Setting up Kyverno & Kyverno Policies
The Kyverno
To integrate Kyverno & Kyverno Policies into Managed Service for Kubernetes:
If you no longer need the resources you created, delete them.
Getting started
- Create a Managed Service for Kubernetes cluster and node group.
  Manually:
  - If you do not have a network yet, create one.
  - If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.
  - Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration.
  - Create a rule for connecting to the services from the internet and apply it to the Managed Service for Kubernetes cluster's node group.
  Terraform:
  - If you do not have Terraform yet, install it.
  - Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
  - Configure and initialize a provider. There is no need to create a provider configuration file manually: you can download it.
  - Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
  - Download the k8s-cluster.tf cluster configuration file to the same working directory. The file describes:
    - Network.
    - Subnet.
    - Security group and rules required for the cluster, node group, and Managed Service for Kubernetes instance to run:
      - Rules for service traffic.
      - Rules for accessing the Kubernetes API and managing the cluster with kubectl through ports 443 and 6443.
      - Rules for connecting to services from the internet.
    - Managed Service for Kubernetes cluster.
    - Service account required to use the Managed Service for Kubernetes cluster and node group.
  - Specify the following in the configuration file:
    - Folder ID.
    - Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    - Kubernetes cluster CIDR.
    - Name of the service account. It must be unique within the folder.
  - Make sure the Terraform configuration files are correct using this command:
    terraform validate
    If there are any errors in the configuration files, Terraform will point them out.
  - Create the required infrastructure:
    - Run the command to view planned changes:
      terraform plan
      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
    - If you are happy with the planned changes, apply them:
      - Run the command:
        terraform apply
      - Confirm the update of resources.
      - Wait for the operation to complete.
    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
- Install kubectl and configure it to work with the created cluster.
Create a Kyverno policy
- Install the Kyverno & Kyverno Policies application by following this guide.
- Create a policy that will require that all pods have the app.kubernetes.io/name Kubernetes label.
  - Save the specification for ClusterPolicy creation in a YAML file named policy.yaml:
    apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata:
      name: require-labels
    spec:
      validationFailureAction: enforce
      rules:
        - name: check-for-labels
          match:
            any:
              - resources:
                  kinds:
                    - Pod
          validate:
            message: "label 'app.kubernetes.io/name' is required"
            pattern:
              metadata:
                labels:
                  app.kubernetes.io/name: "?*"
  - Run this command:
    kubectl apply -f ./policy.yaml
    Result:
    clusterpolicy.kyverno.io/require-labels created
- (Optional) Install Policy Reporter in your Managed Service for Kubernetes cluster to be able to save and process policy results.
Test Kyverno & Kyverno Policies
- Create a pod with no app.kubernetes.io/name Kubernetes label:
  kubectl run nginx --image nginx
  Result:
  Error from server: admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/default/nginx was blocked due to the following policies require-labels: check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required. Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'
- Create a pod with the app.kubernetes.io/name Kubernetes label:
  kubectl run nginx --image nginx --labels app.kubernetes.io/name=nginx
  Result:
  pod/nginx created
Note
Although the policies are designed for pods, Kyverno applies them to any resources that can create pods.
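The following is an added example, not code from the Yandex Cloud documentation or from the Kyverno project. It emulates the require-labels policy locally so that manifests can be checked before they ever reach the admission webhook (for example in CI), and it shows the two points the steps above only hint at: the "?*" pattern rejects an empty label value as well as a missing one, and, as the note says, the rule also applies to workload controllers. The controller kinds and the pod-template paths listed in POD_TEMPLATE_PATHS, the use of fnmatch as an approximation of Kyverno's wildcard matching, and the sample manifests are all assumptions made for this example.

```python
"""Local emulation of the require-labels ClusterPolicy (added example, not Kyverno code)."""
from fnmatch import fnmatchcase

REQUIRED_LABEL = "app.kubernetes.io/name"
PATTERN = "?*"  # same pattern string as in policy.yaml: at least one character

# Kinds the rule is assumed to reach after Kyverno's rule auto-generation, and the
# path of the pod template metadata inside each (assumption for this example).
POD_TEMPLATE_PATHS = {
    "Pod": ("metadata",),
    "Deployment": ("spec", "template", "metadata"),
    "StatefulSet": ("spec", "template", "metadata"),
    "DaemonSet": ("spec", "template", "metadata"),
    "Job": ("spec", "template", "metadata"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "metadata"),
}


def _dig(obj, path):
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_manifest(manifest):
    """Return None if the manifest satisfies check-for-labels, else a Kyverno-style message."""
    path = POD_TEMPLATE_PATHS.get(manifest.get("kind"))
    if path is None:
        return None  # the rule does not match this kind
    labels = _dig(manifest, path + ("labels",)) or {}
    value = labels.get(REQUIRED_LABEL)
    # fnmatchcase: '?' matches exactly one character, '*' zero or more, so "" fails "?*"
    if isinstance(value, str) and fnmatchcase(value, PATTERN):
        return None
    json_path = "/" + "/".join(path + ("labels", REQUIRED_LABEL)) + "/"
    return (f"validation error: label '{REQUIRED_LABEL}' is required. "
            f"Rule check-for-labels failed at path {json_path}")


def admit(manifests, action="enforce"):
    """Simulate validationFailureAction: 'enforce' blocks offenders, 'audit' only reports."""
    blocked, report = [], []
    for m in manifests:
        msg = check_manifest(m)
        if msg is None:
            continue
        meta = m.get("metadata", {})
        name = f"{m['kind']}/{meta.get('namespace', 'default')}/{meta['name']}"
        report.append((name, msg))
        if action == "enforce":
            blocked.append(name)
    return blocked, report


# Constructed sample manifests (not taken from a real cluster).
POD_NO_LABEL = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
POD_OK = {"apiVersion": "v1", "kind": "Pod",
          "metadata": {"name": "nginx", "labels": {REQUIRED_LABEL: "nginx"}},
          "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
POD_EMPTY_LABEL = {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "empty", "labels": {REQUIRED_LABEL: ""}},
                   "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
# Label only on the Deployment object, not on its pod template: the pods it creates
# would still be rejected, which is the situation the note above describes.
DEPLOYMENT_LABEL_ON_OBJECT_ONLY = {"apiVersion": "apps/v1", "kind": "Deployment",
                                   "metadata": {"name": "web", "labels": {REQUIRED_LABEL: "web"}},
                                   "spec": {"template": {"metadata": {"labels": {"app": "web"}}}}}
CRONJOB_OK = {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "backup"},
              "spec": {"jobTemplate": {"spec": {"template": {
                  "metadata": {"labels": {REQUIRED_LABEL: "backup"}}}}}}}
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "svc"}}

SAMPLES = [POD_NO_LABEL, POD_OK, POD_EMPTY_LABEL,
           DEPLOYMENT_LABEL_ON_OBJECT_ONLY, CRONJOB_OK, SERVICE]

if __name__ == "__main__":
    for mode in ("enforce", "audit"):
        blocked, report = admit(SAMPLES, mode)
        print(f"{mode}: blocked={blocked}")
        for name, msg in report:
            print(f"  {name}: {msg}")
```

Running the block prints, for enforce mode, the three offenders (the unlabeled pod, the pod with an empty label value, and the Deployment whose template lacks the label) with messages in the same form as the webhook error shown above, while audit mode reports the same three without blocking any of them.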
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:
- In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.
- Delete the k8s-cluster.tf configuration file.
- Make sure the Terraform configuration files are correct using this command:
  terraform validate
  If there are any errors in the configuration files, Terraform will point them out.
- Confirm updating the resources.
- Run the command to view planned changes:
  terraform plan
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
- If you are happy with the planned changes, apply them:
  - Run the command:
    terraform apply
  - Confirm the update of resources.
  - Wait for the operation to complete.
  All the resources described in the k8s-cluster.tf configuration file will be deleted.