Installing Kyverno & Kyverno Policies
Kyverno policies are managed as Kubernetes resources, so you can work with them using familiar tools such as kubectl, git, and kustomize. You can use the Kyverno command line interface to test policies and validate resources as part of the CI/CD pipeline.
The Kyverno Policies extension installs a ready-made set of policies, including the Pod Security Standard profiles selected during installation. You can send notifications from Kyverno to other systems using the Policy Reporter extension.
Tip
To find vulnerabilities in Kubernetes clusters, use Chaos Mesh. Vulnerability detection will help you configure security policies.
Getting started
Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
Installation using Yandex Cloud Marketplace
- Go to the folder page and select Managed Service for Kubernetes.
- Click the Managed Service for Kubernetes cluster name and select the Marketplace tab.
- Under Application available for installation, select Kyverno & Kyverno Policies and click Go to install.
- Configure the application:
  - Namespace: Select or create a namespace for Kyverno. Make sure it contains no applications or objects; otherwise, Kyverno will not run properly.
  - Application name: Specify the app name.
  - Activating Kyverno Policies: Select to install the Kyverno Policies extension.
  - Pod Security Standard profile: Select a Pod Security Standard profile:
    - baseline: Policy with minimum restrictions that prevents known privilege escalations.
    - restricted: Policy with severe restrictions in line with current pod hardening best practices.
    - privileged: Unrestricted policy granting maximum privileges.
  - Validation failure action: Select how Kyverno responds when a policy is violated:
    - audit: Report the violation only.
    - enforce: Block the request.
- Click Install.
- Wait for the application's status to change to Deployed.
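The Pod Security Standard profile and the validation failure action chosen above are, in the end, just fields of Kyverno policy objects, and the Kyverno CLI mentioned at the top of the page can check a resource against such a policy before anything reaches the cluster. The following added example, which is not code from this page or from the Kyverno project, writes a ClusterPolicy that rejects privileged containers (one of the baseline profile's controls) with a chosen validation failure action, writes a sample Pod, and runs `kyverno apply` on the pair when the CLI is available. The policy name, file names, Pod spec and the `Audit`/`Enforce` spelling (used by Kyverno 1.7 and later; older releases spell it `audit`/`enforce`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Yandex Cloud page or from the Kyverno project.
# It writes a Kyverno ClusterPolicy that rejects privileged containers (one of the
# controls in the baseline Pod Security Standard), parameterised by the validation
# failure action, plus a sample Pod, then checks the Pod against the policy with the
# Kyverno CLI when it is installed. The policy name, file names and Pod spec are
# assumptions made for this example.

# Emit a ClusterPolicy to stdout. $1 is the validation failure action.
# Kyverno 1.7+ spells it Audit or Enforce; older releases used audit/enforce.
write_policy() {
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: $1
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed (baseline Pod Security Standard)."
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
EOF
}

# Emit a single-container Pod to stdout. $1 is the value of securityContext.privileged.
write_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: app
      image: nginx:1.25
      securityContext:
        privileged: $1
EOF
}

# Read a policy on stdin and print its validation failure action.
policy_action() {
  sed -n 's/^  validationFailureAction: //p'
}

# Write both manifests to a temporary directory and run `kyverno apply` on them.
# $1 = Audit|Enforce, $2 = true|false. Without the CLI the files are only generated
# and left in place so they can be inspected.
dry_run() {
  dir=$(mktemp -d)
  write_policy "$1" > "$dir/policy.yaml"
  write_pod "$2" > "$dir/pod.yaml"
  if command -v kyverno >/dev/null 2>&1; then
    # Prints a pass/fail result for each rule applied to the resource.
    kyverno apply "$dir/policy.yaml" --resource "$dir/pod.yaml"
  else
    echo "kyverno CLI not found; manifests written to $dir"
  fi
}

dry_run Enforce true
```

With `privileged: true` the Pod fails the rule; switching the action between `Audit` and `Enforce` does not change the CLI verdict, only what the admission controller does with it in the cluster (report versus block), which is why the same policy can be run in audit mode first and promoted to enforce once the reports are clean.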
Installation using a Helm chart
- Install Helm v3.7.0 or higher.
- Install kubectl and configure it to work with the created cluster.
- To install a Helm chart with Kyverno, run the following command:

```shell
export HELM_EXPERIMENTAL_OCI=1 && \
helm pull oci://cr.yandex/yc-marketplace/multi-kyverno \
  --version 1.0.0 \
  --untar && \
helm install \
  --namespace <namespace> \
  --create-namespace \
  multi-kyverno ./multi-kyverno/
```

Select a namespace that does not contain any applications or objects; otherwise, Kyverno will not run properly.
Application versions
Each Kubernetes version is supported by a specific Kyverno version. The matching Kyverno version is installed by default, depending on the Kubernetes version of your cluster.
Kubernetes version | Kyverno version | Documentation |
---|---|---|
1.21 or older | 1.6 | Kyverno 1.6 documentation |
1.22 | 1.7 | Kyverno 1.7 documentation |
1.23 | 1.8 | Kyverno 1.8 documentation |
1.24 and higher | 1.9 | Kyverno 1.9 documentation |
Deleting the application
If you no longer need the Kyverno application, delete it:
Yandex Cloud Marketplace
- Go to the folder page and select Managed Service for Kubernetes.
- Click the Kubernetes cluster name and select the Marketplace tab.
- Under Installed applications, in the Kyverno & Kyverno Policies line, open the menu and click Uninstall.
- Connect to the cluster using kubectl.
- Clear the application's webhook configurations; otherwise, the cluster will not run properly.

Helm chart
- Connect to the cluster using kubectl.
- Delete the application:

```shell
helm uninstall --namespace <namespace> multi-kyverno
```

- Clear the application's webhook configurations; otherwise, the cluster will not run properly.
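The reason the webhook cleanup step matters is that uninstalling the release removes the Kyverno service but not the cluster-scoped ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects that point at it; any remaining webhook with `failurePolicy: Fail` then makes the API server reject the requests it covers. The following added example, which is not code from this page or from the Kyverno project, lists the leftover configurations and deletes them, with a dry-run mode. Selecting them by the `kyverno` name prefix is an assumption based on how the Kyverno Helm chart names its webhooks, and the sample listing is constructed for the offline check.

```shell
#!/bin/sh
# Added example, not code from the Yandex Cloud page or from the Kyverno project.
# After the Kyverno release is removed, its admission webhook configurations stay
# behind and still point at a service that no longer exists; this script lists
# and deletes them. Selecting by the "kyverno" name prefix is an assumption based
# on the names the Kyverno Helm chart gives its webhooks.

# Select Kyverno webhook configurations from `kubectl get ... -o name` lines
# (kind.group/name). Reads stdin so it can be tested without a cluster.
select_kyverno_webhooks() {
  grep -E '^(validating|mutating)webhookconfiguration\.admissionregistration\.k8s\.io/kyverno' || true
}

# List the webhook configurations Kyverno left behind. Requires cluster access.
list_kyverno_webhooks() {
  kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o name \
    | select_kyverno_webhooks
}

# Delete them. Pass --dry-run to only print what would be removed.
cleanup_kyverno_webhooks() {
  targets=$(list_kyverno_webhooks)
  if [ -z "$targets" ]; then
    echo "no Kyverno webhook configurations found"
    return 0
  fi
  for t in $targets; do
    if [ "${1-}" = "--dry-run" ]; then
      echo "would delete $t"
    else
      kubectl delete "$t"
    fi
  done
}

# Constructed sample of `kubectl get ... -o name` output for the offline check below;
# the last entry is a non-Kyverno webhook that must be left alone.
SAMPLE_LISTING='validatingwebhookconfiguration.admissionregistration.k8s.io/kyverno-policy-validating-webhook-cfg
validatingwebhookconfiguration.admissionregistration.k8s.io/kyverno-resource-validating-webhook-cfg
mutatingwebhookconfiguration.admissionregistration.k8s.io/kyverno-resource-mutating-webhook-cfg
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook'

# Number of sample entries the selector picks out (expected: 3).
count_selected() {
  printf '%s\n' "$SAMPLE_LISTING" | select_kyverno_webhooks | wc -l | tr -d ' '
}

if command -v kubectl >/dev/null 2>&1; then
  cleanup_kyverno_webhooks --dry-run
else
  echo "kubectl not found; offline check selects $(count_selected) of 4 sample entries"
fi
```

Run it once with `--dry-run` after `helm uninstall` (or after uninstalling from the Marketplace) to confirm only `kyverno-*` entries are listed, then call `cleanup_kyverno_webhooks` without the flag; afterwards a `kubectl get pods -A` that succeeds confirms admission is no longer blocked by a dangling webhook.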