AKS | Kyverno

Bonjour,

Dans cet article, je vais vous présenter un autre « policy engine » pour Kubernetes. Dans un précédent article, j’avais pu vous présenter la solution OPA Gatekeeper. Dans cet article, nous porterons une attention particulière au projet Kyverno. Ce projet est supporté par la CNCF Foundation dans la catégorie « Sandbox ».

Les principaux avantages d’utiliser la solution Kyverno versus OPA Gatekeeper sont:

  • Ne pas ré-apprendre un nouveau langage, les policies Kyverno sont des resources Kubernetes. Comme pour OPA Gatekeeper, ces policies peuvent être déployées en mode « audit » ou « enforce ».
  • En plus de la validation, Kyverno supporte également la mutation et la génération de resources.

Dans cet exemple, je vous présente comment déployer la solution Kyverno ainsi que comment créer et déployer une policy qui a comme objectif de forcer l’application d’un label lors de la création d’un resource group. J’avais pu vous présenter un exemple similaire au sein de l’article: AKS | OPA

Déployer Kyverno:

max@Azure:~$ kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
 namespace/kyverno created
 customresourcedefinition.apiextensions.k8s.io/clusterpolicies.kyverno.io created
 customresourcedefinition.apiextensions.k8s.io/clusterpolicyreports.wgpolicyk8s.io created
 customresourcedefinition.apiextensions.k8s.io/clusterreportchangerequests.kyverno.io created
 customresourcedefinition.apiextensions.k8s.io/generaterequests.kyverno.io created
 customresourcedefinition.apiextensions.k8s.io/policies.kyverno.io created
 customresourcedefinition.apiextensions.k8s.io/policyreports.wgpolicyk8s.io created
 customresourcedefinition.apiextensions.k8s.io/reportchangerequests.kyverno.io created
 serviceaccount/kyverno-service-account created
 clusterrole.rbac.authorization.k8s.io/kyverno:admin-policies created
 clusterrole.rbac.authorization.k8s.io/kyverno:admin-policyreport created
 clusterrole.rbac.authorization.k8s.io/kyverno:admin-reportchangerequest created
 clusterrole.rbac.authorization.k8s.io/kyverno:customresources created
 clusterrole.rbac.authorization.k8s.io/kyverno:generatecontroller created
 clusterrole.rbac.authorization.k8s.io/kyverno:policycontroller created
 clusterrole.rbac.authorization.k8s.io/kyverno:userinfo created
 clusterrole.rbac.authorization.k8s.io/kyverno:webhook created
 clusterrolebinding.rbac.authorization.k8s.io/kyverno:customresources created
 clusterrolebinding.rbac.authorization.k8s.io/kyverno:generatecontroller created
 clusterrolebinding.rbac.authorization.k8s.io/kyverno:policycontroller created
 clusterrolebinding.rbac.authorization.k8s.io/kyverno:userinfo created
 clusterrolebinding.rbac.authorization.k8s.io/kyverno:webhook created
 configmap/init-config created
 service/kyverno-svc created
 deployment.apps/kyverno created

Créer notre policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
   name: require-ns-labels
spec:
   validationFailureAction: enforce
   rules:
    - name: require-ns-labels
      match:
        resources:
          kinds:
            - Namespace
      validate:
        message: "The label my-app is required."
        pattern:
          metadata:
            labels:
              my-app: "?*"
max@Azure:~/clouddrive$ kubectl apply -f ns-label.yaml
clusterpolicy.kyverno.io/require-ns-labels created

Test:

max@Azure:~/clouddrive$ kubectl create namespace maxime
Error from server: admission webhook "validate.kyverno.svc" denied the request:

resource Namespace//maxime was blocked due to the following policies

require-ns-labels:
  require-ns-labels: 'validation error: The label my-app is required. Rule require-ns-labels failed at path /metadata/labels/'

max@Azure:~/clouddrive$ kubectl apply -f namespace.yaml
 namespace/maxime created

 max@Azure:~/clouddrive$ kubectl get ns --show-labels
 NAME              STATUS   AGE     LABELS
 default           Active   31m     
 kube-node-lease   Active   31m     
 kube-public       Active   31m     
 kube-system       Active   31m     addonmanager.kubernetes.io/mode=Reconcile,control-plane=true,kubernetes.io/cluster-service=true
 kyverno           Active   20m     
 maxime            Active   2m36s   my-app=maxapp

