What Kyverno Does
- Validate: Accept or reject resources based on rules (e.g., require specific labels)
- Mutate: Automatically modify resources on creation (e.g., add default labels)
- Generate: Create new resources in response to events (e.g., copy ConfigMaps to new namespaces)
- Clean Up: Automatically delete resources matching criteria
- Image Verification: Verify container image signatures and attestations
- Policy Reports: Kubernetes-native reporting of policy violations
- Admission Control: Enforce policies at create/update time
- Background Scanning: Audit existing resources against policies
- Policy Exceptions: Allow specific resources to bypass policies with approval
Architecture

```
┌─────────────────────────────────────────────┐
│            Kubernetes API Server            │
│                      │                      │
│                      ▼ (Admission Webhook)  │
│  ┌──────────────────────────────────┐       │
│  │       Kyverno Controllers        │       │
│  │  ┌────────────┐ ┌──────────────┐ │       │
│  │  │ Admission  │ │  Background  │ │       │
│  │  │ Controller │ │   Scanner    │ │       │
│  │  └────────────┘ └──────────────┘ │       │
│  │  ┌────────────┐ ┌──────────────┐ │       │
│  │  │  Reports   │ │   Cleanup    │ │       │
│  │  │ Controller │ │  Controller  │ │       │
│  │  └────────────┘ └──────────────┘ │       │
│  └──────────────────────────────────┘       │
│                                             │
│  ┌──────────────┐ ┌──────────────────┐      │
│  │   Policies   │ │  Policy Reports  │      │
│  │    (CRDs)    │ │      (CRDs)      │      │
│  └──────────────┘ └──────────────────┘      │
└─────────────────────────────────────────────┘
```

Installation
```bash
# Helm (recommended)
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno \
  --namespace kyverno --create-namespace

# Install policy library
helm install kyverno-policies kyverno/kyverno-policies \
  --namespace kyverno \
  --set podSecurityStandard=baseline
```

Policy Examples
Validate: Require Labels
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
                - Deployment
                - StatefulSet
      validate:
        message: "The label `team` is required."
        pattern:
          metadata:
            labels:
              team: "?*"
```

Any Pod, Deployment or StatefulSet created without a non-empty `team` label is now rejected; because `background: true` is set, existing resources are also audited and the violations show up in policy reports.
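To make the pattern semantics concrete, here is an added Python illustration (not Kyverno's own code) of how a `validate.pattern` is applied: the `?*` wildcard used by this rule, and the `=()` anchor used by the disallow-privileged rule in the next section. The evaluator, the literal patterns and the sample Pod manifests are all constructed for this example; real Kyverno has more pattern features than this subset.

```python
import fnmatch

def match_scalar(pattern, value):
    # Scalars compare as strings. Kyverno wildcards: '*' = any run of characters,
    # '?' = exactly one, so "?*" means "present and non-empty". Booleans are
    # lowercased so the page's "false" matches a YAML boolean false.
    if isinstance(value, bool):
        value = str(value).lower()
    return fnmatch.fnmatchcase(str(value), str(pattern))

def match_pattern(pattern, resource):
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            optional = key.startswith("=(") and key.endswith(")")
            name = key[2:-1] if optional else key
            if name not in resource:
                if optional:
                    continue  # =(key) anchor: checked only when the field exists
                return False  # plain key: the field is required
            if not match_pattern(sub, resource[name]):
                return False
        return True
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return False
        if len(pattern) == 1:  # one pattern element applies to every list item
            return all(match_pattern(pattern[0], item) for item in resource)
        return len(pattern) == len(resource) and all(
            match_pattern(p, r) for p, r in zip(pattern, resource))
    return match_scalar(pattern, resource)

# The two validate patterns from this page, as Python literals
REQUIRE_TEAM = {"metadata": {"labels": {"team": "?*"}}}
DISALLOW_PRIVILEGED = {"spec": {"containers": [
    {"=(securityContext)": {"=(privileged)": "false"}}]}}

def pod(labels=None, security_context=None):
    # Constructed sample Pod (hypothetical names, not a real workload)
    container = {"name": "app", "image": "example.invalid/app:1"}
    if security_context is not None:
        container["securityContext"] = security_context
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo", "labels": labels or {}},
            "spec": {"containers": [container]}}

def validate(pattern, resource):
    """True means admitted; False means the validate rule would reject it."""
    return match_pattern(pattern, resource)
```

With these inputs a Pod whose `team` label is the empty string fails `REQUIRE_TEAM`, while a Pod with no `securityContext` at all passes `DISALLOW_PRIVILEGED` and only `privileged: true` is rejected.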
Validate: Pod Security
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed"
        pattern:
          spec:
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

The `=()` anchors make the check conditional: a container that omits `securityContext` (or omits `privileged`) is accepted, and one that sets `privileged: true` is rejected. As written the pattern inspects only `containers`, not `initContainers`.

Mutate: Add Default Labels
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
  rules:
    - name: add-environment-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              environment: "{{request.namespace}}"
              created-by: "kyverno"
```

Every Deployment automatically gets `environment` and `created-by` labels. Note that this patch overwrites an `environment` label the Deployment already carries; to set it only when missing, use Kyverno's add-if-not-present anchor, `+(environment)`.
Generate: Default Network Policy
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
```

Every new namespace automatically gets a default-deny NetworkPolicy. The object is only created; enforcing it still depends on a CNI plugin that implements NetworkPolicy.
Image Verification
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ... cosign public key ...
                      -----END PUBLIC KEY-----
```

Pods that reference images under `ghcr.io/myorg/` are admitted only if the image carries a Cosign signature that verifies against the given public key. Images outside that `imageReferences` pattern are not checked by this rule, so widen the pattern (or add rules) to cover every registry you use.
Enforce Resource Limits
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-resources
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "CPU and memory resource requests and limits are required"
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    memory: "?*"
                    cpu: "?*"
                  limits:
                    memory: "?*"
                    cpu: "?*"
```

Cleanup Policy
```yaml
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
  name: cleanup-old-jobs
spec:
  match:
    any:
      - resources:
          kinds:
            - Job
  conditions:
    all:
      - key: "{{ target.status.completionTime }}"
        operator: LessThan
        value: "{{ time_subtract('@now', '168h') }}"
  schedule: "0 * * * *"  # Every hour
```

Automatically delete completed Jobs older than 7 days.
Policy Reports
```bash
# View policy violations
kubectl get policyreport -A

# Detailed report
kubectl describe policyreport <name> -n <namespace>

# Example output:
# Summary:
#   Pass: 45
#   Fail: 3
#   Warn: 0
#   Error: 0
#   Skip: 0
# Results:
#   - Rule: require-labels
#     Status: Fail
#     Resource: Deployment/default/nginx
#     Message: The label `team` is required
```

Kyverno vs OPA Gatekeeper
| Feature | Kyverno | OPA Gatekeeper |
|---|---|---|
| Policy language | Kubernetes YAML | Rego |
| Learning curve | Low (YAML-native) | High (new language) |
| Validate | Yes | Yes |
| Mutate | Yes | Yes |
| Generate | Yes | Limited (via sync) |
| Image verification | Built-in | No (separate tool) |
| Cleanup policies | Yes | No |
| Policy exceptions | Native CRD | Via labels |
| Community | Growing | Large |
| CNCF | Incubating | Graduated |
FAQ
Q: How do I choose between Kyverno and OPA Gatekeeper? A: If your team does not want to learn the Rego language, choose Kyverno (pure YAML). If you need very complex policy logic or already have an investment in OPA, choose Gatekeeper. Kyverno's generate and image verification features are stronger; Gatekeeper's ecosystem is more mature.
Q: Do policies affect cluster performance? A: Kyverno runs as an admission webhook and executes on every resource create/update. For large clusters (hundreds of API requests per second), the replica count and resource allocation need to be sized appropriately. Evaluate the impact in a test environment first.
Q: Can it be used outside Kubernetes? A: Kyverno 1.11+ introduced "Kyverno Applications" and a JSON validation mode that can be used to validate Helm charts, Terraform plans and similar inputs. Its core use is still policy for Kubernetes resources.
Sources and acknowledgements
- GitHub: kyverno/kyverno — 7.6K+ ⭐ | Apache-2.0
- Website: kyverno.io