policies are themselves Kubernetes resources and use Kubernetes patterns and idioms
• Familiar to Kubernetes users: policies are written in YAML, like the resources they govern
- 4. Why Policies?
• Kubernetes configurations are complex to manage across developers and operations.
• External configuration tools (Helm, Kustomize, etc.) render manifests but cannot ensure that environment-specific configurations are actually applied, or that every change reaches the cluster through them.
• Admission controllers run in the API server before an object is persisted, so they can validate best practices and mutate configurations for every request, whatever its origin.
• Policy management tools like Kyverno build on admission control and let you manage “policies” and “rules” declaratively, without writing custom controllers.
- 5. Why Kyverno?
1. Declarative policies that are easy to write and manage
2. Policy results that are easy to view and process
3. Validate (audit or enforce), Mutate, and Generate
4. Supports all Kubernetes resource types, including custom resources (CRs)
5. Adopts Kubernetes patterns and practices, e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc.
- 7. A Kyverno Policy
A policy contains rules; each rule selects the resources and requests it applies to (match) and can carve out exceptions (exclude) using:
• Kinds
• Names (with wildcards)
• Label Selectors (with wildcards)
• Namespaces (with wildcards)
• Namespace Selector
• User Roles
• User Groups
• Usernames
- 10. Mutate
● JSON Patch (RFC 6902)
○ Use for precise, path-addressed updates (add, remove, replace)
● StrategicMergePatch
○ Use for describing intent
○ Anchors for conditional logic
• conditional anchor (key): apply the patch only “if” the field matches
• add-if-not-present anchor +(key): set a default only “if not defined”
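As an added example (not from the deck or the Kyverno project), one ClusterPolicy that uses both patch styles against Pods. The policy and rule names and the default request sizes are assumptions:

```yaml
# Added example, not from the slides. Policy and rule names are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-mutation-defaults
spec:
  rules:
    # StrategicMergePatch, describing intent.
    # (image) is a conditional anchor: the sibling fields are applied only to
    # containers whose image matches the pattern. Any container using a mutable
    # :latest tag is forced to re-pull on every start, even if the author set
    # imagePullPolicy explicitly to something weaker.
    - name: always-pull-mutable-tags
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (image): "*:latest"
                imagePullPolicy: Always
    # +(key) is an add-if-not-present anchor: the default is written only when
    # the author did not choose a value, so explicit requests are never
    # overridden. (name): "*" makes the patch apply to every container.
    - name: default-resource-requests
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  requests:
                    +(cpu): "100m"
                    +(memory): "128Mi"
    # JSON Patch (RFC 6902), for a precise, path-addressed change. JSON Patch
    # has no anchors, so a precondition provides the "if not defined" check:
    # JMESPath "||" yields '' when the field is null. Workloads that need API
    # access can still opt in by setting the field to true themselves.
    - name: default-sa-token-automount-off
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        all:
          - key: "{{ request.object.spec.automountServiceAccountToken || '' }}"
            operator: Equals
            value: ""
      mutate:
        patchesJson6902: |-
          - op: add
            path: /spec/automountServiceAccountToken
            value: false
```

Two caveats a reviewer would raise: RFC 6902 `add` replaces an existing value and fails when the parent path does not exist (so `/metadata/labels/team` errors on a Pod with no labels map), and mutations run before validation, so a validate rule in the same cluster sees the mutated object, not what the user submitted.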
- 11. Validate
● Overlays with patterns specify the desired state
● Every field in the pattern must match the resource; fields not in the pattern are ignored
● Pattern wildcards
○ * : zero or more characters
○ ? : exactly one character
● Operators
○ >, <, >=, <= (numbers, quantities, durations), ! (not), | (or)
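As an added example (written for this page, not taken from the deck or the Kyverno policy library), a validate policy that exercises the wildcards and operators above. The policy name, the internal registry hostname `registry.example.com` and the limit ceilings are assumptions:

```yaml
# Added example, not from the slides. Policy name and registry host are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-and-limit-hygiene
spec:
  # Audit records violations in PolicyReports; Enforce rejects the request.
  validationFailureAction: Enforce
  rules:
    - name: image-from-internal-registry-with-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "images must be pulled from registry.example.com and carry a tag or digest"
        pattern:
          spec:
            containers:
              # "*" matches zero or more characters; the trailing ":*" requires
              # something after the name. A digest reference (@sha256:...) also
              # matches because "*" is not path-segment aware.
              - image: "registry.example.com/*:*"
    - name: no-mutable-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "the :latest tag is mutable; pin a version or a digest"
        pattern:
          spec:
            containers:
              # "!" negates the pattern: any value except a :latest reference.
              - image: "!*:latest"
    - name: bounded-limits-and-pull-policy
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "set memory/cpu limits (at most 4Gi / 2 cores) and do not use imagePullPolicy: Never"
        pattern:
          metadata:
            labels:
              # "?*" means at least one character: the label must exist and be non-empty.
              app.kubernetes.io/name: "?*"
          spec:
            containers:
              # "<=" compares Kubernetes quantities; "|" is OR between alternatives.
              - resources:
                  limits:
                    memory: "<=4Gi"
                    cpu: "<=2"
                imagePullPolicy: "Always | IfNotPresent"
```

A pattern list element is checked against every element of the resource's list, so each rule applies to all `containers`; `initContainers` are a separate field and need their own pattern. Before loading this into a cluster, test it offline with the CLI, e.g. `kyverno apply image-and-limit-hygiene.yaml --resource pod.yaml`.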
- 12. Generate
● Triggers when a matching resource is created (e.g. a new Namespace)
● Useful for creating defaults for a namespace
● Clones an existing resource or creates one from in-line data
● Can optionally keep the generated resource in sync with its source across namespaces
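As an added example (not from the deck or the Kyverno project), a generate policy that gives every new namespace a default-deny NetworkPolicy from in-line data and clones an image-pull Secret into it. The policy name, the excluded namespace names, and the source namespace `platform-secrets` and Secret `regcred` are assumptions:

```yaml
# Added example, not from the slides. Policy, namespace and Secret names are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-defaults
spec:
  rules:
    # Trigger: creation of a Namespace. The NetworkPolicy is built from the
    # in-line "data" block. synchronize: true re-applies it if a tenant edits or
    # deletes the generated object, so default-deny cannot be silently removed.
    - name: default-deny-network
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{ request.object.metadata.name }}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
    # Clone an existing resource instead of spelling it out: copy the registry
    # pull Secret from one source namespace into each new namespace.
    - name: clone-registry-credentials
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kyverno
      generate:
        apiVersion: v1
        kind: Secret
        name: regcred
        namespace: "{{ request.object.metadata.name }}"
        synchronize: true
        clone:
          namespace: platform-secrets
          name: regcred
```

Two things to check before enabling generate rules: Kyverno's own ServiceAccount must hold create/update/delete permission on every generated kind (the default install covers common kinds; anything else needs an extra ClusterRole), and a clone rule is a secret-distribution channel, so the source namespace should be writable only by the platform team and the cloned Secret should carry nothing beyond pull credentials.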
- 14. Advanced Features
• Anchors and operators
• Variables
– Inline policy data
– JMESPath expressions over the admission request ({{request.object...}})
• External data lookups
– ConfigMaps
– API calls
• Deny rules (reject a request when a set of conditions holds)
• Auto-generation of pod controller rules (a Pod rule is applied to Deployments, StatefulSets, etc.)
• Command-line tool (kyverno CLI) for CI/CD and for dev-test of policies
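As an added example (not from the deck or the Kyverno project), one policy combining the match/exclude selectors from the “A Kyverno Policy” slide with deny rules, JMESPath variables and a ConfigMap lookup. The policy and rule names, the `example.com/protected` label and the `kyverno/tenant-limits` ConfigMap (assumed to hold a numeric string under `maxReplicas`) are all assumptions:

```yaml
# Added example, not from the slides. Policy, label and ConfigMap names are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-guardrails
spec:
  validationFailureAction: Enforce
  # request.* variables (operation, user info, oldObject) exist only during
  # admission, so background scanning of existing resources must be off.
  background: false
  rules:
    # Deny DELETE of protected workloads unless the requester holds
    # cluster-admin. match uses kinds plus a label selector; exclude uses a
    # ClusterRole, both from the selector list on the "A Kyverno Policy" slide.
    - name: deny-delete-of-protected-workloads
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
              selector:
                matchLabels:
                  example.com/protected: "true"
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
      validate:
        # On DELETE request.object is null; the object being removed is request.oldObject.
        message: >-
          {{ request.oldObject.kind }}/{{ request.oldObject.metadata.name }} is protected;
          deleting it requires cluster-admin
        deny:
          conditions:
            all:
              - key: "{{ request.operation }}"
                operator: Equals
                value: DELETE
    # External data lookup: the replica cap is read from a ConfigMap, so
    # operations can raise it without editing the policy. JMESPath in {{ }}
    # reads from the request and from the named context entry.
    - name: replicas-within-tenant-cap
      match:
        any:
          - resources:
              kinds:
                - Deployment
      context:
        - name: tenantlimits
          configMap:
            name: tenant-limits
            namespace: kyverno
      validate:
        message: >-
          spec.replicas={{ request.object.spec.replicas }} exceeds the cap of
          {{ tenantlimits.data.maxReplicas }} set in ConfigMap kyverno/tenant-limits
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.replicas }}"
                operator: GreaterThan
                value: "{{ tenantlimits.data.maxReplicas }}"
```

Note the failure mode of the lookup: if the ConfigMap is missing or the Kyverno ServiceAccount cannot read it, the context fails to load, the rule fails, and in Enforce mode the request is rejected. That is the safe direction, but it means the ConfigMap is now part of the cluster's availability surface and should be protected from deletion as well.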
- 15. Use Cases
• Security validation and enforcement
• Fine-grained RBAC
• Multi-tenancy
• Auto-labeling
• Sidecar (including certificate) injection with mounts, etc.
• IFTTT for Kubernetes
- 17. Pod Security
• What is a Pod Security Policy (PSP)?
o Cluster-scoped resource that controls the security configuration of pods
o Deprecated in v1.21 and removed in v1.25
• A KEP replaces PSP with namespace-based Pod Security Levels (the Pod Security Standards, applied per namespace by the built-in Pod Security Admission controller):
o Privileged
o Baseline
o Restricted
- 18. Kyverno Policies for Pod Security
• Also based on the Pod Security Levels (Baseline and Restricted)
• Available at: https://kyverno.io/policies/pod-security/
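As an added example (written for this page, modeled on the Baseline checks but not copied from the library above), two Baseline-level validate rules. The policy name is assumed; the rules start in Audit mode so existing workloads show up in PolicyReports before anything is blocked:

```yaml
# Added example, not from the slides or the Kyverno policy library. Policy name is assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-privileged-and-host-namespaces
spec:
  # Audit first: violations are reported, not rejected. Switch to Enforce once
  # the reports are clean.
  validationFailureAction: Audit
  # Background scanning also evaluates Pods that already exist in the cluster.
  background: true
  rules:
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "privileged containers are not allowed (Pod Security Baseline)"
        pattern:
          spec:
            # =(key) is an equality anchor: the key may be absent, but if present
            # it must match. A plain pattern would fail every pod that simply
            # omits securityContext, which is the common (and safe) case.
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    - name: disallow-host-namespaces
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "host PID, IPC and network namespaces are not allowed (Pod Security Baseline)"
        pattern:
          spec:
            =(hostPID): "false"
            =(hostIPC): "false"
            =(hostNetwork): "false"
```

Because these rules match Pods, Kyverno's auto-generation also applies them to the pod templates of Deployments, StatefulSets and the other pod controllers, so a violating Deployment is reported (or rejected) at the controller rather than at each Pod it creates.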
- 20. Roadmap: Major Features
1. Multiple replicas for scale and availability
2. Custom JMESPath functions
3. JavaScript functions for complex validation
- 21. How can you contribute?
- Kyverno Repo - https://github.com/kyverno/kyverno
- Slack Channel - Kubernetes Slack channel #kyverno
- 23. Summary and Takeaways
1. Policies are useful for managing Kubernetes configurations at scale
2. Kyverno is built for Kubernetes
3. Kyverno can validate (audit or enforce), mutate, and generate configurations
4. Kyverno supports best practices for pod security and isolation
5. Kyverno is easy to use! Install Kyverno in your clusters, try the best-practice policies, and give us feedback!