Lister les policies:

max@Azure:~/clouddrive$ kubectl get cpol
 NAME                BACKGROUND   ACTION
 require-ns-labels   true         enforce

max@Azure:~/clouddrive$ kubectl describe cpol require-ns-labels
 Name:         require-ns-labels
 Namespace:
 Labels:       
 Annotations:  pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
 API Version:  kyverno.io/v1
 Kind:         ClusterPolicy
 Metadata:
   Creation Timestamp:  2020-12-31T20:39:24Z
   Generation:          1
   Managed Fields:
     API Version:  kyverno.io/v1
     Fields Type:  FieldsV1
     fieldsV1:
       f:metadata:
         f:annotations:
           .:
           f:kubectl.kubernetes.io/last-applied-configuration:
       f:spec:
         .:
         f:validationFailureAction:
     Manager:      kubectl-client-side-apply
     Operation:    Update
     Time:         2020-12-31T20:39:24Z
     API Version:  kyverno.io/v1
     Fields Type:  FieldsV1
     fieldsV1:
       f:spec:
         f:rules:
       f:status:
         .:
         f:averageExecutionTime:
         f:resourcesBlockedCount:
         f:ruleStatus:
         f:rulesAppliedCount:
         f:rulesFailedCount:
     Manager:         kyverno
     Operation:       Update
     Time:            2020-12-31T20:46:35Z
   Resource Version:  4981
   Self Link:         /apis/kyverno.io/v1/clusterpolicies/require-ns-labels
   UID:               0c6e3e76-307b-4f6e-884c-73708e740bde
 Spec:
   Background:  true
   Rules:
     Match:
       Resources:
         Kinds:
           Namespace
     Name:  require-ns-labels
     Validate:
       Message:  The label my-app is required.
       Pattern:
         Metadata:
           Labels:
             My - App:         ?*
   Validation Failure Action:  enforce
 Status:
   Average Execution Time:   165.212µs
   Resources Blocked Count:  2
   Rule Status:
     Applied Count:            2
     Average Execution Time:   165.212µs
     Failed Count:             2
     Resources Blocked Count:  2
     Rule Name:                require-ns-labels
   Rules Applied Count:        2
   Rules Failed Count:         2
 Events:                       

Supprimer une policy:

max@Azure:~/clouddrive$ kubectl delete cpol require-ns-labels
clusterpolicy.kyverno.io "require-ns-labels" deleted
maxl@Azure:~/clouddrive$ kubectl get cpol
No resources found

Créer une policy en audit mode:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
   name: audit-ns-labels
spec:
   validationFailureAction: audit
   rules:
    - name: audit-ns-labels
      match:
        resources:
          kinds:
            - Namespace
      validate:
        message: "The label my-app is required."
        pattern:
          metadata:
            labels:
              my-app: "?*"


max@Azure:~/clouddrive$ kubectl apply -f ns-label.yaml
clusterpolicy.kyverno.io/require-ns-labels created

max@Azure:~/clouddrive$ kubectl create namespace maxime
namespace/maxime created

max@Azure:~/clouddrive$ kubectl get cpol
NAME              BACKGROUND   ACTION
audit-ns-labels   true         audit

max@Azure:~/clouddrive$ kubectl describe cpol audit-ns-labels
 Name:         audit-ns-labels
 Namespace:
 Labels:       
 Annotations:  pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
 API Version:  kyverno.io/v1
 Kind:         ClusterPolicy
 Metadata:
   Creation Timestamp:  2020-12-31T21:02:50Z
   Generation:          1
   Managed Fields:
     API Version:  kyverno.io/v1
     Fields Type:  FieldsV1
     fieldsV1:
       f:metadata:
         f:annotations:
           .:
           f:kubectl.kubernetes.io/last-applied-configuration:
       f:spec:
         .:
         f:validationFailureAction:
     Manager:      kubectl-client-side-apply
     Operation:    Update
     Time:         2020-12-31T21:02:50Z
     API Version:  kyverno.io/v1
     Fields Type:  FieldsV1
     fieldsV1:
       f:spec:
         f:rules:
       f:status:
         .:
         f:averageExecutionTime:
         f:ruleStatus:
         f:rulesFailedCount:
     Manager:         kyverno
     Operation:       Update
     Time:            2020-12-31T21:04:35Z
   Resource Version:  7592
   Self Link:         /apis/kyverno.io/v1/clusterpolicies/audit-ns-labels
   UID:               13bc5039-f6ac-4214-aa1a-40ddd932b39c
 Spec:
   Background:  true
   Rules:
     Match:
       Resources:
         Kinds:
           Namespace
     Name:  audit-ns-labels
     Validate:
       Message:  The label my-app is required.
       Pattern:
         Metadata:
           Labels:
             My - App:         ?*
   Validation Failure Action:  audit
 Status:
   Average Execution Time:  26.002µs
   Rule Status:
     Average Execution Time:  26.002µs
     Failed Count:            2
     Rule Name:               audit-ns-labels
   Rules Failed Count:        2
 Events:                      

Vous pouvez retrouver une suite d’exemples de policies à l’adresse ci-dessous: https://github.com/kyverno/kyverno/tree/main/samples

En conclusion, nous pouvons constater que Kyverno est une solution très intéressante et simple d’utilisation. A noter qu’une fonctionnalité de reporting est en cours de développement. Je reviendrai vous présenter cette fonctionnalité dans un prochain article.

Maxime.

Démarrez une conversation

Votre adresse e-mail ne sera pas publiée.