# Kyverno — Policy as Code for Kubernetes

> Kyverno is a policy engine for Kubernetes that uses native YAML instead of a new language. Validate, mutate, and generate resources with policies written as Kubernetes resources.

## Quick Use

```bash
# Install via Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace

# Apply a policy
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require-labels/require-labels.yaml
```

## Intro

**Kyverno** is a policy engine designed for Kubernetes that uses native Kubernetes YAML instead of requiring a new language (like Rego in OPA). It validates, mutates, generates, and cleans up Kubernetes resources based on declarative policies — providing a simpler, Kubernetes-native way to enforce security, compliance, and operational best practices.

With 7.6K+ GitHub stars and an Apache-2.0 license, Kyverno is a CNCF incubating project and has become a popular alternative to Open Policy Agent (OPA) Gatekeeper for teams that want policy enforcement without learning Rego.
## What Kyverno Does

- **Validate**: Accept or reject resources based on rules (e.g., require specific labels)
- **Mutate**: Automatically modify resources on creation (e.g., add default labels)
- **Generate**: Create new resources in response to events (e.g., copy ConfigMaps to new namespaces)
- **Clean Up**: Automatically delete resources matching criteria
- **Image Verification**: Verify container image signatures and attestations
- **Policy Reports**: Kubernetes-native reporting of policy violations
- **Admission Control**: Enforce policies at create/update time
- **Background Scanning**: Audit existing resources against policies
- **Policy Exceptions**: Allow specific resources to bypass policies with approval

## Architecture

```
┌─────────────────────────────────────────────┐
│            Kubernetes API Server            │
│                     │                       │
│                     ▼ (Admission Webhook)   │
│  ┌──────────────────────────────────┐       │
│  │       Kyverno Controllers        │       │
│  │ ┌────────────┐ ┌──────────────┐  │       │
│  │ │ Admission  │ │  Background  │  │       │
│  │ │ Controller │ │   Scanner    │  │       │
│  │ └────────────┘ └──────────────┘  │       │
│  │ ┌────────────┐ ┌──────────────┐  │       │
│  │ │  Reports   │ │   Cleanup    │  │       │
│  │ │ Controller │ │  Controller  │  │       │
│  │ └────────────┘ └──────────────┘  │       │
│  └──────────────────────────────────┘       │
│                     │                       │
│  ┌──────────────┐   ┌──────────────────┐    │
│  │   Policies   │   │  Policy Reports  │    │
│  │    (CRDs)    │   │      (CRDs)      │    │
│  └──────────────┘   └──────────────────┘    │
└─────────────────────────────────────────────┘
```

## Installation

```bash
# Helm (recommended)
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace

# Install policy library
helm install kyverno-policies kyverno/kyverno-policies --namespace kyverno --set podSecurityStandard=baseline
```

## Policy Examples

### Validate: Require Labels

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
                - Deployment
                - StatefulSet
      validate:
        message: "The label `team` is required."
        pattern:
          metadata:
            labels:
              team: "?*"
```

Now any Pod, Deployment, or StatefulSet without a non-empty `team` label is rejected at admission. Because `background: true`, existing resources are also audited and violations show up in policy reports.

### Validate: Pod Security

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed"
        pattern:
          spec:
            containers:
              # =(...) is a conditional anchor: the nested check only runs
              # when the key is present, so containers with no securityContext
              # (and therefore no privileged flag) pass.
              - =(securityContext):
                  =(privileged): "false"
```

### Mutate: Add Default Labels

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
  rules:
    - name: add-environment-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              environment: "{{request.namespace}}"
              created-by: "kyverno"
```

Every Deployment automatically gets `environment` and `created-by` labels. As written, the patch overwrites those labels if the Deployment already carries them; use the `+(environment)` add-if-not-present anchor when existing values should be kept.

### Generate: Default Network Policy

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
```

Every new namespace automatically gets a default-deny NetworkPolicy.

### Image Verification

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ... cosign public key ...
                      -----END PUBLIC KEY-----
```

Pods that use an image under `ghcr.io/myorg/` are admitted only if the image carries a valid Cosign signature from the listed key. Images outside that reference pattern are not checked by this rule, so pair it with a policy that restricts which registries may be used.
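The validate policies above all rely on Kyverno's pattern semantics: `?*` means "any non-empty string", `=(key)` is a conditional anchor that is only checked when the key exists, and a list in the pattern applies to every element of the resource list. The following Python script is an added example (not Kyverno's code) that re-implements that subset offline so you can see exactly which manifests `require-labels`, `disallow-privileged`, and the `require-resource-limits` policy from the next section would accept or reject, and it emits results in the shape of a PolicyReport. The policies are transcribed as dicts and the sample manifests are constructed for this example.

```python
"""Offline evaluator for Kyverno-style `validate.pattern` rules.

Added example, not Kyverno's code. Implements the pattern subset used by the
policies on this page: wildcard strings (`?*`), the conditional anchor
`=(key)`, and list patterns that must hold for every list element.
"""
import fnmatch
import re
from typing import Any

ANCHOR_RE = re.compile(r"^=\((.+)\)$")  # conditional anchor: =(key)


def _scalar(value: Any) -> str:
    """Render a scalar the way a quoted YAML pattern would see it."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return "" if value is None else str(value)


def match_pattern(pattern: Any, value: Any) -> bool:
    """Return True when `value` satisfies `pattern` (Kyverno validate semantics)."""
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False
        for key, sub in pattern.items():
            anchor = ANCHOR_RE.match(key)
            if anchor:
                key = anchor.group(1)
                if key not in value:      # =(key): skip the check when absent
                    continue
            elif key not in value:        # plain key: must be present
                return False
            if not match_pattern(sub, value[key]):
                return False
        return True
    if isinstance(pattern, list):
        if not isinstance(value, list):
            return False
        # every pattern element must hold for every element of the resource list
        return all(match_pattern(p, v) for p in pattern for v in value)
    return fnmatch.fnmatchcase(_scalar(value), str(pattern))


# The three validate policies from this page, transcribed as dicts.
POLICIES = [
    {"name": "require-labels", "rule": "check-team-label",
     "kinds": {"Pod", "Deployment", "StatefulSet"},
     "message": "The label `team` is required.",
     "pattern": {"metadata": {"labels": {"team": "?*"}}}},
    {"name": "disallow-privileged", "rule": "privileged-containers",
     "kinds": {"Pod"},
     "message": "Privileged containers are not allowed",
     "pattern": {"spec": {"containers": [
         {"=(securityContext)": {"=(privileged)": "false"}}]}}},
    {"name": "require-resource-limits", "rule": "validate-resources",
     "kinds": {"Pod"},
     "message": "CPU and memory resource requests and limits are required",
     "pattern": {"spec": {"containers": [{"resources": {
         "requests": {"memory": "?*", "cpu": "?*"},
         "limits": {"memory": "?*", "cpu": "?*"}}}]}}},
]


def evaluate(resource: dict, policies=POLICIES) -> list:
    """Run every policy against one resource; entries mirror PolicyReport results."""
    kind = resource["kind"]
    ns = resource["metadata"].get("namespace", "default")
    ref = f"{kind}/{ns}/{resource['metadata']['name']}"
    results = []
    for pol in policies:
        if kind not in pol["kinds"]:
            status = "skip"
        elif match_pattern(pol["pattern"], resource):
            status = "pass"
        else:
            status = "fail"
        results.append({"policy": pol["name"], "rule": pol["rule"],
                        "resource": ref, "result": status,
                        "message": pol["message"] if status == "fail" else ""})
    return results


def summarize(results: list) -> dict:
    """Pass/Fail/Warn/Error/Skip counts like the Summary block of a PolicyReport."""
    summary = {"pass": 0, "fail": 0, "warn": 0, "error": 0, "skip": 0}
    for r in results:
        summary[r["result"]] += 1
    return summary


def _pod(name: str, labels: dict, containers: list) -> dict:
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "default", "labels": labels},
            "spec": {"containers": containers}}


FULL_RESOURCES = {"requests": {"memory": "64Mi", "cpu": "100m"},
                  "limits": {"memory": "128Mi", "cpu": "250m"}}

# Constructed manifests for this example, not taken from any real cluster.
SAMPLE_RESOURCES = [
    _pod("good", {"team": "platform"},
         [{"name": "app", "image": "nginx", "resources": FULL_RESOURCES,
           "securityContext": {"privileged": False}}]),
    # no securityContext at all: the =(securityContext) anchor skips the check
    _pod("no-securitycontext", {"team": "platform"},
         [{"name": "app", "image": "nginx", "resources": FULL_RESOURCES}]),
    _pod("bad", {"app": "x"},
         [{"name": "app", "image": "nginx",
           "resources": {"requests": {"memory": "64Mi", "cpu": "100m"}},
           "securityContext": {"privileged": True}}]),
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "default", "labels": {}},
     "spec": {"replicas": 1}},
]

if __name__ == "__main__":
    for res in SAMPLE_RESOURCES:
        for r in evaluate(res):
            print(f"{r['result']:<5} {r['policy']:<24} {r['resource']}  {r['message']}")
    print(summarize([r for res in SAMPLE_RESOURCES for r in evaluate(res)]))
```

Running it shows the `no-securitycontext` Pod passing `disallow-privileged` (the conditional anchor never fires), the `bad` Pod failing all three rules, and the Deployment being skipped by the two Pod-only policies while still failing `require-labels`. Use the real Kyverno CLI (`kyverno apply` / `kyverno test`) for authoritative results before rolling a policy out with `Enforce`.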
### Enforce Resource Limits

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-resources
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "CPU and memory resource requests and limits are required"
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    memory: "?*"
                    cpu: "?*"
                  limits:
                    memory: "?*"
                    cpu: "?*"
```

### Cleanup Policy

```yaml
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
  name: cleanup-old-jobs
spec:
  match:
    any:
      - resources:
          kinds:
            - Job
  conditions:
    all:
      # time_since('', start, '') returns the duration from start until now
      - key: "{{ time_since('', '{{ target.status.completionTime }}', '') }}"
        operator: GreaterThan
        value: "168h"
  schedule: "0 * * * *" # Every hour
```

Completed Jobs older than 7 days are deleted on each hourly run. Jobs that have not finished have no `status.completionTime`, so the condition does not evaluate to true for them and they are left alone.

## Policy Reports

```bash
# View policy violations
kubectl get policyreport -A

# Detailed report
kubectl describe policyreport -n <namespace>

# Example output:
# Summary:
#   Pass:  45
#   Fail:  3
#   Warn:  0
#   Error: 0
#   Skip:  0
# Results:
#   - Rule: require-labels
#     Status: Fail
#     Resource: Deployment/default/nginx
#     Message: The label `team` is required
```

## Kyverno vs OPA Gatekeeper

| Feature | Kyverno | OPA Gatekeeper |
|---------|---------|----------------|
| Policy language | Kubernetes YAML | Rego |
| Learning curve | Low (YAML-native) | High (new language) |
| Validate | Yes | Yes |
| Mutate | Yes | Yes |
| Generate | Yes | Limited (via sync) |
| Image verification | Built-in | No (separate tool) |
| Cleanup policies | Yes | No |
| Policy exceptions | Native CRD | Via labels |
| Community | Growing | Large |
| CNCF | Incubating | Graduated |

## FAQ

**Q: How do I choose between Kyverno and OPA Gatekeeper?**

A: If your team does not want to learn the Rego language, choose Kyverno (pure YAML). If you need very complex policy logic or already have an investment in OPA, choose Gatekeeper. Kyverno's generate and image-verification features are stronger; Gatekeeper's ecosystem is more mature.

**Q: Do policies affect cluster performance?**

A: Kyverno runs as an admission webhook on every resource create/update. For large clusters (hundreds of API requests per second), configure the replica count and resources appropriately. Evaluate the impact in a test environment first.

**Q: Can it be used outside Kubernetes?**

A: Kyverno 1.11+ introduced "Kyverno Applications" and a JSON validation mode that can validate Helm charts, Terraform plans, and similar inputs. The core use case is still Kubernetes resource policies.

## Sources and Acknowledgements

- GitHub: [kyverno/kyverno](https://github.com/kyverno/kyverno) — 7.6K+ ⭐ | Apache-2.0
- Website: [kyverno.io](https://kyverno.io)

---

Source: https://tokrepo.com/en/workflows/e6f1ef60-3558-11f1-9bc6-00163e2b0d79
Author: AI Open Source