Policy As Code on Kubernetes With Kyverno
Enforce Kubernetes best practices for your organisation with CRDs
Kubernetes has revolutionised the cloud-native ecosystem by allowing people to run distributed applications at scale. Though Kubernetes is a feature-rich and robust container orchestration platform, it comes with its own set of complexities. Managing Kubernetes at scale with multiple teams working on it is not easy, and ensuring that people do the right thing and stay within their boundaries is difficult.
Kyverno is just the right tool for this. It is an open source, Kubernetes-native policy engine that lets you define policies as simple Kubernetes manifests. It can validate, mutate, and generate Kubernetes resources, so it allows organisations to define and enforce policies that hold developers and administrators to a defined standard.
How Does Kyverno Work?
Kyverno works as a dynamic admission controller: it registers a webhook with the Kubernetes API server, so every request you send to the API server (for example via kubectl) is checked against the installed policies before the resource is persisted. If the request matches a policy, Kyverno applies it; a request that violates a validation rule is rejected with the message defined in the policy.
This allows Kyverno to provide features such as:
- Checking for CPU and memory limits.
- Ensuring that users don’t change default network policies.
- Checking if the resource name matches a particular pattern.
- Ensuring that specific resources always contain a specific label.
- Denying deletes and changes for particular resources.
- Automatically changing `imagePullPolicy` to `Always` if the image tag is `latest`.
- Generating a default network policy for every new namespace.
Kyverno policies are Kubernetes custom resources defined through custom resource definitions (CRDs), so writing a policy means writing a manifest and applying it with kubectl, like any other resource.
There are three main functions provided by Kyverno:
- Validation
- Mutation
- Generation
Let’s have a look at some example manifests for each.
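As an added example (not the article's own manifests), here is a validation ClusterPolicy that rejects Pods whose containers lack CPU and memory requests and limits, followed by a mutation policy that sets `imagePullPolicy` to `Always` for images tagged `latest`; the policy and rule names are arbitrary.

```yaml
# Added example, not the article's own manifests; policy names are arbitrary.
# Validation policy: reject Pods whose containers lack CPU/memory requests and limits.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
spec:
  validationFailureAction: Enforce
  rules:
  - name: validate-resources
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "CPU and memory requests and limits are required for every container."
      pattern:
        spec:
          containers:
          # "?*" means the field must be present and non-empty
          - resources:
              requests:
                cpu: "?*"
                memory: "?*"
              limits:
                cpu: "?*"
                memory: "?*"
---
# Mutation policy: force imagePullPolicy to Always when the image tag is latest.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-image-pull-policy-latest
spec:
  rules:
  - name: set-always-for-latest
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # (image) is a conditional anchor: patch only containers whose image matches
          - (image): "*:latest"
            imagePullPolicy: Always
```

Start with `validationFailureAction: Audit`, which records violations in policy reports without blocking requests, and switch to `Enforce` once the cluster is clean; the Kyverno CLI can also dry-run a policy against a manifest offline with `kyverno apply policy.yaml --resource pod.yaml`.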