With PSP
being deprecated in 1.21
and fully removed in 1.25
(See the github conversation here) its time to start looking around at other options. At present that really sits with OPA which means learning a new code/syntax which doesn’t seem to friendly to me, or Kyverno which uses a native kubernetes
manifests to let you deal with your policy management. For me, as we don’t have to many policies at the moment, kyverno
fits our needs better. below is basic syntax and usage examples.
Install
You can install via manifest
or HELM
, we use kustomize
so download the install.yml
file and use that as a base then overlay our ecr
images
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
Basic overlay example
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../base
images:
- name: ghcr.io/kyverno/kyverno
newName: dkr.ecr.eu-west-2.amazonaws.com/kyverno
newTag: v1.3.2-rc1
- name: ghcr.io/kyverno/kyvernopre
newName: dkr.ecr.eu-west-2.amazonaws.com/kyvernopre
newTag: v1.3.2-rc1
Reading Policies
Policies are split between namespace
and cluster
Namespace
kubectl get policyreport -A
Cluster
kubectl get clusterpolicyreport -A
View Violations
kubectl describe polr -A | grep -i "status: \+fail" -B10
or specific to namespace
kubectl describe polr polr-ns-default | grep "Status: \+fail" -B10
Delete all policies
Example policy to audit the use of the label app: "?*"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: audit-app-label
spec:
validationFailureAction: audit
rules:
- name: check-for-app-labels
match:
resources:
kinds:
- Pod
validate:
message: "The label `app` is required."
pattern:
metadata:
labels:
app: "?*"