Before we get to the samples, let’s take a look at installing Kyverno on your cluster.

Installing Kyverno:

  1. Add Kyverno to your Kubernetes cluster:
    kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
    
  2. Verify installation:
    kubectl get pods -n kyverno
    

Kyverno Samples

First, let’s take a look at a sample policy that enforces the “app” label on all pods. Note that the value of the label can be anything (hence the ?*). This is an example of a validation policy.

Enforce Labels:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-app-label
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Pods must have the 'app' label."
        pattern:
          metadata:
            labels:
              app: "?*"

Next is a policy that adds a default resource limit to all pods. This is an example of a mutation policy.

Add Default Resource Limits:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-resource-limits
spec:
  rules:
    - name: set-default-limits
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - name: "*"
                resources:
                  limits:
                    memory: "512Mi"
                    cpu: "1"

Finally we have a policy that creates a ConfigMap when a new namespace is created in the cluster. This is an example of generation policy.

Generate ConfigMap:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-configmap
spec:
  rules:
    - name: create-configmap
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: ConfigMap
        name: default-config
        namespace: ""
        data:
          config: default

Conclusion

This brings us to the end of the section on Kyverno. Kyverno empowers Kubernetes users to enforce best practices, security standards, and operational consistency in a seamless and Kubernetes-native manner. Its simplicity and powerful capabilities make it an excellent choice for policy management in Kubernetes environments. To learn more extensively about Kyverno, check out the official docs.