Installing Kyverno & Kyverno Policies
Kyverno is an application to manage Kubernetes security policies. Security policies appear in Kyverno as Kubernetes resources. Kyverno supports kubectl, git, and kustomize. You can use the Kyverno command line interface to test policies and validate resources as part of the CI/CD pipeline.
Kyverno policies is a Kyverno extension. Kyverno policies includes an implementation of Kubernetes Pod Security Standards (PSS). The original policies are stored in a separate Kyverno-policies repository.
You can send notifications from Kyverno to other systems using the Policy reporter extension.
Tip
To find vulnerabilities in Kubernetes clusters, use Chaos Mesh. Vulnerability detection will help you configure security policies.
Getting started
Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
Installation using Yandex Cloud Marketplace
- Navigate to the folder dashboard and select Managed Service for Kubernetes.
- Click the name of the Managed Service for Kubernetes cluster you need and select the Marketplace tab.
- Under Application available for installation, select Kyverno & Kyverno Policies and click Go to install.
- Configure the application:
- Namespace: Create a new namespace, e.g.,
kyverno-space. If you leave the default namespace, Kyverno may work incorrectly. - Application name: Specify the application name.
- Activating Kyverno Policies: Select to install the Kyverno Policies extension.
- Pod Security Standard profile: Select a Pod Security Standard profile:
baseline: Policy with minimum restrictions which prevents known risks of privilege abuse.restricted: Policy with severe restrictions aligned with the latest pod security practices.privileged: Unrestricted policy granting maximum privileges.
- Validation failure action: Select a response to Kyverno triggering:
audit: Notify.enforce: Block.
- Namespace: Create a new namespace, e.g.,
- Click Install.
- Wait for the application to change its status to
Deployed.
Installation using a Helm chart
-
Install Helm v3.8.0 or higher.
-
Install kubect and configure it to work with the new cluster.
-
To install a Helm chart with Kyverno, run the following command:
helm pull oci://cr.yandex/yc-marketplace/multi-kyverno \ --version 1.0.0 \ --untar && \ helm install \ --namespace <namespace> \ --create-namespace \ multi-kyverno ./multi-kyverno/If you set
namespaceto the default namespace, Kyverno may work incorrectly. We recommend you to specify a value different from all existing namespaces (e.g.,kyverno-space).Note
If you are using a Helm version below 3.8.0, append the
export HELM_EXPERIMENTAL_OCI=1 && \string to the command to enable Open Container Initiative (OCI) support in the Helm client.
Application versions
For each Kubernetes version, a certain Kyverno version is supported. The required Kyverno version is installed by default depending on your Kubernetes version.
| Kubernetes version | Kyverno version | Documentation |
|---|---|---|
| 1.21 or older | 1.6 | Kyverno 1.6 documentation |
| 1.22 | 1.7 | Kyverno 1.7 documentation |
| 1.23 | 1.8 | Kyverno 1.8 documentation |
| 1.24 and higher | 1.9 | Kyverno 1.9 documentation |
Uninstalling the application
If you no longer need the Kyverno application, uninstall it:
- Navigate to the folder dashboard and select Managed Service for Kubernetes.
- Click the name of the Kubernetes cluster you need and select the Marketplace tab.
- Under Installed applications, in the row of the Kyverno & Kyverno Policies application, first click
and then Uninstall. - Connect to the cluster using kubectl.
- Clear the application's webhook configurations, or else the cluster will not run properly.
-
Connect to the cluster using kubectl.
-
Delete the application:
helm uninstall --namespace <namespace> multi-kyverno ./multi-kyverno/ -
Clear the application's webhook configurations, or else the cluster will not run properly.