Kyverno v1.8.0: Native Pod Security, YAML signing, and More

Kyverno v1.8.0: Native Pod Security, YAML signing, and More

This blog is also posted on the Kyverno site.

Following on the heels of the 1.7 release of Kyverno, the Kyverno team is proud to present version 1.8.0, which is another huge leap forward not just in terms of features and functionality but of optimizations, performance, and other improvements required in strict or high-scale environments. And in addition to those, a tremendous amount of work went into refactoring and other housekeeping items that make Kyverno cleaner and more efficient – making future development (and contributions) easier, quicker, and ultimately more maintainable. We’ll walk through the largest of these features in this article.

Key New Features of Kyverno 1.8.0

Pod Security Integration

The successor to Kubernetes’ Pod Security Policy (PSP) is Pod Security Admission, enabled by default in 1.23 and stable now in 1.25. This new technology implements a set of standards dubbed Pod Security Standards. Pod Security Admission brings many benefits over PSPs but also some fairly important caveats. Starting in 1.8.0, Kyverno has a new validate subrule called podSecurity which internally uses the same libraries as Pod Security Admission but allows for much simpler implementation of those standards while offering flexible exemptions not found in Pod Security Admission. Shown below is an example of this new podSecurity rule in action which implements the entire restricted profile of the Pod Security Standards across the entire cluster.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-restricted  
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: restricted
        version: latest

YAML Manifest Verification

Although Kyverno has integrated with Sigstore tooling for some time now, offering capabilities like container image signature verification and attestation verification, Kyverno 1.8.0 steps this up one notch further by bringing support for Sigstore’s manifest project. With this integration, Kyverno is now additionally able to verify signatures on Kubernetes YAML manifests to ensure, like container images, that they haven’t been tampered with. Once a manifest has been signed with a private key of a user’s choosing, a new Kyverno policy may be written which verifies the signature and comparing the signed (original) manifest contents with the current contents. Shown here is an example of such a policy which verifies the key used to sign Deployments.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-manifest-integrity   
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: verify-deployment-allow-replicas
      match:
        any:
        - resources:
            kinds:
              - Deployment
      validate:
        manifests:
          attestors:
          - count: 1
            entries:
            - keys:
                publicKeys: |-
                  -----BEGIN PUBLIC KEY-----
                  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEStoX3dPCFYFD2uPgTjZOf1I5UFTa
                  1tIu7uoGoyTxJqqEq7K2aqU+vy+aK76uQ5mcllc+TymVtcLk10kcKvb3FQ==
                  -----END PUBLIC KEY-----                  
          ignoreFields:
          - objects:
            - kind: Deployment
            fields:
            - spec.replicas

Signing of manifests is a great way to bolster the security of your Kubernetes cluster, but it also requires some flexibility. Teams often need to change values and certain fields (in addition to Kubernetes itself needing to sometimes change them). That’s why with this new rule type there is an object where you can specify which fields to ignore when verifying those manifests. In the previous policy, it provides an exception for the replicas field of a Deployment allowing only the value of this field to deviate from what was originally signed.

Cloning Multiple Resources

One of the defining capabilities of Kyverno is its simple way of generating new Kubernetes resources as opposed to just validating or mutating them. We’ve seen tremendous adoption of this policy-based ability by software teams and users all over the place. One of the most common use cases for this generate ability is in multi-tenancy or Namespace-as-a-Service provisioning processes. But something we heard loud and clear was that users needed to clone more than just a single resource at a time. Very often, when provisioning a new Namespace, a variety of resources are required before handing that over. For example, Secrets, ConfigMaps, Custom Resources, and others are commonly required. In Kyverno 1.8.0, we’ve brought you this ability by now allowing a single generate rule to define, in a selective manner, and clone multiple resources from the same source Namespace. As you can see from the below policy, whenever a new Namespace is created, all the Secrets and ConfigMaps in the staging Namespace which have been labeled with allowedToBeClone=true will be cloned into the new Namespace.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: provision-namespaces
spec:
  rules:
  - name: sync-secrets-configmaps
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      cloneList:
        namespace: staging
        kinds:
          - v1/Secret
          - v1/ConfigMap
        selector:
          matchLabels:
            allowedToBeCloned: "true"

GitOps-Friendly Rule Auto-Generation Is Here To Stay

We covered in the 1.7.0 release blog how we were taking steps to make Kyverno’s valuable rule auto-generation capability more friendly for GitOps users by not touching the spec portion of a Kyverno policy. Now in 1.8.0, that feature is on by default and no feature flags are required, allowing users of popular GitOps tools like Flux and ArgoCD to deploy Kyverno policies through their tooling without having to slightly adapt their definitions to account for these changes.

Other Additions and Enhancements

Kyverno 1.8.0 is such a substantial release it’s hard to cover all of its features, but here are a few others to note.

  • OpenTelemetry support was added for those who want an alternative to Prometheus.
  • The CLI now supports testing of generate policies joining long-time support for validate and mutate rule testing.
  • On the JMESPath side, we have two new filters called random and x509_decode. The random filter gives Kyverno the ability to generate random strings of data but in a fully composable and easy-to-use way. The x509_decode filter allows Kyverno to interpret PEM-encoded X509 certificates and make policy decisions based upon their contents, excellent for doing things like checking certificate subjects, expiration dates, and more.
  • The reporting system received a total overhaul in this release which makes it both lighter on memory, faster to generate policy reports, and more reliable.
  • Over time with the tremendous development velocity achieved in Kyverno, we’ve added many new fields and changed others. Kyverno 1.8.0 introduces a new schema version v2beta1, which is what we’ll begin using in the near future as it brings all the various rule types fully up-to-date with the latest and greatest.
  • And on the sample policy library, almost forty new policies have been added including implementation of best practices for common service meshes like Istio and Linkerd, CI/CD tools like Tekton, and more. This brings the total up to around 230, making Kyverno, by far, the policy engine with the largest number of samples designed to help get you running faster and easier.

Potentially Breaking Changes

A couple of things of which to be aware prior to upgrading. First, the Helm chart registry URL has changed to ghcr.io/kyverno/charts/kyverno, so make sure to update your Helm repositories. And second, because we’ve revamped Kyverno’s reporting and background scanning abilities, the backgroundScan container flag you might have passed previously has changed to being a “true” or “false” value, simply either activating or deactivating background scans.

Closing

Just like in previous releases, Kyverno 1.8.0 is a huge release closing over 250 issues. The maintainers and contributors have been hard at work for the past few months trying to bring additional value to the community, so we hope you find this release useful. As always, we love the community and hope you engage with us on any one of our outlets.

Discover more about Kyverno v 1.8.0 for GitOps and DevOps needs here, and thanks for reading! You can also sign-up for a Free Trial to see what all the excitement is about. If you have any specific questions about v.1.8.0, please don’t hesitate to reach-out to Nirmata here.

Image by Christine Aubé from Pixabay 

Kubernetes Policy Comparison: Kyverno vs. OPA/Gatekeeper
No Comments

Post a Comment