Generate polices ! Make Kubernetes life hassle free with Kyverno
Briefly, Kyverno is a policy engine built for Kubernetes. It runs as an admission controller that can mutate and validate incoming resources. Also, Kyverno can generate any type of resource-based on various triggers from an admission request.
Kyverno generates resources based on a given set of conditions or triggers (read more about match/exclude). Kyverno generate a policy that support two types of rules.
Here is an example of a generated policy
- Copy a resource from one namespace to another namespace. It's similar to copy command in a shell. The user has to define the
cloneblock for providing the source resource path. In the below example source is
config-templateconfigmap in the default namespace
- Generate a resource from inline data. In this type of generating policy users can define a defined data block directly in the policy.
Both examples above will trigger when a new namespace is created then Kyverno will automatically generate the configmaps in the newly created namespace.
Now let's discuss the behavior of the field
synchronize: true. If you enable synchronization that means that Kyverno will manage your generated resources and administrators can only update/delete a resource from the policy. All direct actions on generated resources will be blocked by the kyverno. And in case of clone rule, the cluster-admin can update/delete generated resources from the source resources.
Let's try one more example. This time we will try to generate RBAC from generate policy. By default Kyverno service account doesn't have that permission, Admin has to manually provide access to Kyverno service account. Please read more about Kyverno role
Add admin privilege to Kyverno for creating the role
Now we are ready for generating role and cluster role. let's take an example policy for generating role
Follow the steps to generate roles
Some use cases for the generate policy are:
- Create default Network policies for each namespace
- Create default resource quotas for each namespace
- For more example please check best practices
Check out the Kyverno GitHub page to learn more about the generate policy and several other features, like validating and deny rule. Find more about kyverno in the previous post Kubernetes Policy Management with Kyverno..