Whats new in Kyverno Release 1.11!

Whats new in Kyverno Release 1.11!

kyverno v1.11.0 3

The Kyverno team is delighted to share a new Kyverno release, v1.11! This release marks a significant milestone for Kyverno, with an extensive development period of around five months, including eight pre-releases and the merging of over 500 pull requests. We are incredibly proud of the progress made and cannot wait for you to explore the remarkable additions in Kyverno 1.11!

New Features

ValidatingAdmissionPolicy Support

In Kyverno 1.11, a new sub-rule validate.cel was introduced. This sub-rule type allows users to use Common Expression Language (CEL) expressions for resource validation. CEL was initially introduced in Kubernetes for the validation rules of CustomResourceDefinitions and is now also utilized by Kubernetes ValidatingAdmissionPolicies

For example, this policy ensures that deployment replicas are less than 4.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
 name: check-deployment-replicas
spec:
 validationFailureAction: Enforce
 background: false
 rules:
   - name: check-deployment-replicas
     match:
       any:
       - resources:
           kinds:
             - Deployment
     validate:
       cel:
         expressions:
           - expression: "object.spec.replicas < 4"
             message:  "Deployment spec.replicas must be less than 4."

It is possible to generate Kubernetes ValidatingAdmissionPolicies and their bindings from the Kyverno policy mentioned above. With this feature, Kyverno now offers complete policy management for Kubernetes ValidatingAdmissionPolicies. This includes the ability to apply ValidatingAdmissionPolicies to resources using the command-line interface (CLI) and to obtain PolicyReports for them.

Policy Report Enhancements

In previous versions of Kyverno, PolicyReports were generated and grouped per namespace per policy. The AdmissionReports and BackgroundScanReports were retained in the cluster for remediation purposes. However, this posed a challenge for large clusters as it led to resource overload in etcd. 

With the introduction of Kyverno 1.11, a PolicyReport is now created for each individual resource and will be automatically removed if the corresponding resource is deleted. To avoid repetition in every result, the scope field in the report is utilized to indicate resource metadata. Additionally, AdmissionReports and BackgroundScanReports are now considered ephemeral resources and are cleaned up once they are aggregated into the final reports. Below is a snippet of a PolicyReport.

apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
 name: 0f8f65db-3bfa-4178-af8d-d66fc765b17e
 namespace: default
 ownerReferences:
 - apiVersion: v1
   kind: Service
   name: kubernetes
   uid: 0f8f65db-3bfa-4178-af8d-d66fc765b17e
results:
- category: Networking
 message: validation rule 'disallow-LoadBalancer' passed.
 policy: disallow-loadbalancer-service
 result: pass
 rule: disallow-LoadBalancer
 source: kyverno
......
scope:
 apiVersion: v1
 kind: Service
 name: kubernetes
 namespace: default
 uid: 0f8f65db-3bfa-4178-af8d-d66fc765b17e
summary:
 pass: 1
......

Notary Updates

In Kyverno version 1.11, support for verifying OCI 1.1 attestations using Notary has been added. The following policy will verify the signature on the sbom/cyclone-dx attestation and check if the license version of all the components in the SBOM is GPL-3.0.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-attestation
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  failurePolicy: Fail  
  rules:
    - name: verify-attestation-notary
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
      - name: keys
        configMap:
          name: keys
          namespace: kyverno
      verifyImages:
      - type: Notary
        imageReferences:
          - "ghcr.io/kyverno/test-verify-image*"
        attestations:
          - type: sbom/cyclone-dx
            attestors:
            - entries:
              - certificates: 
                  cert: |-
                    -----BEGIN CERTIFICATE-----
                    <snip>
                    -----END CERTIFICATE-----
            conditions:
            - all:
              - key: "{{ components[].licenses[].expression }}"
                operator: AllIn
                value: ["GPL-3.0"]

Cosign 2.0 Support

Kyverno 1.11 also adds support for Cosign 2.0 and all the behavioral changes in Cosign 2.0 are supported in Kyverno. Tlogs and SCTs are now verified by default and can be turned off using rekor.ignoreTlogs and ctlog.IgnoreSCT attributes in a policy. Rekor public keys and ctlog public keys can now be specified in policies to verify Tlogs and SCT timestamps without setting up TUF for Sigstore or passing a Rekor URL.

Full support for private Sigstore deployments has also been added. Private Sigstore deployments can be used by passing the TUF root and mirror in the Kyverno deployment or Helm chart.

Image Verification Cache

Image verification requires multiple network calls and can be time-consuming. We have also added caching for image verification that will cache successful image verification outcomes. It is a TTL-based cache and the size and TTL configuration can be configured in the deployment. 

