Kyverno Architecture Internals: A Kubernetes-Native Policy Engine
1. What is Kyverno
1.1 A Kubernetes-Native Policy Engine
Kyverno is a policy engine designed for Kubernetes. Unlike OPA/Gatekeeper, it needs no separate policy language: policies are written in YAML and CEL, which is familiar territory for Kubernetes users.
Key features:
- YAML-based policy definitions (no need to learn Rego)
- Policies managed as Kubernetes resources (CRUD via kubectl)
- Four rule types: validate, mutate, generate, verifyImages
- CEL (Common Expression Language) support
- Background scanning applies policies to existing resources as well
1.2 CNCF Project Status
Kyverno is a CNCF Incubating project with an active community and a fast release cadence.
2. Architecture Overview
2.1 Controller Layout
```text
+-------------------+        +------------------------+
| Kubernetes        |        | Kyverno                |
| API Server        |        |                        |
|                   |        |  +------------------+  |
| Webhook --------->|------->|  | Admission        |  |
| (Mutating/        |        |  | Controller       |  |
|  Validating)      |        |  +------------------+  |
|                   |        |                        |
|                   |        |  +------------------+  |
|                   |        |  | Background       |  |
|                   |        |  | Controller       |  |
|                   |        |  +------------------+  |
|                   |        |                        |
|                   |        |  +------------------+  |
|                   |        |  | Reports          |  |
|                   |        |  | Controller       |  |
|                   |        |  +------------------+  |
+-------------------+        +------------------------+
```
Admission Controller: intercepts API requests and applies policies in real time
- MutatingWebhookConfiguration: handles mutate rules
- ValidatingWebhookConfiguration: handles validate rules
Background Controller: evaluates policies against resources that already exist
- Periodically scans the cluster's existing resources
- Handles synchronization (synchronize) for generate rules
Reports Controller: creates and manages policy reports
- Manages the PolicyReport / ClusterPolicyReport CRDs
- Stores policy violation results as resources
2.2 Webhook Configuration
Kyverno configures its webhooks automatically at install time:
```yaml
# MutatingWebhookConfiguration auto-generated by Kyverno
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: kyverno-resource-mutating-webhook-cfg
webhooks:
  - name: mutate.kyverno.svc-fail
    clientConfig:
      service:
        name: kyverno-svc
        namespace: kyverno
        path: /mutate/fail
    rules:
      - apiGroups: ['*']
        apiVersions: ['*']
        operations: ['CREATE', 'UPDATE']
        resources: ['*']
    failurePolicy: Fail
    sideEffects: None
    timeoutSeconds: 10
```
2.3 failurePolicy Settings
| Setting | Behaviour | Use case |
|---|---|---|
| Fail | Request is rejected when the webhook fails | Production security policies |
| Ignore | Request is allowed when the webhook fails | Initial rollout, non-critical policies |
3. Policy Types
3.1 ClusterPolicy vs Policy
```yaml
# ClusterPolicy: applies cluster-wide
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: '?*'
```
```yaml
# Policy: applies to a single namespace only
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-labels
  namespace: production
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: '?*'
```
3.2 validationFailureAction
| Mode | Behaviour |
|---|---|
| Enforce | Reject requests that violate the policy |
| Audit | Record the violation but allow the request |
```yaml
spec:
  validationFailureAction: Audit # or Enforce
  validationFailureActionOverrides:
    - action: Enforce
      namespaces:
        - production
    - action: Audit
      namespaces:
        - development
```
4. Rule Types
4.1 validate - Validation
Checks that a resource satisfies the policy:
```yaml
rules:
  - name: validate-resources
    match:
      any:
        - resources:
            kinds:
              - Deployment
    validate:
      message: 'CPU and memory limits are required'
      pattern:
        spec:
          template:
            spec:
              containers:
                - resources:
                    limits:
                      memory: '?*'
                      cpu: '?*'
```
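As an added example (not from the original post or the Kyverno project), the following Python model shows how a validate.pattern such as the require-labels pattern in 3.1 or the limits pattern above is applied to a resource: a dict pattern must be satisfied key by key, a list pattern is applied to every element of the resource list (so one container without limits fails the whole Deployment), and '?*' means a non-empty string. The sample Deployments are constructed, and the matching semantics are a simplified approximation of Kyverno's, using fnmatch for the wildcards.

```python
import fnmatch
from typing import Any, Optional, Tuple

# Rules from the policies above, expressed as Python dicts.
REQUIRE_LABEL = {"validate": {
    "message": "Label 'app.kubernetes.io/name' is required",
    "pattern": {"metadata": {"labels": {"app.kubernetes.io/name": "?*"}}}}}
REQUIRE_LIMITS = {"validate": {
    "message": "CPU and memory limits are required",
    "pattern": {"spec": {"template": {"spec": {"containers": [
        {"resources": {"limits": {"memory": "?*", "cpu": "?*"}}}]}}}}}}

# Constructed sample resources (not from the original post).
GOOD_DEPLOY = {
    "metadata": {"labels": {"app.kubernetes.io/name": "web"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}}}]}}}}
BAD_DEPLOY = {
    "metadata": {"labels": {"app.kubernetes.io/name": ""}},  # label present but empty
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}}},
        {"name": "sidecar", "resources": {}}]}}}}  # sidecar has no limits at all

def wildcard_match(pattern: str, value: Any) -> bool:
    """Kyverno wildcards: '*' = zero or more chars, '?' = exactly one, so '?*' = non-empty."""
    return fnmatch.fnmatchcase(str(value), pattern)

def matches_pattern(pattern: Any, resource: Any) -> bool:
    """Recursive structural match (simplified model of Kyverno's validate.pattern)."""
    if isinstance(pattern, dict):
        # Every key in the pattern must exist in the resource and match; extra keys are ignored.
        return isinstance(resource, dict) and all(
            k in resource and matches_pattern(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        # A list pattern is applied to every element of the resource list (e.g. every container).
        return isinstance(resource, list) and all(
            matches_pattern(p, item) for p in pattern for item in resource)
    if isinstance(pattern, str):
        return wildcard_match(pattern, resource)
    return pattern == resource

def validate_rule(rule: dict, resource: dict) -> Tuple[bool, Optional[str]]:
    """Return (passed, message); the message is what the admission response would carry."""
    spec = rule["validate"]
    ok = matches_pattern(spec["pattern"], resource)
    return ok, None if ok else spec["message"]
```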
4.2 mutate - Mutation
Modifies resources automatically:
```yaml
rules:
  - name: add-default-labels
    match:
      any:
        - resources:
            kinds:
              - Deployment
              - StatefulSet
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            app.kubernetes.io/managed-by: kyverno
```
4.3 generate - Generation
Automatically creates related resources when a resource is created:
```yaml
rules:
  - name: generate-networkpolicy
    match:
      any:
        - resources:
            kinds:
              - Namespace
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      namespace: '{{ request.object.metadata.name }}'
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes:
            - Ingress
            - Egress
```
4.4 verifyImages - Image Verification
Verifies container image signatures and attestations:
```yaml
rules:
  - name: verify-image-signature
    match:
      any:
        - resources:
            kinds:
              - Pod
    verifyImages:
      - imageReferences:
          - 'ghcr.io/myorg/*'
        attestors:
          - entries:
              - keyless:
                  url: https://fulcio.sigstore.dev
                  roots: |
                    -----BEGIN CERTIFICATE-----
                    ...
                    -----END CERTIFICATE-----
```
5. match/exclude Filtering
5.1 Resource Matching
```yaml
rules:
  - name: my-rule
    match:
      any:
        - resources:
            kinds:
              - Deployment
              - StatefulSet
            namespaces:
              - production
              - staging
            names:
              - 'web-*'
            selector:
              matchLabels:
                tier: frontend
        - resources:
            kinds:
              - Service
    exclude:
      any:
        - resources:
            namespaces:
              - kube-system
              - kyverno
        - subjects:
            - kind: ServiceAccount
              name: admin-sa
              namespace: kube-system
        - clusterRoles:
            - cluster-admin
```
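To make the any/exclude semantics and the Enforce/Audit decision concrete, here is an added Python model (not Kyverno's own code) that evaluates the rule above together with the validationFailureActionOverrides spec from section 3.2: entries under match.any are ORed, every filter inside one entry must hold, and any hit under exclude.any removes the request from the rule's scope. The request() helper, its constructed admission contexts, and the `violates` flag standing in for the validate result are assumptions.

```python
import fnmatch

# The match/exclude rule from section 5 and the spec from section 3.2, as Python dicts.
MY_RULE = {"match": {"any": [
    {"resources": {"kinds": ["Deployment", "StatefulSet"], "namespaces": ["production", "staging"],
                   "names": ["web-*"], "selector": {"matchLabels": {"tier": "frontend"}}}},
    {"resources": {"kinds": ["Service"]}}]},
  "exclude": {"any": [
    {"resources": {"namespaces": ["kube-system", "kyverno"]}},
    {"subjects": [{"kind": "ServiceAccount", "name": "admin-sa", "namespace": "kube-system"}]},
    {"clusterRoles": ["cluster-admin"]}]}}
SPEC = {"validationFailureAction": "Audit",
        "validationFailureActionOverrides": [{"action": "Enforce", "namespaces": ["production"]},
                                             {"action": "Audit", "namespaces": ["development"]}]}

def request(kind, namespace, name, labels=None, subject=None, cluster_roles=()) -> dict:
    # Constructed admission-request context: the resource plus who is sending it (assumption).
    return {"kind": kind, "namespace": namespace, "name": name, "labels": labels or {},
            "subject": subject, "clusterRoles": set(cluster_roles)}

def block_matches(block: dict, req: dict) -> bool:
    """One entry of match.any / exclude.any: every filter inside the entry must hold."""
    res = block.get("resources", {})
    selector = res.get("selector", {}).get("matchLabels", {})
    checks = [
        "kinds" not in res or req["kind"] in res["kinds"],
        "namespaces" not in res or req["namespace"] in res["namespaces"],
        "names" not in res or any(fnmatch.fnmatchcase(req["name"], n) for n in res["names"]),
        all(req["labels"].get(k) == v for k, v in selector.items()),
        "subjects" not in block or req["subject"] in block["subjects"],
        "clusterRoles" not in block or bool(set(block["clusterRoles"]) & req["clusterRoles"]),
    ]
    return all(checks)

def rule_applies(rule: dict, req: dict) -> bool:
    """match.any is OR over entries; a hit on any exclude entry removes the request from scope."""
    matched = any(block_matches(b, req) for b in rule["match"]["any"])
    excluded = any(block_matches(b, req) for b in rule.get("exclude", {}).get("any", []))
    return matched and not excluded

def failure_action(spec: dict, namespace: str) -> str:
    # A per-namespace override wins over the policy-wide validationFailureAction.
    for override in spec.get("validationFailureActionOverrides", []):
        if namespace in override["namespaces"]:
            return override["action"]
    return spec.get("validationFailureAction", "Audit")

def admission_decision(spec: dict, rule: dict, req: dict, violates: bool) -> str:
    """'allow', 'deny', or 'allow+audit' (violation recorded in a PolicyReport, request admitted)."""
    if not rule_applies(rule, req) or not violates:
        return "allow"
    return "deny" if failure_action(spec, req["namespace"]) == "Enforce" else "allow+audit"
```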
6. Installation and Basic Configuration
```bash
# Install with Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# HA configuration
helm install kyverno kyverno/kyverno -n kyverno --create-namespace \
  --set admissionController.replicas=3 \
  --set backgroundController.replicas=2 \
  --set reportsController.replicas=2

# Policy library
# https://kyverno.io/policies/
```
7. Summary
The core of the Kyverno architecture:
- Kubernetes native: YAML/CEL-based policies, managed with kubectl
- Three controllers: Admission (real time), Background (existing resources), Reports (reporting)
- Four rule types: validate, mutate, generate, verifyImages
- Flexible matching: filter by resource kind, namespace, user, and role
- Audit/Enforce modes: support gradual policy adoption
The next post takes a deep look at how Kyverno's policy engine works internally.