Tags: kubernetes, kyverno
Briefly, Kyverno is a policy engine built for Kubernetes. It runs as an admission controller that can mutate and validate incoming resources. Kyverno can also generate any type of resource, based on various triggers taken from an admission request.
Kyverno generates resources based on a given set of conditions or triggers (read more about match/exclude). A generate rule supports two ways of describing the resource to create: a `data` block, where the resource body is written inline in the policy, or a `clone` block, which provides the path of the source resource to copy.

Here is an example of a generate policy. It uses a `clone` block; the source is the config-template ConfigMap in the default namespace:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: basic-policy
spec:
  rules:
    - name: "Generate ConfigMap"
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: ConfigMap        # Kind of resource
        name: default-config   # Name of the new resource
        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        synchronize: true
        clone:
          namespace: default
          name: config-template
```
The second example builds the ConfigMap from an inline `data` block instead:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: basic-policy   # same name as the clone example above: to run both on one cluster, give them distinct names or put both rules in a single policy
spec:
  rules:
    - name: "Generate Configmap"
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: ConfigMap
        name: config-app
        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        data:
          data:
            USERNAME: evalsocket=
            DATABASE: blog
          metadata:
            labels:
              purpose: config
```
Both examples above trigger when a new namespace is created; Kyverno then automatically generates the ConfigMaps in the newly created namespace.
```shell
# Create a ConfigMap in the default namespace (the clone rule needs it as its source)
$ kubectl create configmap config-template -n default --from-literal=special.how=very
configmap/config-template created
$ kubectl apply -f namespace-configmap.yaml
clusterpolicy.kyverno.io/basic-policy created
# Trigger the policy by creating a namespace
$ kubectl create namespace kyverno-example
namespace/kyverno-example created
# Verify the resources
$ kubectl get configmap -n kyverno-example
NAME             DATA   AGE
config-app       2      5s
default-config   1      6s
# We did it
```
Now let's discuss the behaviour of the field `synchronize: true`. If you enable synchronization, Kyverno manages the generated resources: administrators can only update or delete them by editing the policy, and all direct actions on generated resources are blocked by Kyverno's admission webhook. For a clone rule, the cluster admin can still change the generated resources by updating or deleting the source resource, which Kyverno propagates to the clones.
```shell
# Try to delete the ConfigMap generated from the default namespace. The request should be
# blocked, because the generated ConfigMap has synchronize: true
$ kubectl delete configmap default-config -n kyverno-example
Error from server: admission webhook "nirmata.kyverno.resource.validating-webhook" denied the request: Resource is managed by a Kyverno policy and cannot be update manually. You can edit the generate policy to update this resource.

# Now try to delete the generated ConfigMap whose rule has no synchronize field
# (synchronize defaults to false)
$ kubectl delete configmap config-app -n kyverno-example
configmap "config-app" deleted

# Update the source ConfigMap in the default namespace to see synchronization. Set special.how=why
$ kubectl edit configmap config-template -n default
configmap/config-template edited
# Wait 5-6 seconds and check
$ kubectl get configmap default-config -n kyverno-example -oyaml
apiVersion: v1
data:
  special.how: why
kind: ConfigMap
metadata:
  creationTimestamp: "2020-07-28T00:13:58Z"
  labels:
    app.kubernetes.io/managed-by: kyverno
    app.kubernetes.io/synchronize: enable
    kyverno.io/generated-by: Namespace--kyverno-example
  name: default-config
  namespace: kyverno-example
  resourceVersion: "1682"
  selfLink: /api/v1/namespaces/kyverno-example/configmaps/default-config
  uid: b683b4c1-c498-4c25-b018-aa0c63cbcf7f
```
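To make the three behaviours shown above concrete (generation from a `clone` or `data` block, the webhook denying direct changes to a synchronized resource, and a source edit propagating to the clone), here is a small in-memory model of them. It is an added illustration written for this post, not Kyverno's own code: policies and resources are Python dicts shaped like the YAML above, the "cluster" is a dict keyed by kind, namespace and name, and the label names and denial message are the ones that appear in the kubectl output.

```python
"""Toy model of Kyverno's generate and synchronize behaviour (added illustration, not
Kyverno's code). Policies and resources are dicts shaped like the YAML on this page;
the "cluster" is an in-memory dict keyed by (kind, namespace, name)."""
import copy
import re

MANAGED_BY = "app.kubernetes.io/managed-by"      # labels seen in the kubectl output above
SYNC = "app.kubernetes.io/synchronize"
GENERATED_BY = "kyverno.io/generated-by"
DENY_MSG = ("Resource is managed by a Kyverno policy and cannot be update manually. "
            "You can edit the generate policy to update this resource.")

class Cluster:
    """Minimal object store standing in for the API server."""
    def __init__(self):
        self.objects = {}
    def put(self, obj):
        meta = obj["metadata"]
        self.objects[(obj["kind"], meta.get("namespace"), meta["name"])] = obj
    def get(self, kind, namespace, name):
        return self.objects.get((kind, namespace, name))

def substitute(template, request_obj):
    """Resolve {{request.object.<path>}} variables, the only form used on the page."""
    def lookup(match):
        cur = request_obj
        for part in match.group(1).split("."):
            cur = cur[part]
        return str(cur)
    return re.sub(r"\{\{\s*request\.object\.([\w.]+)\s*\}\}", lookup, template)

def generate(cluster, policy, trigger):
    """Run each generate rule whose match kinds include the trigger; return created objects."""
    created = []
    for rule in policy["spec"]["rules"]:
        if trigger["kind"] not in rule["match"]["resources"]["kinds"]:
            continue
        gen = rule["generate"]
        if "clone" in gen:  # clone rule: copy the source resource's data
            src = cluster.get(gen["kind"], gen["clone"]["namespace"], gen["clone"]["name"])
            if src is None:
                raise LookupError(f"clone source {gen['clone']} not found")
            body = {"data": copy.deepcopy(src.get("data", {}))}
        else:               # data rule: body is written inline in the policy
            body = copy.deepcopy(gen["data"])
        obj = {"kind": gen["kind"], **body}
        meta = obj.setdefault("metadata", {})
        meta["name"], meta["namespace"] = gen["name"], substitute(gen["namespace"], trigger)
        labels = meta.setdefault("labels", {})
        labels[MANAGED_BY] = "kyverno"
        labels[SYNC] = "enable" if gen.get("synchronize") else "disable"
        labels[GENERATED_BY] = f"{trigger['kind']}--{trigger['metadata']['name']}"
        cluster.put(obj)
        created.append(obj)
    return created

def admit(cluster, operation, kind, namespace, name):
    """Webhook decision for a direct UPDATE/DELETE: synchronized objects are denied."""
    obj = cluster.get(kind, namespace, name)
    if obj is None:
        return False, "not found"
    labels = obj["metadata"].get("labels", {})
    if labels.get(MANAGED_BY) == "kyverno" and labels.get(SYNC) == "enable":
        return False, DENY_MSG
    if operation == "DELETE":
        del cluster.objects[(kind, namespace, name)]
    return True, "allowed"

def synchronize(cluster, policy, trigger):
    """Re-run only the synchronize: true rules so clones pick up source changes."""
    synced = [r for r in policy["spec"]["rules"] if r["generate"].get("synchronize")]
    return generate(cluster, {"spec": {"rules": synced}}, trigger)

# Constructed sample: the page's two rules in one policy, replayed like its kubectl session.
POLICY = {"spec": {"rules": [
    {"name": "Generate ConfigMap", "match": {"resources": {"kinds": ["Namespace"]}},
     "generate": {"kind": "ConfigMap", "name": "default-config", "synchronize": True,
                  "namespace": "{{request.object.metadata.name}}",
                  "clone": {"namespace": "default", "name": "config-template"}}},
    {"name": "Generate Configmap", "match": {"resources": {"kinds": ["Namespace"]}},
     "generate": {"kind": "ConfigMap", "name": "config-app",
                  "namespace": "{{request.object.metadata.name}}",
                  "data": {"data": {"USERNAME": "evalsocket=", "DATABASE": "blog"},
                           "metadata": {"labels": {"purpose": "config"}}}}}]}}

def demo():
    cluster = Cluster()
    cluster.put({"kind": "ConfigMap", "data": {"special.how": "very"},
                 "metadata": {"name": "config-template", "namespace": "default"}})
    ns = {"kind": "Namespace", "metadata": {"name": "kyverno-example"}}
    generated = sorted(o["metadata"]["name"] for o in generate(cluster, POLICY, ns))
    delete_synced = admit(cluster, "DELETE", "ConfigMap", "kyverno-example", "default-config")[0]
    delete_unsynced = admit(cluster, "DELETE", "ConfigMap", "kyverno-example", "config-app")[0]
    cluster.get("ConfigMap", "default", "config-template")["data"]["special.how"] = "why"  # kubectl edit
    synchronize(cluster, POLICY, ns)
    synced_value = cluster.get("ConfigMap", "kyverno-example", "default-config")["data"]["special.how"]
    return {"generated": generated, "delete_synced": delete_synced,
            "delete_unsynced": delete_unsynced, "synced_value": synced_value}
```

`demo()` replays the session: both ConfigMaps are generated, the delete of `default-config` is denied while `config-app` goes through, and after the source edit `default-config` carries `special.how: why`. The point to take from `admit` is that the protection rests entirely on the managed-by and synchronize labels, so a policy that leaves `synchronize` unset produces resources anyone with namespace access can change or remove.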
Let's try one more example. This time we will generate RBAC objects from a generate policy. By default the Kyverno service account does not have permission to create them, so an admin has to grant that access manually. Please read more about the Kyverno role.

Add the privileges Kyverno needs for creating the role:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:policycontroller
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'   # write verbs on every resource make this service account effectively cluster-admin; scope it to the kinds your generate rules create
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:userinfo
rules:
  - apiGroups:
      - '*'
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
      - configmaps
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1   # v1beta1 was removed in Kubernetes 1.22; use rbac.authorization.k8s.io/v1 on current clusters
metadata:
  name: kyverno-admin-generate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:generatecontroller   # must name a ClusterRole that exists in the cluster; the roles defined above are kyverno:policycontroller and kyverno:userinfo
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account   # default Kyverno serviceAccount
    namespace: kyverno
```
Now we are ready to generate a Role or ClusterRole. Let's take an example policy that generates a Role:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "gen-role-policy"
spec:
  background: false
  rules:
    - name: "gen-role"
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: Role
        name: "ns-role"
        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        synchronize: true
        data:
          rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["get", "watch", "list"]
```
Follow these steps to generate the role:

```shell
$ kubectl apply -f gen-role-policy.yaml
clusterpolicy.kyverno.io/gen-role-policy created

$ kubectl create ns new
namespace/new created

$ kubectl get Role -n new
NAME      AGE
ns-role   8s
```
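The RBAC bundle granted to Kyverno above and the gen-role policy together raise the question a reviewer would ask before applying them: how much of that access does the policy actually need? The following added example (written for this post, not code from Kyverno or the original author) audits the bundle as Python dicts shaped like the YAML above and derives a ClusterRole scoped to what the generate rules create. `KIND_TO_API` is a hand-written table covering only the kinds used on this page, and `kyverno:generate-scoped` is an assumed name for the derived role.

```python
"""Least-privilege review of the RBAC handed to Kyverno (added example, not Kyverno's or
the post's code). Manifests are Python dicts shaped like the YAML above; a real review
would load them from the cluster or from YAML files. KIND_TO_API is a hand-written
table covering only the kinds used on this page."""

RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "*"}
GEN_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
KIND_TO_API = {"ConfigMap": ("", "configmaps"),
               "Role": ("rbac.authorization.k8s.io", "roles"),
               "ClusterRole": ("rbac.authorization.k8s.io", "clusterroles"),
               "RoleBinding": ("rbac.authorization.k8s.io", "rolebindings"),
               "ClusterRoleBinding": ("rbac.authorization.k8s.io", "clusterrolebindings")}

def audit_cluster_role(role):
    """Flag rules that make the bound service account effectively cluster-admin."""
    findings, name = [], role["metadata"]["name"]
    for i, rule in enumerate(role.get("rules", [])):
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        writes = bool(WRITE_VERBS & verbs)
        if writes and "*" in resources:
            findings.append(f"{name} rule[{i}]: write verbs on every resource")
        if writes and ("*" in resources or RBAC_RESOURCES & resources):
            findings.append(f"{name} rule[{i}]: can write RBAC objects, so the subject can grant itself rights")
    return findings

def audit_bindings(manifests):
    """Check each ClusterRoleBinding points at a ClusterRole defined in the same bundle."""
    defined = {m["metadata"]["name"] for m in manifests if m["kind"] == "ClusterRole"}
    findings = []
    for m in manifests:
        if m["kind"] != "ClusterRoleBinding":
            continue
        name, ref = m["metadata"]["name"], m["roleRef"]["name"]
        if ref not in defined:
            findings.append(f"{name}: roleRef {ref} is not defined in this bundle")
        if m.get("apiVersion", "").endswith("v1beta1"):
            findings.append(f"{name}: rbac v1beta1 was removed in Kubernetes 1.22")
    return findings

def minimal_role_for(policies, name="kyverno:generate-scoped"):
    """Derive a ClusterRole limited to what the given generate rules actually create."""
    rules, seen = [], set()
    def add(group, resource, verbs):
        key = (group, resource, tuple(verbs))
        if key not in seen:
            seen.add(key)
            rules.append({"apiGroups": [group], "resources": [resource], "verbs": list(verbs)})
    for pol in policies:
        for rule in pol["spec"]["rules"]:
            gen = rule.get("generate")
            if gen is None:
                continue
            group, resource = KIND_TO_API[gen["kind"]]
            add(group, resource, GEN_VERBS)
            # Kubernetes only lets a subject create a Role/ClusterRole granting permissions
            # the subject already holds, so the generated rules have to be mirrored here.
            if gen["kind"] in ("Role", "ClusterRole") and "data" in gen:
                for r in gen["data"].get("rules", []):
                    for g in r["apiGroups"]:
                        for res in r["resources"]:
                            add(g, res, r["verbs"])
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}

# Constructed sample: the ClusterRoles and binding shown above, plus the gen-role policy.
BUNDLE = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "kyverno:policycontroller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": GEN_VERBS}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "kyverno:userinfo"},
     "rules": [{"apiGroups": ["*"], "verbs": GEN_VERBS,
                "resources": ["roles", "clusterroles", "rolebindings", "clusterrolebindings", "configmaps"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "kyverno-admin-generate"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "kyverno:generatecontroller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kyverno-service-account", "namespace": "kyverno"}]},
]
GEN_ROLE_POLICY = {"spec": {"rules": [{"name": "gen-role",
    "match": {"resources": {"kinds": ["Namespace"]}},
    "generate": {"kind": "Role", "name": "ns-role", "synchronize": True,
                 "namespace": "{{request.object.metadata.name}}",
                 "data": {"rules": [{"apiGroups": [""], "resources": ["pods"],
                                     "verbs": ["get", "watch", "list"]}]}}}]}}

def review():
    """Findings for the page's bundle, and the scoped role that would replace it."""
    findings = audit_bindings(BUNDLE)
    for m in BUNDLE:
        if m["kind"] == "ClusterRole":
            findings += audit_cluster_role(m)
    return findings, minimal_role_for([GEN_ROLE_POLICY])
```

`review()` reports five findings on the bundle as written: the wildcard resource grant, RBAC write access in both ClusterRoles, a roleRef that names a ClusterRole the bundle does not define, and the deprecated API version. The derived role holds only create/update/delete rights on `roles` plus the `pods` verbs the generated Role hands out, which is the smallest grant under which the gen-role policy still works.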
Some use cases for the generate policy are:
Check out the Kyverno GitHub page to learn more about the generate policy and several other features, like validate and deny rules. Find more about Kyverno in the previous post, Kubernetes Policy Management with Kyverno.