HackTricks Cloud
Kubernetes Kyverno
Reading time: 1 minute
The original author of this page is Guillaume
Definition
Kyverno is an open-source, policy management framework for Kubernetes that enables organizations to define, enforce, and audit policies across their entire Kubernetes infrastructure. It provides a scalable, extensible, and highly customizable solution for managing the security, compliance, and governance of Kubernetes clusters.
Use cases
Kyverno can be used in a variety of use cases, including:
- Network Policy Enforcement: Kyverno can be used to enforce network policies, such as allowing or blocking traffic between pods or services.
- Secret Management: Kyverno can be used to enforce secret management policies, such as requiring secrets to be stored in a specific format or location.
- Access Control: Kyverno can be used to enforce access control policies, such as requiring users to have specific roles or permissions to access certain resources.
Example: ClusterPolicy and Policy
Let's say we have a Kubernetes cluster with multiple namespaces, and we want to enforce a policy that requires all pods in the default namespace to have a specific label.
ClusterPolicy
A ClusterPolicy is a high-level policy that defines the overall policy intent. In this case, our ClusterPolicy might look like this:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-label
spec:
rules:
- validate:
message: "Pods in the default namespace must have the label 'app: myapp'"
match:
any:
- resources:
kinds:
- Pod
namespaceSelector:
matchLabels:
namespace: default
- any:
- resources:
kinds:
- Pod
namespaceSelector:
matchLabels:
namespace: default
validationFailureAction: enforce
When a pod is created in the default namespace without the label app: myapp, Kyverno will block the request and return an error message indicating that the pod does not meet the policy requirements.