Kyverno is an application to manage security policies in Kubernetes. Security policies appear in Kyverno as Kubernetes resources.
Kyverno supports tools, such as kubectl, git, and kustomize. You can use the Kyverno command-line interface to test policies and validate resources as part of the CI/CD pipeline.
Kyverno-policies is a Kyverno extension.
Kyverno-policies includes an implementation of Kubernetes Pod Security Standards (PSS). When you install the extension, you can select a policy mode: audit (notify only) or enforce (block). The original policies are stored in a separate Kyverno-policies repository.
You can send notifications from Kyverno to other systems using the kyverno-policy-reporter extensions. Kyverno-policy-reporter supports export to Yandex Object Storage (s3).
Tip
To find vulnerabilities in Kubernetes clusters, use Chaos Mesh. Vulnerability detection will help you configure security policies.
- Install kubectl and configure it to work with your cluster.
- Create a node group for Kyverno.
- Configure the application:
- Namespace: Select a namespace or create a new one. Make sure it contains no applications or objects; otherwise, Kyverno will not run properly.
- Application name: Enter an application name.
- Kyverno policies activation: Select the kyverno-policies extensions for an automatic install in Kyverno.
- Pod Security Standard profile: Select the Pod Security Standard profile:
baseline,restricted, orprivileged. If the field is left blank, it will be set tobaselineby default. - Validation failure action: Select a response to Kyverno triggering:
audit(notify only) orenforce(block). If the field is left blank, it will be set toauditby default.
- Click Install.
For more information about tracking when Kyverno is triggered, see the instructions.
If you no longer need the application, delete it. Next, clear the application’s webhook configurations, or else the cluster will not run properly.
Application versions
For each Kubernetes version, a certain Kyverno version is supported. The required Kyverno version is installed by default depending on your Kubernetes version.
| Kubernetes version | Kyverno version | Documentation |
|---|---|---|
| 1.21 or older | 1.6 | Kyverno 1.6 documentation |
| 1.22 | 1.7 | Kyverno 1.7 documentation |
| 1.23 | 1.8 | Kyverno 1.8 documentation |
| 1.24 and higher | 1.9 | Kyverno 1.9 documentation |
- Managing the environment independently from workload configurations.
- Scanning the current workload to optimize Kubernetes cluster performance.
- Blocking or modifying API calls to optimize Kubernetes cluster performance.
- Validating, mutating, and generating Kubernetes resources.
- Ensuring the security of the OCI image supply chain.
Yandex Cloud technical support is available 24/7 to respond to requests. Available support modes and response times depend on your support plan. You can enable paid support in the management console. Learn more about requesting technical support.
| Helm chart | Version | Pull-command | Documentation |
|---|---|---|---|
| multi-kyverno | 1.0.0 | Open |
| Docker image | Version | Pull-command |
|---|---|---|
| yandex-cloud/marketplace/kyvernopre | v1.6.3 | |
| yandex-cloud/marketplace/kyverno | v1.6.3 | |
| yandex-cloud/marketplace/kyvernopre | v1.7.5 | |
| yandex-cloud/marketplace/kyverno | v1.7.5 | |
| yandex-cloud/marketplace/kyvernopre | v1.8.5 | |
| yandex-cloud/marketplace/kyverno | v1.8.5 | |
| yandex-cloud/marketplace/kyvernopre | v1.9.2 | |
| yandex-cloud/marketplace/kyverno | v1.9.2 | |
| yandex-cloud/marketplace/cleanup-controller | v1.9.2 | |
| yandex-cloud/marketplace/bitnami/kubectl | 1.27.2 | |
| yandex-cloud/marketplace/busybox | 1.36.1 |
