Policies

Overview

Policies are resources that govern the behavior of the Kubernetes cluster, where they provide defaults for configuration and also determines what is allowed or disallowed.

image

Kyverno

Kyverno is a policy engine designed for Kubernetes. It manages policies as Kubernetes native resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and Kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources.

How to write Policies?

To add custom policies, user can create Policy custom resource. This is a namespaced resource and would only allow policy in the relevant namespace.

Detailed walk-through of how to create policies can be found hereopen in new window

For reference: Sample Policiesopen in new window

NOTE: Creating cluster level policies is not allowed.

Example

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-label-development-team
  annotations:
    policies.kyverno.io/title: Require label Development Team
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Require pods to have development-team label set
spec:
  validationFailureAction: enforce
  rules:
    - name: require-label-development-team
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "The label `development-team` is required"
        anyPattern:
          - metadata:
              labels:
                development-team: "?*"

Failure Actions

To update failure action, we can set the following values for validationFailureAction in the Policy custom resource. It supports the following values:

Audit

In audit mode, the policy will generate appropriate warnings but won't reject anything. We can view PolicyReport custom resource against that policy to view detailed violation report.

Enforce

In enforce mode, the policy will deny/reject all actions that violate the policy. Report is generated against all the violations and is stored in PolicyReport custom resource.

Default Policy

Policies that are enforced by default. User cannot disable these policies since they are considered essential for governance, security etc.

Stakater Cloud UI

A concrete list of policies is maintained by Stakater for ensuring that clusters follow best practices for security, governance etc. This list of policy can be accessed using our centralized control-plane Stakater Cloudopen in new window

image

NOTE: Policies added directly to the clusters(Namespaced Policies) cannot be managed through this front-end

Alternatives to Kyverno

Kyverno vs OPA Gatekeeper

Features/CapabilitiesGatekeeperKyverno
Validation
Mutation
GenerationX
Policy as native resources
Metrics exposed
OpenAPI validation schema (kubectl explain)X
High Availability
API object lookup
CLI with test ability
Policy audit ability
Programming required✓ (Rego)✓ (JavaScript)

FAQ

  • Can we manage policies added by customers using Stakater Cloud? No, as of right now there is no option for that.
  • Can we disable default policies? No, these policies are critical in maintaining a secure environment for the customers.