Kyverno Architecture Internals: Kubernetes-Native Policy Engine

1. What is Kyverno

Kyverno is a policy engine designed for Kubernetes. Unlike OPA/Gatekeeper, it lets you write policies in YAML (and CEL) without learning a separate policy language.

Key features: YAML-based policies that are managed with kubectl like any other Kubernetes resource, four rule types (validate, mutate, generate, verifyImages), CEL support, and background scanning of resources that already exist in the cluster.


2. Architecture Overview

  • Admission Controller: intercepts API requests for real-time policy enforcement
  • Background Controller: periodically evaluates policies against existing resources
  • Reports Controller: generates and manages PolicyReport/ClusterPolicyReport CRDs

2.1 Webhook Configuration

Kyverno auto-configures MutatingWebhookConfiguration and ValidatingWebhookConfiguration on installation. failurePolicy can be Fail (reject the request when the webhook cannot be reached or returns an error) or Ignore (admit the request unchecked in that case, so while Kyverno is unavailable its policies are not enforced).


3. Policy Types

3.1 ClusterPolicy vs Policy

# ClusterPolicy: applies cluster-wide
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: '?*'

3.2 validationFailureAction

  • Enforce: Reject requests that violate policies
  • Audit: Log violations but allow requests

4. Rule Types

4.1 validate

rules:
  - name: validate-resources
    match:
      any:
        - resources:
            kinds:
              - Deployment
    validate:
      message: 'CPU and memory limits are required'
      pattern:
        spec:
          template:
            spec:
              containers:
                - resources:
                    limits:
                      memory: '?*'
                      cpu: '?*'

4.2 mutate

rules:
  - name: add-default-labels
    match:
      any:
        - resources:
            kinds:
              - Deployment
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            app.kubernetes.io/managed-by: kyverno

4.3 generate

rules:
  - name: generate-networkpolicy
    match:
      any:
        - resources:
            kinds:
              - Namespace
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      namespace: '{{ request.object.metadata.name }}'
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes:
            - Ingress
            - Egress

4.4 verifyImages

rules:
  - name: verify-image-signature
    match:
      any:
        - resources:
            kinds:
              - Pod
    verifyImages:
      - imageReferences:
          - 'ghcr.io/myorg/*'
        attestors:
          - entries:
              - keyless:
                  # Keyless verification pins the signer's certificate identity and OIDC issuer;
                  # replace both placeholders with the values your signing workflow produces.
                  subject: "<certificate-identity-placeholder>"
                  issuer: "<oidc-issuer-placeholder>"

5. match/exclude Filtering

rules:
  - name: my-rule
    match:
      any:
        - resources:
            kinds:
              - Deployment
            namespaces:
              - production
    exclude:
      any:
        - resources:
            namespaces:
              - kube-system
        - clusterRoles:
            - cluster-admin
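To make the evaluation concrete, here is an added Python model (not Kyverno's own code) of how a validate rule like the one in 4.1 decides a request: the match filtering from section 5 selects the rule, then the pattern is checked with Kyverno-style `?*` wildcards, where a one-element list pattern must hold for every container and a missing field fails the check. The rule, the Deployment builder and the `ghcr.io/myorg/app:1.0` image are constructed sample data; exclude blocks and numeric operators are not modelled.

```python
from fnmatch import fnmatchcase
from typing import Any, Optional

# Constructed rule with the shape of the 4.1 validate rule plus a section-5 namespace filter.
RULE = {
    "match": {"any": [{"resources": {"kinds": ["Deployment"], "namespaces": ["production"]}}]},
    "validate": {
        "message": "CPU and memory limits are required",
        "pattern": {"spec": {"template": {"spec": {"containers": [
            {"resources": {"limits": {"memory": "?*", "cpu": "?*"}}}]}}}},
    },
}

def matches(pattern: Any, value: Any) -> bool:
    """Subset of Kyverno pattern semantics: maps subset-match, one-element lists apply to every element."""
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(k in value and matches(p, value[k]) for k, p in pattern.items())
    if isinstance(pattern, list):
        if len(pattern) != 1:
            raise ValueError("only single-element list patterns are modelled here")
        return isinstance(value, list) and all(matches(pattern[0], v) for v in value)
    if value is None:
        return False  # required field absent or explicitly null
    if isinstance(pattern, str):
        return fnmatchcase(str(value), pattern)  # '?*' = at least one character
    return pattern == value

def rule_applies(rule: dict, resource: dict) -> bool:
    """match.any: applies when kind and namespace both match in any one block."""
    ns = resource.get("metadata", {}).get("namespace", "")
    for block in rule["match"]["any"]:
        res = block.get("resources", {})
        kind_ok = "kinds" not in res or resource.get("kind") in res["kinds"]
        ns_ok = "namespaces" not in res or any(fnmatchcase(ns, n) for n in res["namespaces"])
        if kind_ok and ns_ok:
            return True
    return False

def admit(rule: dict, resource: dict) -> tuple:
    # Decide as an Enforce-mode validate rule would: (allowed, reason).
    if not rule_applies(rule, resource):
        return True, "rule does not apply"
    if matches(rule["validate"]["pattern"], resource):
        return True, "pass"
    return False, rule["validate"]["message"]

def deployment(namespace: str, limits: Optional[dict]) -> dict:
    # Constructed Deployment with one container; limits=None omits the resources block entirely.
    c = {"name": "app", "image": "ghcr.io/myorg/app:1.0", **({"resources": {"limits": limits}} if limits is not None else {})}
    return {"kind": "Deployment", "metadata": {"namespace": namespace},
            "spec": {"template": {"spec": {"containers": [c]}}}}
```

In Audit mode the same (False, message) result would be recorded in a PolicyReport instead of rejecting the request.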

6. Installation

helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# HA configuration
helm install kyverno kyverno/kyverno -n kyverno --create-namespace \
  --set admissionController.replicas=3

7. Summary

  1. Kubernetes native: YAML/CEL-based policies, managed with kubectl
  2. Three controllers: Admission (real-time), Background (existing resources), Reports
  3. Four rule types: validate, mutate, generate, verifyImages
  4. Flexible matching: Filter by resource kinds, namespaces, users, roles
  5. Audit/Enforce modes: Support gradual policy adoption