Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Setting up Kyverno & Kyverno Policies

Written by
Updated at September 3, 2024

The Kyverno application and its Kyverno policies extension are used for managing Kubernetes security policies. They appear in Kyverno as Kubernetes resources.

To integrate Kyverno & Kyverno Pоlicies into Managed Service for Kubernetes:

  1. Install the Kyverno & Kyverno Pоlicies application
  2. Check how the policy works for the baseline profile
  3. Create your own Kyverno policy and check how it works

If you no longer need the resources you created, delete them.

Getting started

  1. Create a Managed Service for Kubernetes cluster and node group.

    1. If you do not have a network yet, create one.

    2. If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.

    3. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    4. Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating them, specify the security groups prepared earlier.

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-cluster.tf cluster configuration file to the same working directory. The file describes:

      • Network.

      • Subnet.

      • Managed Service for Kubernetes cluster.

      • Service account required to use the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the following in the configuration file:

      • Folder ID.
      • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
      • Kubernetes cluster CIDR.
      • Name of the service account. It must be unique within the folder.

    7. Make sure the Terraform configuration files are correct using this command:

      terraform validate

      If there are any errors in the configuration files, Terraform will point them out.

    8. Create the required infrastructure:

      1. Run the command to view planned changes:

        terraform plan

        If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

      2. If you are happy with the planned changes, apply them:

        1. Run the command:

          terraform apply

        2. Confirm the update of resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the created cluster.

Install the Kyverno & Kyverno Pоlicies application

Follow this guide to install Kyverno & Kyverno Pоlicies with the following settings:

  • Pod Security Standard profile: baseline
  • Validation failure action: enforce

The baseline Pod Security Standard profile already contains a minimum restriction policy that prevents known privilege abuses.

Check how the policy works for the baseline profile

  • Create a pod named nginx with standard parameters:

    kubectl run nginx --image nginx

    Result:

    pod/nginx created

    Such a pod will satisfy the policy requirements for the baseline profile.

  • Create a pod named nginx in privileged mode:

    kubectl run nginx --image nginx --privileged=true

    Result:

    Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:

policy Pod/default/nginx for resource violation:

disallow-privileged-containers:
  privileged-containers: 'validation error: Privileged mode is disallowed. The fields
    spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged
    must be unset or set to `false`. rule privileged-containers failed at path /spec/containers/0/securityContext/privileged/'

    The policy rules for the baseline profile prohibit creating pods in privileged mode.

Note

Although the policies are designed for pods, Kyverno applies them to any resources able to create pods.

Create your own Kyverno policy and check how it works

  1. Create a policy that will require that all pods have the app.kubernetes.io/name label:

    1. Save the specification for ClusterPolicy creation in a YAML file named policy.yaml:

      apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'app.kubernetes.io/name' is required"
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"

    2. Run this command:

      kubectl apply -f policy.yaml

      Result:

      clusterpolicy.kyverno.io/require-labels created

  2. (Optional) Install Policy Reporter in your Managed Service for Kubernetes cluster to be able to save and process policy results.

Test Kyverno & Kyverno Pоlicies

  • Create a pod named nginx with no app.kubernetes.io/name Kubernetes label:

    kubectl run nginx --image nginx

    Result:

    Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/default/nginx was blocked due to the following policies

require-labels:
  check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required.
    Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'

  • Create a pod named nginx with the app.kubernetes.io/name label:

    kubectl run nginx --image nginx --labels app.kubernetes.io/name=nginx

    Result:

    pod/nginx created

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.

  2. Delete the k8s-cluster.tf configuration file.

  3. Make sure the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  4. Confirm updating the resources.

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

    All the resources described in the k8s-cluster.tf configuration file will be deleted.

Previous
Using Jaeger to trace requests in Managed Service for YDB
Next
Using Metrics Provider to stream metrics