We are super excited to announce the 1.3.6 release of Kyverno. Features in this release focussed on supporting advanced capabilities when writing or testing Kyverno policies.
Here is what’s included in this release:
Operator support for lists
Previously, Kyverno supported operators on scalar values. This feature extends operator support for list / array values.
Example policy: Check if the command for any container in a pod contains ‘-c’ option
Here is the sample YAML that can be used to test this policy
apiVersion: batch/v1
kind: Job
metadata:
name: hello
spec:
template:
spec:
containers:
- name: hello
image: busybox
command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
restartPolicy: OnFailureapiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-resource-command
spec:
validationFailureAction: enforce
background: false
rules:
- name: check-resource-command
exclude:
resources:
namespaces:
- kube-system
match:
resources:
kinds:
- Pod
validate:
message: "The command should not contain '-c'"
anyPattern:
- spec:
containers:
- =(command): ["!-c"]Applying this YAML to the cluster will return an error since the ‘command’ contains ‘-c’
JMESPath enhancements
You can now include JMESPath in patchesJson6902 for resource mutation.
Example policy: Modify host name to include domain suffix
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-ingress-host
spec:
rules:
- name: mutate-rules-host
match:
resources:
kinds:
- Ingress
mutate:
patchesJson6902: |-
- op: replace
path: /spec/rules/0/host
value: {{request.object.spec.rules[0].host}}.mycompany.comSample YAML: The host will be modified when the policy is applied.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard
namespace: ingress
labels:
app: kuard
spec:
rules:
- host: kuard
http:
paths:
- backend:
service:
name: kuard
port:
number: 8080
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- kuardSupport for string manipulation functions
Additional support has been added for advanced string manipulation functions in JMESPath expressions. The following functions are now supported:
– compare
– contains
– equal_fold
– replace_all
– replace
– to_upper
– to_lower
– trim, split
– regex_replace_all
– regex_replace_all_literal
– regex_match
– labels_match
Detailed description of these functions is available in the documentation.
Example policy: Replace all matching hosts to the new one.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: replace-host
spec:
background: false
rules:
- name: replace-host
match:
resources:
kinds:
- Ingress
mutate:
patchesJson6902: |-
- op: replace
path: /spec/rules/0/host
value: {{ replace_all(request.object.spec.rules[0].host, 'staging.mycompany.com', 'mirror.mycompany.com') }}Example policy: Using label matching, to check if NetworkPolicy exists for every pod
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-network-policy
annotations:
spec:
validationFailureAction: audit
rules:
- name: require-network-policy
match:
resources:
kinds:
- Pod
context:
- name: policies_count
apiCall:
urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.metadata.labels}}`)] | length(@)"
validate:
message: "Every pod requires a matching network policy"
deny:
conditions:
- key: "{{policies_count}}"
operator: LessThan
value: 1CLI support for external data lookup
This improvement allows passing data into the CLI using ConfigMap or API call. The data can be passed to the CLI in the following format:
policies:
- name: <policy name>
rules:
- name: <rule name>
values:
<variable>: <value>Example policy: This policy gets the environment name from a configmap and can be tested using the CLI and passing in the data.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cm-variable-example
annotations:
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
spec:
validationFailureAction: enforce
background: false
rules:
- name: example-configmap-lookup
context:
- name: dictionary
configMap:
name: mycmap
namespace: default
match:
resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
labels:
my-environment-name: "{{dictionary.data.env}}"Sample YAML:
apiVersion: v1
kind: Pod
metadata:
name: nginx-config-test
spec:
containers:
- image: nginx:latest
name: test-nginx
Sample values.yaml:
policies:
- name: cm-variable-example
rules:
- name: example-configmap-lookup
values:
dictionary.data.env: dev1Now you can use the CLI to test this policy as follows:
kyverno apply cm_variable_example.yaml -r nginx.yaml -f value.yamlOutput:
applying 1 policy to 1 resource...
mutate policy cm-variable-example applied to default/Pod/nginx-config-test:
apiVersion: v1
kind: Pod
metadata:
labels:
my-environment-name: dev1
name: nginx-config-test
namespace: default
spec:
containers:
- image: nginx:latest
name: test-nginx
---
pass: 1, fail: 0, warn: 0, error: 0, skip: 0The enhancements in this release enable more flexibility when writing Kyverno policies while allowing you to address more complex use cases without increasing your learning curve. Test drive this new release and please share your feedback with the team. You can reach out to the Kyverno team on the #kyverno Slack channel or mailing list.
Also, if you are already using Kyverno and looking to simplify policy management across your clusters, please checkout the Nirmata Policy Manager for Kyverno. You can register for early access here: https://nirmata.com/nirmata-policy-manager/.
Sorry, the comment form is closed at this time.