Kubernetes

Kyverno - Kubernetes Native Policy Management

DevelopC 2022. 10. 21. 09:28

  • An add-on that lets you manage Kubernetes policies through the ClusterPolicy custom resource.
  • It runs as a Kubernetes dynamic admission controller and operates as both a validating admission webhook and a mutating admission webhook.
  • It can validate resources, change the configuration of Kubernetes resources, and add specific resources.
  • By registering a ClusterPolicy, you can change the configuration of Kubernetes resources deployed from a Helm chart, kustomize, or plain YAML files without modifying the chart, kustomization, or YAML files themselves.

Example ClusterPolicy

You can write your own ClusterPolicy, and the Kyverno documentation also provides many ready-made examples.

Require Limits and Requests

If the CPU/memory requests and limits are not specified, the Pod is not admitted.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
  annotations:
    policies.kyverno.io/title: Require Limits and Requests
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      As application workloads share cluster resources, it is important to limit resources
      requested and consumed by each Pod. It is recommended to require resource requests and
      limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
      defaults will automatically be applied to each Pod based on the LimitRange configuration.
      This policy validates that all containers have something specified for memory and CPU
      requests and memory limits.      
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-resources
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "CPU and memory resource requests and limits are required."
      pattern:
        spec:
          containers:
          - resources:
              requests:
                memory: "?*"
                cpu: "?*"
              limits:
                memory: "?*"
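To see what the pattern above actually checks, here is an added example (not Kyverno's own code) that models the subset of Kyverno's pattern semantics this policy relies on: nested maps, a single-element list pattern that every container must satisfy, and the "?*" wildcard meaning "any non-empty value". It also models the effect of validationFailureAction: with audit, as in the policy above, a violation is only reported and the Pod is still admitted; only enforce rejects the admission request. The Pod manifests and the evaluate helper are constructed for illustration.

```python
"""Simplified model of a Kyverno ``validate.pattern`` check (added example)."""
import fnmatch
from typing import Any

# The validate pattern from the require-requests-limits policy.
REQUIRE_RESOURCES_PATTERN: dict = {
    "spec": {
        "containers": [
            {
                "resources": {
                    "requests": {"memory": "?*", "cpu": "?*"},
                    "limits": {"memory": "?*"},
                }
            }
        ]
    }
}
VIOLATION_MESSAGE = "CPU and memory resource requests and limits are required."


def _value_matches(pattern: str, value: Any) -> bool:
    # Kyverno wildcards: "*" matches any string (including empty), "?" exactly
    # one character. "?*" therefore means "at least one character", i.e. the
    # field must be present and non-empty. A missing field never matches.
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value), pattern)


def matches_pattern(pattern: Any, resource: Any) -> bool:
    """Return True if ``resource`` satisfies ``pattern``.

    - dict: every key in the pattern must exist in the resource and match
    - list: every element of the resource list must match the single pattern
      element (this is why one container entry covers all containers)
    - scalar: compared with wildcard matching
    """
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        return all(
            key in resource and matches_pattern(sub, resource[key])
            for key, sub in pattern.items()
        )
    if isinstance(pattern, list):
        if not isinstance(resource, list) or not pattern:
            return False
        return all(any(matches_pattern(p, item) for p in pattern) for item in resource)
    return _value_matches(str(pattern), resource)


def evaluate(validation_failure_action: str, pod: dict) -> dict:
    """Check a Pod against the pattern and report the admission outcome.

    ``validation_failure_action`` mirrors spec.validationFailureAction:
    "audit" only records the violation (Pod admitted), "enforce" rejects it.
    """
    compliant = matches_pattern(REQUIRE_RESOURCES_PATTERN, pod)
    admitted = compliant or validation_failure_action.lower() == "audit"
    return {
        "compliant": compliant,
        "admitted": admitted,
        "message": None if compliant else VIOLATION_MESSAGE,
    }


# Constructed sample Pods (not from the original post).
GOOD_POD = {"spec": {"containers": [
    {"name": "app", "image": "nginx",
     "resources": {"requests": {"memory": "64Mi", "cpu": "250m"},
                   "limits": {"memory": "128Mi"}}},
]}}
# Second container has no resources block at all, so the whole Pod violates.
BAD_POD = {"spec": {"containers": [
    GOOD_POD["spec"]["containers"][0],
    {"name": "sidecar", "image": "busybox"},
]}}

if __name__ == "__main__":
    for action in ("audit", "enforce"):
        print(action, "good:", evaluate(action, GOOD_POD))
        print(action, "bad: ", evaluate(action, BAD_POD))
```

Running it shows the point that matters operationally: with the policy exactly as written (audit), the sidecar without resources is still admitted and only a PolicyReport entry is produced; switching to enforce is what makes the admission webhook reject it.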

Add Default securityContext

Adds a securityContext to every Pod.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
  annotations:
    policies.kyverno.io/title: Add Default securityContext
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod.
      Sometimes choosing default values for users rather than blocking is a better alternative to not impede
      such Pod definitions. This policy will mutate a Pod to set `runAsNonRoot`, `runAsUser`, `runAsGroup`, and `fsGroup` fields
      within the Pod securityContext if they are not already set.      
spec:
  rules:
  - name: add-default-securitycontext
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            +(runAsNonRoot): true
            +(runAsUser): 1000
            +(runAsGroup): 3000
            +(fsGroup): 2000
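The +(...) prefix is Kyverno's "add if not present" anchor: the field is set only when the Pod does not already define it, so values chosen explicitly in a manifest are never overwritten. The following added example (not Kyverno's own code) models that behaviour for the patchStrategicMerge above; it covers only nested maps and the +(key) anchor, not conditional anchors, list merging or JSON patches. The sample Pod specs are constructed.

```python
"""Simplified model of a Kyverno ``patchStrategicMerge`` with ``+()`` anchors (added example)."""
import copy
import re
from typing import Any

ADD_IF_ABSENT = re.compile(r"^\+\((.+)\)$")  # matches keys like "+(runAsUser)"

# The mutate patch from the add-default-securitycontext policy.
SECURITY_CONTEXT_PATCH: dict = {
    "spec": {
        "securityContext": {
            "+(runAsNonRoot)": True,
            "+(runAsUser)": 1000,
            "+(runAsGroup)": 3000,
            "+(fsGroup)": 2000,
        }
    }
}


def apply_patch(patch: dict, resource: dict) -> dict:
    """Return a copy of ``resource`` with ``patch`` merged in.

    Plain keys are merged recursively (map semantics of a strategic merge);
    a ``+(key)`` entry sets ``key`` only when the resource lacks it.
    """
    out = copy.deepcopy(resource)
    for key, value in patch.items():
        anchor = ADD_IF_ABSENT.match(key)
        if anchor:
            real_key = anchor.group(1)
            if real_key not in out:          # present -> leave untouched
                out[real_key] = copy.deepcopy(value)
            continue
        if isinstance(value, dict):
            existing = out.get(key)
            out[key] = apply_patch(value, existing if isinstance(existing, dict) else {})
        else:
            out[key] = copy.deepcopy(value)
    return out


def mutated_security_context(pod: dict) -> dict:
    """Convenience accessor: the Pod-level securityContext after mutation."""
    return apply_patch(SECURITY_CONTEXT_PATCH, pod)["spec"]["securityContext"]


# Constructed sample Pods (not from the original post).
POD_WITHOUT_CONTEXT = {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}
POD_WITH_USER = {"spec": {
    "securityContext": {"runAsUser": 10001},     # explicitly chosen by the author
    "containers": [{"name": "app", "image": "nginx"}],
}}

if __name__ == "__main__":
    print(mutated_security_context(POD_WITHOUT_CONTEXT))
    print(mutated_security_context(POD_WITH_USER))
```

One operational caveat when rolling this out: forcing runAsNonRoot: true onto a Pod whose image is built to run as UID 0 makes the kubelet refuse to start the container, so run the policy against existing workloads (for example with background: true and a PolicyReport review) before relying on the mutation cluster-wide.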

Install

Install using the Helm chart. replicaCount is set to 3 so that Kyverno runs in an HA configuration.

# values.yaml

replicaCount: 3

podAntiAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: app.kubernetes.io/name
          operator: In
          values:
          - kyverno
      topologyKey: kubernetes.io/hostname

$ helm repo add kyverno https://kyverno.github.io/kyverno/
$ helm repo update
$ helm install kyverno kyverno/kyverno -n kyverno -f values.yaml --create-namespace

References

  • Kyverno: Kyverno is a policy engine designed for Kubernetes (kyverno.io)
  • Policies: Kyverno policy library (kyverno.io)