Kyverno, a CNCF incubating project, is a flexible and powerful policy engine for Kubernetes environments that allows users to define, validate, and enforce policies for. While the most popular policies for Kyverno can vary depending on the specific use case and environment, here are some of the most common policies that are frequently used as observed in the Kyverno community:
- Resource limits: Kyverno can be used to enforce resource limits for Kubernetes resources, such as CPU and memory usage, to ensure that applications don’t consume too many resources and cause performance issues. Sample policy.
- Namespace isolation: Kyverno can be used to enforce policies that isolate namespaces in Kubernetes environments, which helps prevent applications from accessing resources outside their intended namespace. Here are some policies that can be used to enforce multi-tenancy.
- Security context: Kyverno can be used to enforce security context policies for Kubernetes resources, such as requiring specific security settings or permissions for containers. Sample policies.
- Image policies: Kyverno can be used to enforce policies that limit the use of certain container images or verify the image signature before deploying images. Sample image verification policies.
- Network policies: Kyverno can be used to enforce network policies for Kubernetes resources, such as restricting network traffic between pods or namespaces. Sample policies.
- Labeling: Kyverno can be used to enforce policies that require specific labels for Kubernetes resources, which can help with resource management and organization. Require labels policy.
- Pod affinity/anti-affinity: Kyverno can be used to enforce policies that define pod affinity or anti-affinity rules, which help ensure that pods are scheduled on specific nodes or avoid being scheduled on the same node. Sample policy.
- Secrets management: Kyverno can be used to enforce policies that define how secrets are managed and accessed within Kubernetes environments, such as limiting access to specific namespaces, enforcing encryption or generating default secrets. Some sample policies.
- RBAC policies: Kyverno can be used to enforce Role-Based Access Control (RBAC) policies for Kubernetes resources, such as defining specific permissions or roles for users or groups. Sample RBAC policies.
- Compliance: Kyverno can be used to enforce compliance policies for Kubernetes resources, such as ensuring that resources meet specific regulations or industry standards. For example, Pod Security Admission is required by several compliance standards.
In conclusion, Kyverno, created by Nirmata, provides a powerful and flexible way to enforce policies for Kubernetes, and the most popular Kyverno policies can vary depending on the specific use case and environment. However, the policies listed above are some of the most common policies that are frequently used by community members to improve the reliability, security, and compliance of Kubernetes environments for DevSecOps and platform engineering needs.
If you want to learn more about how to write Kyverno policies, check out this video, below.