Kubernetes was made to reduce complexity while deploying production-ready applications. However, just like every other piece of brilliant technology, as the use-cases grew, managing Kubernetes clusters itself started becoming a complex task. One of these complexities that arose was managing configurations in a cluster. To simplify managing your K8s cluster, I want to introduce you to Kyverno.
So, let’s get started!
Kyverno, which is Greek for “govern”, is a policy engine designed for Kubernetes.
But what is a “policy engine”?
Kubernetes has four main categories for policies: Limit Ranges, Resource Quotas, Pod Security Policies, and Process ID Limits and Reservations.
To understand what a policy engine does, let’s first look at what Pod Security Policies are. Pod Security Policies are described as follows in the official Kubernetes documentation:
“A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. Pod Security Policies enable fine-grained authorization of pod creation and updates.”
Policy engines take this one step further by not only giving you a far greater amount of options, but also allowing you to extend this fine-grained control beyond pods to other Kubernetes resources as well.
To put this in straightforward terms, Kyverno allows you to define policies that can validate, mutate, and generate Kubernetes resources.
And you know what’s even cooler?
Kyverno allows you to do this using the same familiar declarative approach of writing YAML files and a similar syntax as your Kubernetes resource definitions. This means the learning curve is practically nonexistent for K8s users!
Now that we have an idea of “what” Kyverno is, we can start to understand why it is a really effective tool to have in your arsenal when fighting against the challenges of managing a Kubernetes cluster. Kyverno was created to simplify validating and/or enforcing best practices for configurations in K8s clusters.
For those of you familiar with other policy engines, like Open Policy Agent (OPA), you might wonder why you’d want to use Kyverno. The reason is simple: it’s the Kubernetes-native approach!
Let’s explain this in more detail. Anyone working with Kubernetes is familiar (and probably in love) with the simple declarative approach K8s takes of writing YAML files. Kyverno, too, believes in this ideology of keeping things simple and uses the same approach of writing YAML files to define your policies. This is in contrast to other engines like OPA for which one would have to learn Rego, which has quite a learning curve.
So to sum it up, Kyverno is easy to learn and use, yet extremely powerful!
Let’s go a bit into the technical side of things and show you how Kyverno works Kyverno relies on Kubernetes Admission Controllers. If you’re not familiar with admission controllers, you can think of them as a sort of a checkpoint for Kubernetes API requests. At these checkpoints, the API requests can be mutated and/or validated/blocked.
Kubernetes comes with several built-in admission controllers, but the two that are relevant to Kyverno are ValidatingAdmissionWebhooks
and MutatingAdmissionWebhooks
. These two admission controllers receive an action from the REST endpoint of a service running inside the cluster that is Kyverno. Based on this received action, these admission controllers mutate or validate the API request as needed.
To make the whole picture extremely clear, think of it this way: the two admission controllers mentioned above receive an API request, they then send this request to Kyverno which, based on the policies you have written, decides what to do and sends this decision as a response to these controllers. The controllers then actually perform the action that needs to be taken.
Interesting, right?
Even more interesting is that these policies you write in Kyverno are a Custom Resource. For those not familiar, custom resources are a way to extend Kubernetes by introducing a new object type. You can look at the schemas of the Custom Resources that Kyverno creates using the kubectl explain
command.
For example, to view the Kyverno policy schema, you can run:
kubectl explain policy.spec
From a top-level view, you can look at Kyverno as a tool for managing your Kubernetes configurations with the help of policies. These policies can set the rules, validate any requests that the API Server receives, and mutate the incoming Kubernetes object as part of the request. All of this happens in the familiar declarative Kubernetes way.
Due to the simplicity of Kyverno, you can use it on clusters of any size to make your life easier. You will particularly see Kyverno shine on complex clusters where a lot of configuration is required. In your clusters, Kyverno policies can help you by providing the defaults for a configuration and/or make sure you don’t mistakenly end up creating resources that aren’t following best practices.
There is a set of policies that
Kyverno was developed by Nirmata, who provides cloud-based Kubernetes management platforms. The goal was to accelerate the adoption of Kubernetes, which is only possible when it is easy to manage complex configurations.
In November 2020, Kyverno joined the Cloud Native Computing Foundation (CNCF) as a Sandbox project. Being a part of the CNCF was a step towards seeing more involvement from the community and towards greater adoption of Kyverno as the de facto way of managing Kubernetes configurations.
There are many amazing things about Kyverno, but we almost forgot to mention the best one.
It’s open-source!
If you have some ideas or suggestions, you can open up issues related to them on the Kyverno repo. You can also join the Kyverno slack channel and chat with the maintainers and other Kyverno community members. You can also join us at any one of the monthly Kyverno community meetings!
Kyverno has been rapidly growing and we would appreciate it a lot if you could star the project on GitHub and share it with others who might find it useful.
If you want to contribute code, you can get started with some of the “good first issues” on the repository. Kyverno comes with excellent documentation and support from the maintainers and other community members.