# Policies With Kyverno

There are five main capabilities of Kyverno:

* Resource Validation
    * Is it allowed? A 'Yes' or 'No' response
    * 'No' usually includes a custom message explaining WHY
* Resource Mutation
    * Should the resource be changed? If so, how?
    * Good for adding information that is only known at runtime
* Resource Generation
    * Kyverno can create new Kubernetes resources
    * For example, if a new namespace is created, clone a specific secret into it
    * *Resource generation enables multitenancy*
* Software Supply Chain
    * Kyverno has a rule type 'Verify Images' (`verifyImages`) that can verify signatures and verify attestations
    * Secures container images and other OCI artifacts
    * *Verify images supports both Sigstore and Notary*
* Resource Clean Up
    * Clean up any resource
    * For example, remove old pods based on age
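As an added illustration of the five capabilities (this is not the `policies/kyverno.yaml` that the steps below install), here is one policy object per capability. The registry prefix `ghcr.io/example-org/*`, the CI identity `https://github.com/example-org/*` and the `regcred` Secret in the `default` namespace are placeholders; substitute your own.

```yaml
# Added example, not the policies/kyverno.yaml this page installs: one object per capability.
# Placeholders: ghcr.io/example-org/*, the CI identity https://github.com/example-org/*,
# and a Secret named regcred in the default namespace.
---
# 1. Validation and 2. Mutation: one ClusterPolicy, two rules
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline
spec:
  validationFailureAction: Enforce   # Audit only records a PolicyReport
  rules:
    - name: disallow-latest-tag
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Pin images to a tag or digest; ':latest' is not allowed."   # the WHY
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    - name: add-managed-by-label
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(app.kubernetes.io/managed-by): kyverno   # +() = add only if absent
---
# 3. Generation: clone an image pull Secret into every new Namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-regcred
spec:
  rules:
    - name: clone-regcred
      match: { any: [ { resources: { kinds: [Namespace] } } ] }
      generate:
        apiVersion: v1
        kind: Secret
        name: regcred
        namespace: "{{request.object.metadata.name}}"
        synchronize: true   # re-copy when the source Secret changes
        clone:
          namespace: default
          name: regcred
---
# 4. Software supply chain: admit only images signed by the CI identity (Sigstore keyless)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30   # verification calls the registry and Rekor
  rules:
    - name: verify-cosign-keyless
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
---
# 5. Cleanup: every 30 minutes delete Pods that completed more than 24h ago
apiVersion: kyverno.io/v2   # kyverno.io/v2beta1 on older releases
kind: ClusterCleanupPolicy
metadata:
  name: remove-completed-pods
spec:
  match: { any: [ { resources: { kinds: [Pod] } } ] }
  conditions:
    all:
      - key: "{{ target.status.phase }}"
        operator: Equals
        value: Succeeded
      - key: "{{ time_since('', '{{ target.metadata.creationTimestamp }}', '') }}"
        operator: GreaterThan
        value: 24h
  schedule: "*/30 * * * *"
```

After applying these, `kubectl run probe --image=nginx:latest` should be rejected with the message from the first rule, and a Pod that passes gets the `app.kubernetes.io/managed-by` label because mutation runs before validation in the same admission request. Start with `validationFailureAction: Audit` on a cluster that already has workloads, and read the PolicyReports before switching to `Enforce`. Generate and cleanup rules act outside the admission request, so Kyverno's background and cleanup controllers need RBAC that allows them to create or delete the target kind.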

## Setup

```bash
# TODO: kapp-controller

chmod +x manuscript/policies/kyverno.sh

./manuscript/policies/kyverno.sh

source .env
```

## Do

```bash
cat policies/kyverno.yaml

cp policies/kyverno.yaml infra/policies.yaml

git add .

git commit -m "Policies"

git push

kubectl get clusterpolicies

# Wait until the policies are created

export POLICY_KIND=clusterpolicy

yq --inplace ".policies.type = \"kyverno\"" settings.yaml

yq --inplace ".policies.kind = \"$POLICY_KIND\"" settings.yaml

cp $GITOPS_APP/cncf-demo-$TEMPLATES.yaml apps/cncf-demo.yaml

git add .

git commit -m "CNCF Demo"

git push
```

How Did You Define Your App?