HackTricks Cloud
HackTricks TrainingTwitterLinkedinSponsor

Kubernetes Kyverno

The original author of this page is Guillaume

Definition

Kyverno is an open-source, policy management framework for Kubernetes that enables organizations to define, enforce, and audit policies across their entire Kubernetes infrastructure. It provides a scalable, extensible, and highly customizable solution for managing the security, compliance, and governance of Kubernetes clusters.

Use cases

Kyverno can be used in a variety of use cases, including:

  1. Network Policy Enforcement: Kyverno can be used to enforce network policies, such as allowing or blocking traffic between pods or services.

  2. Secret Management: Kyverno can be used to enforce secret management policies, such as requiring secrets to be stored in a specific format or location.

  3. Access Control: Kyverno can be used to enforce access control policies, such as requiring users to have specific roles or permissions to access certain resources.

Example: ClusterPolicy and Policy

Let's say we have a Kubernetes cluster with multiple namespaces, and we want to enforce a policy that requires all pods in the default namespace to have a specific label.

ClusterPolicy

A ClusterPolicy is a high-level policy that defines the overall policy intent. In this case, our ClusterPolicy might look like this:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-label
spec:
  rules:
  - validate:
      message: "Pods in the default namespace must have the label 'app: myapp'"
      match:
        any:
        - resources:
            kinds:
              - Pod
            namespaceSelector:
              matchLabels:
                namespace: default
        - any:
            - resources:
                kinds:
                  - Pod
                namespaceSelector:
                  matchLabels:
                    namespace: default
                validationFailureAction: enforce

When a pod is created in the default namespace without the label app: myapp, Kyverno will block the request and return an error message indicating that the pod does not meet the policy requirements.

References

PreviousKubernetes OPA Gatekeeper bypassNextKubernetes Kyverno bypass

Last updated