Kyverno

A Carvel package for Kyverno, a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans.

🚀  Getting Started

Prerequisites

• Kubernetes 1.28+

• Carvel kctrl CLI.

• Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

  kapp deploy -a kapp-controller -y \
    -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace

Installation without package repository

The recommended way of installing the Kyverno package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly using kapp or kubectl.

kubectl create namespace kadras-system
kapp deploy -a kyverno-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-kyverno/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-kyverno/releases/latest/download/package.yml

Install the Kyverno package:

kctrl package install -i kyverno \
  -p kyverno.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p kyverno.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Kyverno, check out kyverno.io.

🎯  Configuration

The Kyverno package can be customized via a values.yml file.

tracing:
  enabled: true
  endpoint: opentelemetrycollector.kyverno.svc.cluster.local
  port: 4317

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i kyverno \
  -p kyverno.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The Kyverno package has the following configurable properties.

Configurable properties

Config	Default	Description
optional_components.background_controller	true	Whether to deploy the Background Controller, responsible for processing of generate and mutate-existing rules.
optional_components.cleanup_controller	true	Whether to deploy the Cleanup Controller, responsible for processing CleanupPolicy resources.
optional_components.reports_controller	true	Whether to deploy the Reports Controller, responsible for handling PolicyReport resources.
ca_cert_data	""	PEM-encoded certificate data to trust TLS connections with a custom CA.

Settings for the controllers.

Config	Default	Description
admission_controller.replicas	1	The number of replicas for the Admission Controller. In order to enable high availability, it should be at least 3 (2 is not permitted).
background_controller.replicas	1	The number of replicas for the Background Controller. In order to enable high availability, it should be greater than 1.
cleanup_controller.replicas	1	The number of replicas for the Cleanup Controller. In order to enable high availability, it should be greater than 1.
reports_controller.replicas	1	The number of replicas for the Reports Controller. In order to enable high availability, it should be greater than 1.

Settings for logging.

Config	Default	Description
logging.level	2	Number of the log level verbosity (from 1 to 6).
logging.encoding	text	Log encoding format. Options: text, json.

Settings for metrics.

Config	Default	Description
metrics.type	prometheus	Whether to use OpenTelemetry (grpc) or Prometheus (prometheus) for exporting metrics.
metrics.collector	""	The endpoint where the OpenTelemetry-based collector receives telemetry data. For example, opentelemetrycollector.kyverno.svc.cluster.local:4317.

Settings for tracing.

Config	Default	Description
tracing.enabled	false	Whether to configure Kyverno to export OpenTelemetry traces to a distributed tracing backend.
tracing.endpoint	""	The endpoint where the distributed tracing backend accepts OpenTelemetry traces. For example, opentelemetrycollector.kyverno.svc.cluster.local.
tracing.port	4317	The port exposed by the distributed tracing backend to accept OpenTelemetry traces.
tracing.ca_cert_secret	""	The Secret containing the certificate which is used by the Opentelemetry Tracing Client. If empty string is set, an insecure connection will be used.

Settings for the corporate proxy.

Config	Default	Description
proxy.https_proxy	""	The HTTPS proxy to use for network traffic.
proxy.http_proxy	""	The HTTP proxy to use for network traffic.
proxy.no_proxy	""	A comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use the proxy.

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.