Kyverno, a CNCF incubation project, is a Kubernetes-native policy engine that helps secure, automate, and manage clusters using Policy-as-Code. To optimize policy enforcement performance, especially in large clusters, Kyverno introduces features like GlobalContextEntry and Projections. These features reduce API server loads and speed up policy processing times, making Kyverno policies more efficient.

GlobalContextEntry

The GlobalContextEntry is a Custom Resource Definition (CRD) that acts as a shared cache for external data, accessible across all Kyverno policies. It helps avoid redundancy when multiple policies need to access the same data.
Key aspects of GlobalContextEntry:

• Shared Cache: It serves as a shared cache for external data, which can be accessed globally across Kyverno policies.
• Reduces API Costs: By fetching data once and reusing it across multiple policies, it reduces redundant API costs.
• Data Fetching and Storage: When a GlobalContextEntry is created, Kyverno fetches data (Kubernetes resources or data from external systems) and stores it. Policies can then reference this data without needing to fetch it each time.
• Types of Global Context Entries: There are two types: Kubernetes resources and API calls. The Kubernetes resource uses informers and watchers to monitor Kubernetes resources, while the API call can specify a URL to retrieve data from.
• Refresh Interval: The API call has a configurable refresh interval, acting as a TTL to determine how often a new request is made to update the cache.
• Context as Template Variables: In each Kyverno policy, the context functions as template variables, storing variables whose values can be loaded.

You can read more about GlobalContextEntry in this Nirmata blog post.

Projections

Projections further enhance performance by optimizing how data is processed and stored in the cache.
Key features of Projections:

• JMESPath Expressions on Write Time: Projections apply JMESPath expressions when writing data to the cache, rather than when reading it.
• Reduced Memory Usage: By applying the JSON path expression during the write operation, only the computed data is stored, reducing memory usage. Instead of storing the entire resource, only the necessary fields are stored.
• Context Configuration: When using projections, the context in the policy specifies the name of the GlobalContextEntry and the name of the projection.

Performance Improvement

Tests demonstrate significant performance improvements when using GlobalContextEntry and Projections. In one test involving 1,000 requests:

• Switching to GlobalContextEntry resulted in a tenfold increase in performance.
• Using Projections in addition to GlobalContextEntry doubled the performance compared to using GlobalContextEntry alone.

By implementing GlobalContextEntry and Projections, Kyverno optimizes policy enforcement, reduces API server loads, and accelerates policy processing times, especially in large Kubernetes clusters.
Need more information? You can contact Nirmata easily.

Ready to engage and see for yourself what all the DevOps buzz is about? Request a demo here.