Marketplace

Kyverno & Kyverno Policies

Updated September 24, 2024

Kyverno is an application to manage security policies in Kubernetes. Security policies appear in Kyverno as Kubernetes resources.
Kyverno supports tools, such as kubectl, git, and kustomize. You can use the Kyverno command-line interface to test policies and validate resources as part of the CI/CD pipeline.

Kyverno-policies is a Kyverno extension.
Kyverno-policies includes an implementation of Kubernetes Pod Security Standards (PSS). When you install the extension, you can select a policy mode: audit (notify only) or enforce (block). The original policies are stored in a separate Kyverno-policies repository.

You can send notifications from Kyverno to other systems using the kyverno-policy-reporter extensions. Kyverno-policy-reporter supports export to Yandex Object Storage (s3).

Tip

To find vulnerabilities in Kubernetes clusters, use Chaos Mesh. Vulnerability detection will help you configure security policies.

Deployment instructions
  1. Create a node group for Kyverno.
  2. Configure the application:
    • Namespace: Select a namespace or create a new one. Make sure it contains no applications or objects; otherwise, Kyverno will not run properly.
    • Application name: Enter a name for the application.
    • Kyverno policies activation: Select the kyverno-policies extensions for an automatic install in Kyverno.
    • Pod Security Standard profile: Select the Pod Security Standard profile: baseline, restricted, or privileged. If the field is left blank, it will be set to baseline by default.
    • Validation failure action: Select a response to Kyverno triggering: audit (notify only) or enforce (block). If the field is left blank, it will be set to audit by default.
  3. Click Install.
  4. Wait for the application to change its status to Deployed.

For more information about tracking when Kyverno is triggered, see the instructions.

If you no longer need the application, delete it. Next, clear the application’s webhook configurations, or else the cluster will not run properly.

Billing type
Free
Type
Kubernetes® Application
Category
Security
Publisher
Yandex Cloud
Use cases
  • Managing the environment independently from workload configurations.
  • Scanning the current workload to optimize Kubernetes cluster performance.
  • Blocking or modifying API calls to optimize Kubernetes cluster performance.
  • Validating, mutating, and generating Kubernetes resources.
  • Ensuring the security of the OCI image supply chain.
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. Available support modes and response times depend on your support plan. You can enable paid support in the management console. Learn more about requesting technical support.

Product composition
Helm chartVersion
Pull-command
Documentation
multi-kyverno1.0.0Open
Docker imageVersion
Pull-command
yandex-cloud/marketplace/kyvernoprev1.6.3
yandex-cloud/marketplace/kyvernov1.6.3
yandex-cloud/marketplace/kyvernoprev1.7.5
yandex-cloud/marketplace/kyvernov1.7.5
yandex-cloud/marketplace/kyvernoprev1.8.5
yandex-cloud/marketplace/kyvernov1.8.5
yandex-cloud/marketplace/kyvernoprev1.9.2
yandex-cloud/marketplace/kyvernov1.9.2
yandex-cloud/marketplace/cleanup-controllerv1.9.2
yandex-cloud/marketplace/bitnami/kubectl1.27.2
yandex-cloud/marketplace/busybox1.36.1
Terms
By using this product you agree to the and the terms and conditions of the following software: Yandex Cloud Marketplace Terms of Use
Billing type
Free
Type
Kubernetes® Application
Category
Security
Publisher
Yandex Cloud