What is Kyverno? - Policy Management using Kyverno

I do Dev, I do Ops, and I do it (most days).
Hi everyone, welcome back. Today we're talking about Kyverno, a policy engine for Kubernetes. It might sound complicated, but it's actually quite simple. Before we begin, a few things you should know: you don't have to be a Kubernetes expert, but it helps if you've already deployed one or two apps on Kubernetes. Let's begin!
➡️ What is Kyverno?

Kyverno is a policy engine built for Kubernetes. Policies are written as Kubernetes resources (YAML custom resources), so you don't need to learn a new policy language, and you can manage them with the tools you already know, like kubectl, git, and kustomize. Kyverno policies can validate, mutate, and generate Kubernetes resources, and can verify container image signatures and attestations. You can also use the Kyverno command-line tool to test policies and check resources as part of your development and deployment pipeline.
But what are all these "policies" we are talking about? Let's take an example to simplify:
We have all attended schools, colleges, or universities at some point in our lives; some of us might still be pursuing our education. In these institutions we follow various rules, and that is exactly what a policy is in the Kubernetes context. If you want to restrict, validate, or mandate certain properties or features of your deployment, you express those requirements as policies. Kyverno evaluates your deployment against these policies and reports (or, in enforce mode, blocks) anything that does not meet them. This gives you control over what goes into your cluster and whether it adheres to the guidelines you have established.

➡️ Architecture of Kyverno
Let's look at the structure. You don't need to understand every part right now, but knowing where things sit and how a request flows through helps you use it better. Let's look at the pictures below.

As the diagrams show, Kyverno sits between you and the cluster when you apply manifest (YAML) files. It runs as a dynamic admission controller: the Kubernetes API server sends every matching create or update request to Kyverno's admission webhook before the object is stored. Kyverno evaluates the request against its policies; if it passes, the API server persists the resource, and if it violates an enforced policy the request is rejected with an error. Kyverno can also scan resources that already exist in the cluster in the background and record the results in policy reports. Let's try it out.
➡️ Hands-on time!
Now we will do a simple deployment of an Nginx container. But this time we don't want to use the :latest image of Nginx; we will only allow the deployment if the image has the :1.14.2 tag. Let's start.
Installations 💻
1) We will be using Helm in this tutorial, so make sure you have Helm installed. Next, create a Kubernetes cluster, either on a cloud provider of your choice or locally. In this tutorial I will be using Minikube.
2) Now add the Kyverno chart repository to Helm. Run the following command in your terminal:
helm repo add kyverno https://kyverno.github.io/kyverno/
3) Now install Kyverno into the cluster. Run the following two commands in this order: Kyverno itself first, because the policies chart needs the kyverno namespace and the Kyverno CRDs to exist before it can be installed.
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
# This command is optional: it installs Kyverno's implementation of the Kubernetes Pod Security Standards as policies (in Audit mode by default, so it reports but does not block). I have included it because it can be a valuable practice in the long run :)
helm install kyverno-policies kyverno/kyverno-policies -n kyverno
# Output for the above command:
NAME: kyverno
LAST DEPLOYED: Tue Dec 20 14:31:48 2022
NAMESPACE: kyverno
STATUS: deployed
REVISION: 1
NOTES:
Chart version: 2.6.5
Kyverno version: v1.8.5
Thank you for installing kyverno! Your release is named kyverno.
4) You can verify that the installation succeeded by running the following kubectl command:
kubectl get deploy -n kyverno
You should see something like this:
NAME READY UP-TO-DATE AVAILABLE AGE
kyverno 1/1 1 1 98s
If you see this, Kyverno is installed and you're all set to use it. Note that newer chart versions (3.x) split Kyverno into several deployments (kyverno-admission-controller, kyverno-background-controller, kyverno-cleanup-controller and kyverno-reports-controller), so you will see more than one line; what matters is that every deployment shows READY.
Creating, Testing & Managing Policies:
1) Create a folder named kyverno on your computer and add two files: nginx.yml, which will be our deployment, and my-policy.yml, which will hold the policy we want to apply. Add the following YAML to each.
This is the code for nginx.yml (notice the image tag is 1.14.2):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2   # pinned tag, so the policy below will accept it
        ports:
        - containerPort: 80
This is the code for my-policy.yml:
# This is the original policy file from the Kyverno docs
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the
      image changes. A best practice is to use an immutable tag that maps to
      a specific version of an application Pod. This policy validates that the image
      specifies a tag and that it is not called `latest`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  # Rule 1: every container image must contain a ':' (i.e. carry a tag)
  - name: require-image-tag
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "An image tag is required."
      pattern:
        spec:
          containers:
          - image: "*:*"
  # Rule 2: the tag must not be 'latest' (leading '!' negates the wildcard match)
  - name: validate-image-tag
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
Now edit the spec section of my-policy.yml, specifically line 16 (validationFailureAction), so that violations are blocked instead of only reported. With audit, Kyverno lets the resource through and records the violation in a policy report; with enforce, it rejects the request at admission time. The extra failurePolicy: Fail line tells the API server to also reject matching requests if the Kyverno webhook itself is unreachable (fail closed). That is the safer choice for a security control, but be aware it means a Kyverno outage blocks deployments until it is back. (Newer Kyverno releases spell these values Audit and Enforce; the lowercase forms shown here are still accepted.)
spec:
  validationFailureAction: enforce
  background: true
  failurePolicy: Fail
We've finished editing. Now let's check whether Kyverno prevents us from deploying nginx:latest, by updating nginx.yml as follows:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest   # mutable tag, which the policy should reject
        ports:
        - containerPort: 80
Now apply my-policy.yml using the following command:
kubectl apply -f my-policy.yml
You will get output similar to:
clusterpolicy.kyverno.io/disallow-latest-tag created
Now apply nginx.yml. Remember, since we've edited it to nginx:latest, it shouldn't get deployed and we should receive an error.
kubectl apply -f nginx.yml
You should receive an error message similar to:
Error from server: error when creating "nginx.yml": admission webhook "validate.kyverno.svc-fail" denied the request:
policy Deployment/default/nginx-deployment for resource violation:
disallow-latest-tag:
autogen-validate-image-tag: 'validation error: Using a mutable image tag e.g. ''latest''
is not allowed. rule autogen-validate-image-tag failed at path /spec/template/spec/containers/0/image/'
Great job! You've successfully created a policy that prevents the use of the :latest tag on images. Two details in that error are worth reading: the webhook name ends in -fail, which reflects the failurePolicy: Fail setting we added, and the rule is reported as autogen-validate-image-tag. Our policy only matches Pods, but Kyverno automatically generates a copy of each Pod rule for pod controllers such as Deployments, which is why the failing path is /spec/template/spec/containers/0/image rather than /spec/containers/0/image.
Now, change the tag in the nginx.yml file to :1.14.2.
image: nginx:1.14.2
Now let's apply nginx.yml again. This time it should get deployed, because the image no longer uses the :latest tag.
kubectl apply -f nginx.yml
Output for this should be:
deployment.apps/nginx-deployment created
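To make the admission decision from the Architecture section and the audit-versus-enforce edit above concrete, here is an added example that is not Kyverno's own code and not part of the original post. The Python script re-implements only the subset of Kyverno pattern matching that the two rules in my-policy.yml rely on (the '*' and '?' wildcards, a leading '!' for negation, and "every element of the containers list must match"), plus the autogen step that applies a Pod rule to a Deployment's pod template, and then runs it over a few constructed Deployment manifests in both Audit and Enforce mode. The RULES table, the POD_SPEC_PATH lookup, the deployment() helper and its manifests are assumptions made for this example. It also surfaces two edge cases a practitioner should know about: an image such as localhost:5000/nginx (registry port, no tag) satisfies the "*:*" pattern because the check is a plain string match, and the policy as written inspects only containers, so an initContainer running nginx:latest is never looked at.

```python
"""Trace how the two rules in my-policy.yml decide on a manifest.

Added example, not Kyverno's own code. It re-implements only the subset of
Kyverno pattern matching the policy relies on ('*' and '?' wildcards, a
leading '!' for negation, "every list element must match") plus the autogen
step that applies a Pod rule to a Deployment's pod template. The manifests
built below are constructed for this example.
"""
import re

# Where the pod spec lives for the kinds handled here (an assumed subset;
# Kyverno's autogen also covers Job, CronJob, ReplicaSet and others).
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
}

# The two rules from my-policy.yml, reduced to the image pattern each checks.
RULES = [
    {"name": "require-image-tag", "pattern": "*:*",
     "message": "An image tag is required."},
    {"name": "validate-image-tag", "pattern": "!*:latest",
     "message": "Using a mutable image tag e.g. 'latest' is not allowed."},
]


def wildcard_match(pattern, value):
    """Kyverno-style string pattern: '*' = any run, '?' = one char, leading '!' negates."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    # Translate the wildcard pattern into a fully anchored regex, escaping everything else.
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    matched = re.fullmatch(regex, value) is not None
    return not matched if negate else matched


def evaluate(resource, action="Enforce", rules=RULES):
    """Return the admission decision this simulation reaches for a resource.

    action mirrors spec.validationFailureAction: Enforce blocks on a violation,
    Audit lets the request through but still records the violation.
    """
    kind = resource["kind"]
    path = POD_SPEC_PATH[kind]
    pod_spec = resource
    for key in path:
        pod_spec = pod_spec[key]
    # Autogen: rules written for Pod are cloned as "autogen-<rule>" for pod controllers.
    prefix = "" if kind == "Pod" else "autogen-"
    base = "/" + "/".join(path)
    violations = []
    for rule in rules:
        name = prefix + rule["name"]
        # The policy's pattern names only `containers`; initContainers are never visited.
        for idx, container in enumerate(pod_spec.get("containers", [])):
            if not wildcard_match(rule["pattern"], container["image"]):
                violations.append(
                    f"{name}: validation error: {rule['message']} "
                    f"rule {name} failed at path {base}/containers/{idx}/image/")
                break  # one report per rule, like the kubectl error shown above
    allowed = not violations or action.lower() == "audit"
    return {"allowed": allowed, "violations": violations}


def deployment(image, init_image=None):
    """Constructed Deployment manifest shaped like nginx.yml (assumption for this example)."""
    spec = {"containers": [{"name": "nginx", "image": image, "ports": [{"containerPort": 80}]}]}
    if init_image:
        spec["initContainers"] = [{"name": "init", "image": init_image}]
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx-deployment"},
            "spec": {"replicas": 1, "template": {"spec": spec}}}


if __name__ == "__main__":
    cases = {
        "pinned tag": deployment("nginx:1.14.2"),
        "latest tag": deployment("nginx:latest"),
        "no tag at all": deployment("nginx"),
        "registry port, no tag": deployment("localhost:5000/nginx"),
        "latest in initContainer": deployment("nginx:1.14.2", init_image="nginx:latest"),
    }
    for label, manifest in cases.items():
        for action in ("Enforce", "Audit"):
            decision = evaluate(manifest, action)
            print(f"{label:24} {action:7} allowed={decision['allowed']} {decision['violations']}")
```

Run it with python3 and compare the Enforce line for "latest tag" with the kubectl error above; the message and path are built the same way. The two cases that come back allowed with no violations ("registry port, no tag" and "latest in initContainer") are the ones to treat as a prompt to harden the policy, for example by matching initContainers as well, before relying on it in production.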
References 📖
The images above are not created by me; they are taken from the internet. Credit for these images goes to their respective creators😊.
Thank you so much for reading🧡
Like | Follow
Catch me on my socials here: https://x.com/harshalstwt




