3 min to read

Kyverno 101

Managing policies in Kubernetes

Featured image

5 Essential Policies to Implement in Your Kubernetes Cluster with Kyverno

What is Kyverno?

Kyverno is a policy-as-code solution that originated in the Kubernetes ecosystem and has expanded to support external environments. It enables users to apply policies to JSON payloads in their pipelines—validating, mutating, generating, and cleaning up resources.

Kyverno integrates seamlessly with various tools such as Sixty and Cosign for image verification, and provides a suite of testing tools through its Chainsaw project. Through features like image verification, resource autotuning, and just-in-time provisioning, Kyverno enables Kubernetes administrators to automate and enforce policies effectively.

1. Pod Security Policies

Pod security is fundamental to Kubernetes, as pods are the basic unit of execution. Kyverno lets you enforce Pod Security Policies (PSPs) through declarative YAML files, providing fine-grained control over pod security. You can implement these policies either in your CI/CD pipelines or directly within your clusters.

Kyverno’s pod security policies enhance the built-in capabilities of Kubernetes with benefits including:

These policies prevent misconfigurations that could expose vulnerabilities while enforcing best practices in pod deployments.

2. Just-in-Time Resource Provisioning

Kyverno enables Kubernetes clusters to dynamically provision critical resources, including Roles, RoleBindings, and permissions. This feature is especially valuable for self-service environments like namespace-as-a-service, where developers can create namespaces with automatically applied permissions.

Operating as a controller inside your cluster, Kyverno creates resources on demand through just-in-time provisioning. This approach particularly benefits air-gapped environments and real-time resource provisioning, ensuring resource availability while maintaining organizational policies.

3. Image Verification

Container image security and integrity are crucial. Kyverno works with Cosign, Notary, and Sixty to verify image signatures and check for attestations during admission. This prevents deploying malicious or misconfigured container images in your clusters.

For enhanced image management, Kyverno supports S BOMs (Software Bill of Materials), enabling you to scan and verify container image contents for vulnerabilities and compliance with organizational standards.

4. Autotuning of Resources

Efficient resource management can dramatically reduce costs in dynamic environments. Kyverno offers automatic resource allocation tuning based on real-time usage.

Through integration with the Vertical Pod Autoscaler (VPA), Kyverno automatically generates and adjusts VPA resources based on workload performance. It offers two modes:

This policy proves especially valuable in development and test clusters, delivering significant cost savings.

5. Cleanup and Resource Deletion

Clusters naturally accumulate unused or expired resources over time, creating inefficiencies and overhead. Kyverno addresses this by enabling administrators to set Time-to-Live (TTL) policies, automatically cleaning up unused resources.

Kyverno’s policy-based automation handles:

These policies maintain cluster optimization without manual intervention, minimizing resource sprawl and performance degradation.

Wrapping Up

Lets summarize what we learned today, the five essential policy types for Kubernetes clusters:

  1. Pod Security Policies for enforcing security standards at the pod level.
  2. Just-in-Time Provisioning to automate resource creation and management.
  3. Image Verification for ensuring the integrity and security of container images.
  4. Autotuning of Resources to optimize resource usage and reduce costs.
  5. Cleanup and Resource Deletion to keep your clusters clean and efficient.

Build On!