
Policies#

Overview#

Policies are resources that govern the behaviour of a Kubernetes cluster: they supply configuration defaults and determine what is allowed or disallowed.


Kyverno#

Kyverno is a policy engine designed for Kubernetes. It manages policies as Kubernetes native resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and Kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources.

How to write Policies?#

To add custom policies, users create a Policy custom resource. Policy is a namespaced resource, so a policy created in a namespace applies only to resources in that namespace.

A detailed walk-through of how to create policies can be found here

For reference: Sample Policies

NOTE: Creating cluster level policies is not allowed.

Example#

apiVersion: kyverno.io/v1
kind: Policy                      # namespaced; ClusterPolicy is not permitted here
metadata:
  name: require-label-development-team
  annotations:
    policies.kyverno.io/title: Require label Development Team
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Require pods to have development-team label set
spec:
  validationFailureAction: enforce   # audit or enforce (Kyverno 1.8+ spells them Audit/Enforce; lowercase is still accepted)
  rules:
    - name: require-label-development-team
      match:
        resources:
          kinds:
            - Pod                    # only Pods are checked by this rule
      validate:
        message: "The label `development-team` is required"
        anyPattern:
          - metadata:
              labels:
                development-team: "?*"   # wildcard: any value of at least one character

Failure Actions#

The failure action is controlled by the validationFailureAction field of the Policy custom resource. It supports the following values:

Audit#

In Audit mode the policy does not reject anything: a violating resource is admitted, and the violation is recorded in the PolicyReport custom resource for that namespace, which can be inspected to see which resources failed which rules.

Enforce#

In Enforce mode the policy rejects any admission request that violates it, so the offending resource is never created or updated. Existing resources that violate the policy are still reported: Kyverno's background scan records them in the PolicyReport custom resource.
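To make the difference between the two failure actions concrete, the following added example (not Kyverno's or Stakater's code) simulates how the require-label-development-team rule from the example above would treat a few Pods under Audit and under Enforce. It re-implements only the piece of Kyverno's pattern matching that the rule needs (the `?*` wildcard, via Python's fnmatch, and exact matching for other values); the sample Pod manifests are constructed here for the demonstration.

```python
"""Simulate the example Policy's admission decisions under Audit vs Enforce.

Added illustration only: this is not Kyverno's evaluation engine. It covers
just the `?*` wildcard and nested-key matching used by the page's rule.
"""
import fnmatch
from dataclasses import dataclass, field

# The single rule from the page's example policy, as plain data.
POLICY = {
    "name": "require-label-development-team",
    "kinds": ["Pod"],
    "message": "The label `development-team` is required",
    "anyPattern": [
        {"metadata": {"labels": {"development-team": "?*"}}},
    ],
}


def value_matches(pattern, value):
    """Scalar match: '*' = any sequence, '?' = exactly one character
    (fnmatch uses the same two wildcards), equality for non-strings."""
    if isinstance(pattern, str):
        return value is not None and fnmatch.fnmatchcase(str(value), pattern)
    return pattern == value


def pattern_matches(pattern, resource):
    """Every key in the pattern must exist in the resource and match;
    keys the pattern does not mention are ignored."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        return all(k in resource and pattern_matches(v, resource[k])
                   for k, v in pattern.items())
    return value_matches(pattern, resource)


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)  # what a PolicyReport would record


def admit(resource, policy, failure_action):
    """Admission decision for one resource under the given failure action."""
    if resource.get("kind") not in policy["kinds"]:
        return Decision(allowed=True)  # rule does not match this kind at all
    if any(pattern_matches(p, resource) for p in policy["anyPattern"]):
        return Decision(allowed=True)
    violation = {
        "policy": policy["name"],
        "resource": resource["metadata"]["name"],
        "message": policy["message"],
    }
    if failure_action.lower() == "audit":
        # Audit: admitted anyway, violation only reported.
        return Decision(allowed=True, violations=[violation])
    # Enforce: the request is rejected.
    return Decision(allowed=False, violations=[violation])


def pod(name, labels=None):
    """Constructed sample Pod manifest (not from a real cluster)."""
    meta = {"name": name, "namespace": "demo"}
    if labels is not None:
        meta["labels"] = labels
    return {"apiVersion": "v1", "kind": "Pod", "metadata": meta}


SAMPLE_PODS = [
    pod("labelled", {"development-team": "payments"}),
    pod("empty-label", {"development-team": ""}),  # '?*' needs at least one char
    pod("no-labels"),                               # no labels map at all
]


def run(failure_action):
    """Map each sample Pod name to its Decision under one failure action."""
    return {p["metadata"]["name"]: admit(p, POLICY, failure_action)
            for p in SAMPLE_PODS}


if __name__ == "__main__":
    for mode in ("Audit", "Enforce"):
        for name, d in run(mode).items():
            print(f"{mode:8} {name:12} allowed={d.allowed} "
                  f"violations={len(d.violations)}")
```

The empty-string case is the one worth remembering: a label that is present but empty still fails `?*`, and in Enforce mode that Pod is rejected, whereas in Audit mode all three Pods are admitted and two violations are reported.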

Default Policy#

Default policies are enforced on every cluster. Users cannot disable them, since they are considered essential for governance and security.

Stakater Cloud UI#

Stakater maintains a curated list of policies that ensure clusters follow best practices for security, governance and so on. This list can be accessed through our centralized control plane, Stakater Cloud.


NOTE: Policies added directly to clusters (namespaced Policy resources) cannot be managed through this front-end.

Alternatives to Kyverno#

Kyverno vs OPA Gatekeeper#

| Features/Capabilities                          | Gatekeeper | Kyverno                     |
|------------------------------------------------|------------|-----------------------------|
| Validation                                     | ✓          | ✓                           |
| Mutation                                       | ✓          | ✓                           |
| Generation                                     | ✗          | ✓                           |
| Policy as native resources                     | ✓          | ✓                           |
| Metrics exposed                                | ✓          | ✓                           |
| OpenAPI validation schema (kubectl explain)    | ✗          | ✓                           |
| High Availability                              | ✓          | ✓                           |
| API object lookup                              | ✓          | ✓                           |
| CLI with test ability                          | ✓          | ✓                           |
| Policy audit ability                           | ✓          | ✓                           |
| Programming required                           | ✓ (Rego)   | ✗ (YAML; optional JMESPath) |

FAQ#

  • Can we manage policies added by customers using Stakater Cloud? No, as of right now there is no option for that.
  • Can we disable default policies? No, these policies are critical in maintaining a secure environment for the customers.