Open source, easy to use, and efficient, Kyverno ensures that good security practices are respected at runtime in Kubernetes.
While most workload security checks should happen as early as possible, ideally in CI/CD, policy enforcement integrated directly into the Kubernetes admission process ensures compliance with best practices at deployment time.
As Kubernetes is a critical part of the infrastructure, good security practices have to be enforced on it. Natively, the Kubernetes control plane offers no way to define fine-grained custom security policies (Pod Security Admission, available since 1.25, only provides basic management).
Kyverno is a policy engine for Kubernetes. Its strength lies in the simplicity of writing policies in YAML. Holding Incubating status in the CNCF incubator since 2020, Kyverno has seen strong traction compared with its main competitor, OPA Gatekeeper.
Built on Kubernetes validating and mutating admission webhooks, the tool ships a wide range of pre-written policies: for example, requiring resource requests and limits on every pod, or forbidding the creation of privileged pods.
Kyverno also offers an elegant way to add security configuration on the fly through mutating webhooks:
- Add an HTTP proxy as a pod environment variable
- Create RBAC rights dynamically when creating a namespace
However, we advise limiting the use of mutation policies, which can hinder understanding during incidents: since the resource is no longer fully defined as code, whoever is debugging must be aware of this mechanism.
Warning: like every tool that relies on Kubernetes admission webhooks, Kyverno can become a single point of failure (SPOF) when its failurePolicy is set to Fail: if Kyverno is down, the API server cannot validate requests and therefore rejects every one of them. A good practice is to exclude critical namespaces such as kube-system so that they are never blocked.
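To make the two policy examples above and the kube-system advice concrete, here is an added Kyverno ClusterPolicy (written for this page, not taken from the Kyverno project) with one rule forbidding privileged containers and one requiring requests and limits; the policy and rule names are hypothetical, and both rules exclude kube-system.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-security   # hypothetical policy name
spec:
  # Enforce rejects non-compliant requests at admission; Audit would only report them.
  validationFailureAction: Enforce
  background: true   # also scan existing resources; results go to PolicyReports
  rules:
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds: [Pod]
      # Skip the cluster's critical namespace so a policy mistake cannot block its components.
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(initContainers):   # =() anchor: validate the value only if the field exists
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    - name: require-requests-and-limits
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "CPU/memory requests and a memory limit are required on every container."
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"      # "?*" means present with any non-empty value
                    memory: "?*"
                  limits:
                    memory: "?*"
```

Note that `exclude` only stops these rules from evaluating kube-system objects; keeping the API server from calling the Kyverno webhook at all for that namespace, which is what the warning above requires, is a setting in Kyverno's own webhook configuration rather than in a policy.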