Note: Users upgrading from Kyverno v1.10 to v1.11 who have image verification policies using cosign will have to explicitly disable Tlogs and SCT verification in their policy using the rekor.ignoreTlogs and ctlog.IgnoreSCT fields if they did not use Rekor while signing the image.

Cleanup via TTL label

The cleanup ability was introduced in Kyverno 1.9 via the cleanup type of policy. This release introduced another option to clean up resources via a reserved time-to-live (TTL) label cleanup.kyverno.io/ttl. By assigning this label to any resource with required permissions granted to Kyverno, the resource will be removed at the designated time. In this release, the cleanup policy no longer relies on CronJobs to perform the job.

For example, the creation of this Pod will cause Kyverno to clean it up after two minutes and without the presence of a cleanup policy.

apiVersion: v1
kind: Pod
metadata:
 labels:
   cleanup.kyverno.io/ttl: 2m
 name: foo
spec:
 containers:
 - args:
   - sleep
   - 1d
   image: busybox:1.35
   name: foo

Because this is a label, there is an opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the infra-ops group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition.

CLI Refactoring and New Test Schema

In Kyverno 1.11, we have made significant improvements to the CLI, enhancing its stability and usability. A new test manifest schema was introduced to the Kyverno test command, now you can validate your test.yaml and get helpful error reports during execution. Here’s a snippet of a test.yaml and an error is displayed as part of the execution result.

apiVerion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: mytest
policies:
- policy.yaml
resources:
- pod.yaml
results:
- policy: evil-policy-match-foreign-pods
  rule: evil-validatio
  resource: nginx
  status: pass
$ kubectl-kyverno test ./scratch/cli
No test yamls available
Test errors:
    failed to load test file (json: cannot unmarshal array into Go value of type api.Test)

Moreover, we have added three new commands to the Kyverno CLI: create, docs, and an experimental fix. The create command creates various resources that can be used for the Kyverno CLI, including test.yaml and the values file that are used for the test command. With the fix command, you can now easily resolve any issues and ensure that your Kyverno resources are up-to-date and optimized. The docs command enables automatic generation of comprehensive documentation for the Kyverno CLI. It makes it a lot easier for users to access the information they need and stay up-to-date with all the CLI capabilities.

Other Additions

As with previous minor releases, certain features have progressed to the next phase. The PolicyExceptions and Cleanup policies moved from alpha to beta status, and PolicyExceptions are enabled by default in 1.11.

The Kyverno CLI can now be installed via a GitHub Action, which currently supports GitHub-provided Linux, macOS, and Windows.

Kyverno JSON

Although not part of 1.11.0, the Kyverno team launched a new sub-project Kyverno JSON, which extends Kyverno beyond Kubernetes. Now, platform engineering teams can use Kyverno’s declarative policies to validate any JSON payload including Terraform files, Dockerfiles, Cloud configurations, and service authorization requests. 

Kyverno JSON can be consumed as a CLI, a Golang API, or a web service with a REST API. Read more at: https://www.cncf.io/blog/2023/11/06/kyverno-expands-beyond-kubernetes/.

Kyverno Chainsaw

Another sub-project launched was Kyverno Chainsaw, an end-to-end declarative test tool for Kubernetes controllers. Chainsaw emerged from a real need for testing Kyverno controllers and policy behaviors in continuous integration environments. You can learn more about it at: https://kyverno.github.io/chainsaw/.  

Security Hardening

In addition to the mentioned features, enhancements, and fixes, the Kyverno project completed a fuzzing security audit and is undergoing a thorough third-party security review. The security review is being conducted in collaboration with the CNCF, Ada Logics, and OSTIF

The review exposed a high-severity vulnerability CVE-2023-47630 involving the possibility of users consuming insecure images pulled from a compromised registry. In addition, four CVEs CVE-2023-42813, CVE-2023-42814, CVE-2023-42815, CVE-2023-42816 were identified in unreleased code (i.e. on the main branch), which could potentially allow an attacker to cause a denial of service of Kyverno by exploiting the Notary verifier.

Closing

Kyverno 1.11 is here, and we want to express our heartfelt gratitude to all the contributors who made this release possible! This release is jam-packed with awesome new features and improvements that we can’t wait for you to try out. For a more complete list of all the features, changes, and fixes, please see the release notes on GitHub.

Join our community on Kubernetes Slack, attend our community meetings, and connect with us on Twitter. Thank you for your support, and we can’t wait to see what amazing things you’ll achieve with Kyverno 1.11!

Are you interested in learning more about how to secure your Kubernetes clusters using Kyverno? Check out this ebook: Securing Kubernetes Using Policy-as-code powered by Kyverno

Verifying images and attestations using AWS Signer, Notation and Kyverno.
Mitigating the Latest Kubernetes NGINX Ingress Controller CVEs
No Comments

Sorry, the comment form is closed at this time.