Before we get to the samples, let’s take a look at installing Kyverno on your cluster.
Installing Kyverno:
- Add Kyverno to your Kubernetes cluster:
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
- Verify installation:
kubectl get pods -n kyverno
Kyverno Samples
First, let’s take a look at a sample policy that enforces the “app” label on all pods. Note that the value of the label can be anything (hence the ?*
). This is an example of a validation policy.
Enforce Labels:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
spec:
validationFailureAction: enforce
rules:
- name: check-app-label
match:
resources:
kinds:
- Pod
validate:
message: "Pods must have the 'app' label."
pattern:
metadata:
labels:
app: "?*"
Next is a policy that adds a default resource limit to all pods. This is an example of a mutation policy.
Add Default Resource Limits:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: default-resource-limits
spec:
rules:
- name: set-default-limits
match:
resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
containers:
- name: "*"
resources:
limits:
memory: "512Mi"
cpu: "1"
Finally we have a policy that creates a ConfigMap when a new namespace is created in the cluster. This is an example of generation policy.
Generate ConfigMap:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-configmap
spec:
rules:
- name: create-configmap
match:
resources:
kinds:
- Namespace
generate:
kind: ConfigMap
name: default-config
namespace: ""
data:
config: default
Conclusion
This brings us to the end of the section on Kyverno. Kyverno empowers Kubernetes users to enforce best practices, security standards, and operational consistency in a seamless and Kubernetes-native manner. Its simplicity and powerful capabilities make it an excellent choice for policy management in Kubernetes environments. To learn more extensively about Kyverno, check out the official docs.