In a recent session at KubeCon, Jim Bugwadia, co-founder of Nirmata and Kyverno maintainer, shared five must-have policies that Kubernetes administrators should consider using to enhance their cluster security and efficiency. Kyverno, a powerful policy-as-code solution, has been helping organizations streamline their policy enforcement with fine-grained control. Jim provided a comprehensive overview of its capabilities and demonstrated how it can simplify operations, enhance security, and optimize resources in a Kubernetes environment.
What is Kyverno?
Kyverno is a policy-as-code solution that originated within the Kubernetes ecosystem but has since expanded to support external environments as well. It allows users to apply policies to JSON payloads in their pipelines, validating, mutating, generating, and cleaning up resources.
Kyverno integrates seamlessly with tools such as Sigstore and Cosign for image verification, and it also provides a suite of testing tools through its Chainsaw project. With features like image verification, resource autotuning, and just-in-time provisioning, Kyverno empowers Kubernetes administrators to automate and enforce policies effectively.
1. Pod Security Policies
Pod security is fundamental to Kubernetes, as pods are the basic unit of execution. With Kyverno, you can enforce Pod Security Policies (PSPs) through declarative YAML files, enabling fine-grained control over pod security. This can be done either in your CI/CD pipelines or directly within your clusters.
Kyverno’s pod security policies extend the built-in capabilities of Kubernetes, offering additional benefits such as:
- Fine-grained enforcement
- CLI testing tools to validate policies before deployment
- Built-in reporting tools for ongoing monitoring
These policies help prevent misconfigurations that could expose vulnerabilities and enforce best practices in pod deployments.
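As an added illustration (not from Jim's talk or the Kyverno project itself), the policy below enforces the restricted Pod Security Standards profile with Kyverno's built-in podSecurity validation and carves out one fine-grained exception for a single image pattern. The registry name, namespace list and exception are assumptions for the example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-restricted
spec:
  # Start with Audit to populate PolicyReports without blocking, then switch to Enforce.
  validationFailureAction: Enforce
  # Also evaluate pods that already exist so the reports show current drift.
  background: true
  rules:
    - name: restricted-profile
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system        # assumed: platform namespaces handled separately
      validate:
        podSecurity:
          level: restricted          # the strictest Pod Security Standards profile
          version: latest
          # Fine-grained exception: relax exactly one control for one image pattern
          # instead of exempting the whole namespace.
          exclude:
            - controlName: Capabilities
              images:
                - "registry.example.com/legacy/*"   # assumed image pattern
```

Before deploying, the policy can be tested offline against a sample pod manifest with the Kyverno CLI (`kyverno apply pod-security-restricted.yaml --resource pod.yaml`); once applied, the `PolicyReport` and `ClusterPolicyReport` resources give the ongoing view mentioned above.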
2. Just-in-Time Resource Provisioning
Kyverno allows Kubernetes clusters to provision critical resources, such as Roles, RoleBindings, and permissions, dynamically. This functionality is particularly useful when creating self-service environments like namespace-as-a-service, where developers can create their own namespaces with the required permissions automatically applied.
With just-in-time provisioning, Kyverno acts like a controller running inside your cluster, creating resources on demand. This is especially beneficial for air-gapped environments or real-time resource provisioning, ensuring that resources are always available when needed and adhere to organizational policies.
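Here is an added example of the namespace-as-a-service pattern, written for this summary rather than taken from the talk or the Kyverno docs. When a namespace carrying an assumed `provisioning: self-service` label is created, Kyverno generates a scoped Role with a limited verb set plus a RoleBinding to the user who made the request. The label name, Role name and rule list are all assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-as-a-service
spec:
  rules:
    # Rule 1: a namespace-scoped Role with only the verbs a team needs
    - name: generate-team-role
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  provisioning: self-service   # assumed opt-in label
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        name: team-developer
        namespace: "{{request.object.metadata.name}}"
        synchronize: true     # re-create or re-sync if someone edits or deletes it
        data:
          rules:
            - apiGroups: ["", "apps", "batch"]
              resources: ["pods", "pods/log", "deployments", "jobs", "services", "configmaps"]
              verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    # Rule 2: bind that Role to whoever created the namespace
    - name: generate-team-rolebinding
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  provisioning: self-service
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: team-developer-binding
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          subjects:
            - kind: User
              # userInfo is only present in the admission request, which is
              # exactly when this generate rule fires.
              name: "{{request.userInfo.username}}"
              apiGroup: rbac.authorization.k8s.io
          roleRef:
            kind: Role
            name: team-developer
            apiGroup: rbac.authorization.k8s.io
```

Two practical checks: Kyverno's own controller must itself be allowed to create Roles and RoleBindings in the target namespace (Kubernetes refuses RBAC grants that exceed the granting identity's permissions), and `synchronize: true` means a manually widened Role is reverted to the policy's definition, which is the behaviour you want for a permission boundary.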
3. Image Verification
Ensuring the security and integrity of container images is critical. Kyverno integrates with Cosign, Notary, and Sigstore, allowing you to verify image signatures and check for attestations at the time of admission. This helps prevent the deployment of malicious or improperly configured container images in your clusters.
For more robust image management, Kyverno supports SBOMs (Software Bills of Materials), allowing you to scan and verify the contents of container images, checking for vulnerabilities or compliance violations based on your organization’s standards.
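The following policy is an added example (not from the talk or the Kyverno project) of both checks in one rule: every image from an assumed internal registry must carry a valid Cosign signature from a release key, and must also carry a signed CycloneDX SBOM attestation whose component list is free of a named component. The registry pattern, the public key (a placeholder) and the blocked component name are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images-and-sbom
spec:
  validationFailureAction: Enforce
  background: false            # signature checks need the live admission request
  webhookTimeoutSeconds: 30    # the verifier talks to the registry; give it headroom
  rules:
    - name: signed-with-sbom
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # assumed internal registry
          required: true      # an image with no matching signature fails, it is not skipped
          mutateDigest: true  # rewrite tag to digest so the verified image is the one that runs
          verifyDigest: true
          # Signature check: at least one of the listed attestors must verify
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_COSIGN_RELEASE_PUBLIC_KEY
                      -----END PUBLIC KEY-----
          # Attestation check: a CycloneDX SBOM signed by the same key,
          # with conditions evaluated against the SBOM predicate
          attestations:
            - type: https://cyclonedx.org/bom
              attestors:
                - count: 1
                  entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          PLACEHOLDER_COSIGN_RELEASE_PUBLIC_KEY
                          -----END PUBLIC KEY-----
              conditions:
                - all:
                    # JMESPath over the SBOM: count components with a blocked name
                    # (log4j-core used here as the illustrative blocked component)
                    - key: "{{ components[?name=='log4j-core'] | length(@) }}"
                      operator: Equals
                      value: 0
```

Because `mutateDigest` pins the image to the digest that was verified, a tag being re-pointed after admission does not change what the node pulls; that pinning is as important to the control as the signature itself.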
4. Autotuning of Resources
Managing resources efficiently can significantly reduce costs, especially in dynamic environments. Kyverno provides the ability to autotune resource allocations automatically, based on real-time usage.
By integrating with the Vertical Pod Autoscaler (VPA), Kyverno can automatically generate VPA resources, adjusting them based on workload performance. This can be done in two modes:
- Recommendation Mode: The VPA suggests resource changes.
- Mutation Mode: The VPA automatically adjusts overused resources.
This policy is particularly valuable in development and test clusters, where resource efficiency can lead to significant cost savings. Jim cited a case study from Adidas, where using autotuning saved about 50% in costs in their development environments.
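To show how the two modes map onto concrete objects, here is an added example (not from the talk or the Kyverno project) in which Kyverno generates a VerticalPodAutoscaler for every Deployment in namespaces carrying an assumed `environment: dev` label. Recommendation mode corresponds to `updateMode: "Off"`; changing it to `"Auto"` lets the VPA rewrite requests by re-creating pods, which is the mutation behaviour described above. The label, the allowed ranges and the VPA name suffix are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-vpa-for-deployments
spec:
  rules:
    - name: vpa-per-deployment
      match:
        any:
          - resources:
              kinds:
                - Deployment
              namespaceSelector:
                matchLabels:
                  environment: dev     # assumed label on dev/test namespaces only
      generate:
        apiVersion: autoscaling.k8s.io/v1
        kind: VerticalPodAutoscaler
        name: "{{request.object.metadata.name}}-vpa"
        namespace: "{{request.object.metadata.namespace}}"
        synchronize: true
        data:
          spec:
            targetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: "{{request.object.metadata.name}}"
            updatePolicy:
              # "Off"  = recommendation mode: only status.recommendation is filled in.
              # "Auto" = mutation mode: pods are evicted and re-admitted with tuned requests.
              updateMode: "Off"
            resourcePolicy:
              containerPolicies:
                - containerName: "*"
                  # Guard rails so an autotuner can never starve or bloat a workload
                  minAllowed:
                    cpu: 50m
                    memory: 64Mi
                  maxAllowed:
                    cpu: "2"
                    memory: 2Gi
                  controlledResources: ["cpu", "memory"]
```

The VPA custom resource and its recommender must already be installed in the cluster; Kyverno only creates the objects. Run in `"Off"` mode first and compare `status.recommendation` with current requests before letting `"Auto"` change anything in shared environments.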
5. Cleanup and Resource Deletion
Over time, clusters accumulate unused or expired resources, leading to inefficiencies and unnecessary overhead. Kyverno helps manage this by allowing administrators to set Time-to-Live (TTL) policies for resources, ensuring that unused resources are cleaned up automatically.
Kyverno’s policy-based automation can apply to:
- Leases for namespaces and resources
- Expired resources that no longer serve a purpose
These policies ensure that clusters remain optimized without manual intervention, reducing the risk of resource sprawl and performance degradation.
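As an added example (not from the talk or the Kyverno project), the two manifests below cover both cases listed above: a mutate rule stamps a time-to-live label on self-service namespaces at creation, which Kyverno's cleanup controller honours as a lease, and a scheduled ClusterCleanupPolicy removes Jobs that finished more than a day ago. The label selector, the lease length and the age threshold are assumptions.

```yaml
# Part 1: lease self-service namespaces by adding Kyverno's TTL label
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-namespace-ttl
spec:
  rules:
    - name: lease-self-service-namespaces
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  provisioning: self-service   # assumed opt-in label
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              # "+()" adds the label only if it is absent, so a team can set a
              # shorter lease themselves without the policy overwriting it.
              +(cleanup.kyverno.io/ttl): "168h"   # assumed 7-day lease
---
# Part 2: delete finished Jobs on a schedule (kyverno.io/v2; older releases use v2beta1)
apiVersion: kyverno.io/v2
kind: ClusterCleanupPolicy
metadata:
  name: cleanup-completed-jobs
spec:
  schedule: "0 * * * *"         # evaluate hourly
  match:
    any:
      - resources:
          kinds:
            - Job
  conditions:
    all:
      # "target" is the resource under evaluation; treat a missing count as 0
      - key: "{{ target.status.succeeded || `0` }}"
        operator: GreaterThanOrEquals
        value: 1
      # only Jobs that completed more than 24h ago
      - key: "{{ time_since('', '{{ target.status.completionTime }}', '') }}"
        operator: DurationGreaterThan
        value: "24h"
```

Like generate rules, cleanup needs RBAC: Kyverno's cleanup controller must be permitted to list and delete the kinds named in the policy, and nothing else, so the permission to delete stays as narrow as the policy that uses it.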
Wrapping Up
Jim concluded by recapping the five essential policy types for Kubernetes clusters:
- Pod Security Policies for enforcing security standards at the pod level.
- Just-in-Time Provisioning to automate resource creation and management.
- Image Verification for ensuring the integrity and security of container images.
- Autotuning of Resources to optimize resource usage and reduce costs.
- Cleanup and Resource Deletion to keep your clusters clean and efficient.
With these policies in place, Kubernetes administrators can automate many aspects of cluster management, reducing human error and improving security, compliance, and resource efficiency. Kyverno makes it easy to implement these policies with its flexible, code-driven approach, enabling teams to focus on building reliable applications rather than managing infrastructure.
To learn how to automate security and operations, check out Nirmata Control Hub today.