What’s new in Kyverno 1.3.6!

What’s new in Kyverno 1.3.6!

We are super excited to announce the 1.3.6 release of Kyverno. Features in this release focussed on supporting advanced capabilities when writing or testing Kyverno policies. 

Here is what’s included in this release:

Operator support for lists

Previously, Kyverno supported operators on scalar values. This feature extends operator support for list / array values.

Example policy: Check if the command for any container in a pod contains ‘-c’ option

Here is the sample YAML that can be used to test this policy

apiVersion: batch/v1
kind: Job
metadata:
  name: hello
spec:
  template:
    spec:
      containers:
      - name: hello
        image: busybox
        command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      restartPolicy: OnFailure
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-resource-command
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: check-resource-command
    exclude:
      resources:
        namespaces:
        - kube-system
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "The command should not contain '-c'"
      anyPattern:
      - spec:
          containers:
            - =(command): ["!-c"]

Applying this YAML to the cluster will return an error since the ‘command’ contains ‘-c’

JMESPath enhancements

You can now include JMESPath in patchesJson6902 for resource mutation.

Example policy: Modify host name to include domain suffix

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-ingress-host
spec:
  rules:
  - name: mutate-rules-host
    match:
      resources:
        kinds:
        - Ingress
    mutate:
      patchesJson6902: |-
        - op: replace
          path: /spec/rules/0/host
          value: {{request.object.spec.rules[0].host}}.mycompany.com

Sample YAML: The host will be modified when the policy is applied.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  namespace: ingress
  labels:
    app: kuard
spec:
  rules:
  - host: kuard
    http:
      paths:
      - backend:
          service: 
            name: kuard
            port: 
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - kuard

Support for string manipulation functions

Additional support has been added for advanced string manipulation functions in JMESPath expressions. The following functions are now supported:
– compare
– contains
– equal_fold
– replace_all
– replace
– to_upper
– to_lower
– trim, split
– regex_replace_all
– regex_replace_all_literal
– regex_match
– labels_match

Detailed description of these functions is available in the documentation.

Example policy: Replace all matching hosts to the new one.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-host
spec:
  background: false
  rules:
    - name: replace-host
      match:
        resources:
          kinds:
          - Ingress
      mutate:
        patchesJson6902: |-
          - op: replace
            path: /spec/rules/0/host
            value: {{ replace_all(request.object.spec.rules[0].host, 'staging.mycompany.com', 'mirror.mycompany.com') }}

Example policy: Using label matching, to check if NetworkPolicy exists for every pod

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy
  annotations:
spec:
  validationFailureAction: audit
  rules:
  - name: require-network-policy
    match:
      resources:
        kinds:
        - Pod
    context:
    - name: policies_count
      apiCall:
        urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
        jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.metadata.labels}}`)] | length(@)"
    validate:
      message: "Every pod requires a matching network policy"
      deny:
        conditions:
        - key: "{{policies_count}}"
          operator: LessThan
          value: 1

CLI support for external data lookup

This improvement allows passing data into the CLI using ConfigMap or API call. The data can be passed to the CLI in the following format:

policies:
  - name: <policy name>
    rules:
      - name: <rule name>
        values:
          <variable>: <value>

Example policy: This policy gets the environment name from a configmap and can be tested using the CLI and passing in the data.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cm-variable-example
  annotations:
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: example-configmap-lookup
      context:
      - name: dictionary
        configMap:
          name: mycmap
          namespace: default
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              my-environment-name: "{{dictionary.data.env}}"

Sample YAML:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-config-test
spec:
  containers:
  - image: nginx:latest
    name: test-nginx

Sample values.yaml:

policies:
  - name: cm-variable-example
    rules:
      - name: example-configmap-lookup
        values:
          dictionary.data.env: dev1

Now you can use the CLI to test this policy as follows:

kyverno apply cm_variable_example.yaml -r nginx.yaml -f value.yaml

Output:

applying 1 policy to 1 resource... 

mutate policy cm-variable-example applied to default/Pod/nginx-config-test:
apiVersion: v1
kind: Pod
metadata:
  labels:
    my-environment-name: dev1
  name: nginx-config-test
  namespace: default
spec:
  containers:
  - image: nginx:latest
    name: test-nginx

---

pass: 1, fail: 0, warn: 0, error: 0, skip: 0

The enhancements in this release enable more flexibility when writing Kyverno policies while allowing you to address more complex use cases without increasing your learning curve. Test drive this new release and please share your feedback with the team. You can reach out to the Kyverno team on the #kyverno Slack channel or mailing list.

Also, if you are already using Kyverno and looking to simplify policy management across your clusters, please checkout the Nirmata Policy Manager for Kyverno. You can register for early access here: https://nirmata.com/nirmata-policy-manager/.

Removing Pod Security Policies (PSP) from Kubernetes & What To Do Next? Try Kyverno!
What's new in Kyverno 1.3.5: Multiple generate workers, Images variable, Kyverno CLI update, and more...
No Comments

Sorry, the comment form is closed at this time.