Kyverno is a policy engine designed specifically for Kubernetes. Kyverno allows platform teams to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.
Kyverno runs as a dynamic admission controller in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests. Kyverno policies can match resources using the resource kind, name, and label selectors.
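The scan-versus-enforce distinction above comes down to one field in a Kyverno policy. The following shell function is an added example (not part of this tutorial or of the Kyverno project) that writes a minimal ClusterPolicy requiring a "team" label on every Pod; the function name, the policy name and the output paths are assumptions made here, while the manifest fields follow the kyverno.io/v1 ClusterPolicy schema.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the Kyverno project):
# writes a Kyverno ClusterPolicy that requires a "team" label on every Pod.
# The first argument selects the failure action, which is the difference
# between scanning and enforcing:
#   Audit   - admission is allowed; violations are only recorded in PolicyReports
#   Enforce - the admission request is rejected by the Kyverno webhook
# background: true additionally makes Kyverno report violations on workloads
# that already exist in the cluster (the "scan existing workloads" use case).
write_require_team_label_policy() {
  mode=$1
  out=$2
  case "$mode" in
    Audit|Enforce) ;;
    *) echo "validationFailureAction must be Audit or Enforce, got '$mode'" >&2; return 1 ;;
  esac
  [ -n "$out" ] || { echo "usage: write_require_team_label_policy <Audit|Enforce> <file>" >&2; return 1; }
  cat > "$out" <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label
spec:
  validationFailureAction: $mode
  background: true
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The label 'team' is required on all Pods."
        pattern:
          metadata:
            labels:
              team: "?*"
EOF
}

# Stand-alone run: write both variants so they can be compared side by side.
# Apply one of them with `kubectl apply -f <file>` on a cluster where the
# kyverno add-on from this tutorial is already running.
OUT_DIR=${TMPDIR:-/tmp}
write_require_team_label_policy Audit   "$OUT_DIR/require-team-label-audit.yaml"
write_require_team_label_policy Enforce "$OUT_DIR/require-team-label-enforce.yaml"
echo "wrote $OUT_DIR/require-team-label-audit.yaml and $OUT_DIR/require-team-label-enforce.yaml"
```

Start with Audit and read the generated PolicyReports before switching the same policy to Enforce: in Audit mode nothing is blocked, so you learn which existing workloads would fail without interrupting them.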
What Will You Do¶
In this exercise,
- You will create a cluster blueprint with a "kyverno" add-on
- You will then apply this cluster blueprint to a managed cluster
This tutorial describes the steps to create and use a Kyverno based blueprint using the Web Console. The entire workflow can also be fully automated and embedded into an automation pipeline. It assumes that you have already provisioned or imported a Kubernetes cluster using the controller.
Step 1: Create Kyverno add-on using System Catalog¶
- Log in to the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
- Under Infrastructure, select "Namespaces" and create a new namespace called "kyverno"
- Under Infrastructure, select "Add-ons"
- Click New Add-on and select the Create New Add-on from Catalog option
- Search for kyverno in the Catalog
- Select kyverno and create a new add-on called "kyverno"
- Select the namespace as "kyverno"
- Click CREATE to go to the next step
- Select "New Version" and name it "v2.6.1"
- Click "SAVE CHANGES"
Step 2: Create Blueprint¶
Now, we are ready to assemble a custom cluster blueprint.
- Under Infrastructure, select "Blueprints"
- Create a new blueprint and provide a name/version
- Under Add-Ons, select "ADD MORE" and choose the "kyverno" add-on created as part of Step 1
- Click "SAVE CHANGES"
Step 3: Apply Blueprint¶
Now, we are ready to apply this blueprint to a cluster.
- Click on Options for the target Cluster in the Web Console
- Select "Update Blueprint" and select the blueprint and the version from the dropdown
- Click on "Save and Publish"
This will start the deployment of the add-on configured in the blueprint to the targeted cluster. The blueprint sync process can take a few minutes. Once complete, the cluster will display the current cluster blueprint details and whether the sync was successful or not.
Step 4: Verify Deployment¶
Users can optionally verify whether the correct resources have been created on the cluster.
- Click on the Kubectl button on the cluster to open a virtual terminal
First, we will verify that the kyverno namespace has been created
kubectl get ns kyverno
Next, we will verify that the pods in the "kyverno" namespace are healthy
kubectl get po -n kyverno
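Reading the pod list by eye is fine in the virtual terminal, but when the blueprint is applied from a pipeline you want the same check as a pass/fail gate. The script below is an added example (not part of this tutorial): it parses the output of the kubectl command above, as given on stdin, and fails unless every pod in the namespace is Running with all containers ready. The function name and the sample pod listings are constructed here and are not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a readiness gate for the
# kyverno namespace that can run after a blueprint sync, e.g. in a pipeline.
# It reads the output of `kubectl get po -n kyverno --no-headers` on stdin
# (columns: NAME READY STATUS RESTARTS AGE) and returns 0 only when every pod
# is Running with all of its containers ready. Pods that belong to finished
# Jobs show STATUS Completed and are ignored.
kyverno_pods_ready() {
  rc=0
  seen=0
  while read -r name ready status _rest; do
    [ -z "$name" ] && continue
    [ "$status" = "Completed" ] && continue
    seen=$((seen + 1))
    have=${ready%/*}   # containers that are ready
    want=${ready#*/}   # containers in the pod
    if [ "$status" != "Running" ] || [ "$have" != "$want" ] || [ "$want" = "0" ]; then
      echo "NOT READY: $name  READY=$ready STATUS=$status" >&2
      rc=1
    fi
  done
  if [ "$seen" -eq 0 ]; then
    echo "no kyverno pods found (is the blueprint sync complete?)" >&2
    return 1
  fi
  return $rc
}

# Constructed sample listings (not captured from a real cluster), in the
# format of `kubectl get po -n kyverno --no-headers`.
SAMPLE_HEALTHY='kyverno-7d9b5c6f4-x2k9q   1/1   Running   0   3m
kyverno-7d9b5c6f4-mq7zl   1/1   Running   0   3m'
SAMPLE_BROKEN='kyverno-7d9b5c6f4-x2k9q   1/1   Running            0   3m
kyverno-7d9b5c6f4-mq7zl   0/1   CrashLoopBackOff   4   3m'

# Stand-alone demo. Against a real cluster, replace the printf with:
#   kubectl get po -n kyverno --no-headers | kyverno_pods_ready
if printf '%s\n' "$SAMPLE_HEALTHY" | kyverno_pods_ready; then
  echo "sample 1: kyverno is ready"
fi
if printf '%s\n' "$SAMPLE_BROKEN" | kyverno_pods_ready; then
  echo "sample 2: unexpectedly ready"
else
  echo "sample 2: not ready (expected)"
fi
```

Healthy pods alone do not prove that admission control is active; once the gate passes, also confirm that Kyverno's validating and mutating webhook configurations are registered with the API server (for example, kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations and look for the kyverno entries), since a cluster with Kyverno pods but no webhooks will silently admit everything.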
Congratulations! You have successfully created a custom cluster blueprint with the "kyverno" add-on and applied it to a cluster.