DEV Community

Suresh Kumar for Kubernetes Community Days Chennai

Posted on • Originally published at sureshdsk.dev

How to use Kyverno CLI to validate k8s manifests?

In the previous article, we saw what Kyverno is, its features, its use cases and how it works. In this article we will install the Kyverno CLI on our local machine and explore its use cases.

Install Kyverno CLI

  • The Kyverno CLI is designed to validate and test policy behavior against resources before they are added to a cluster.
  • It is used in CI/CD pipelines to validate manifests before they are deployed.
  • It can be integrated into pre-commit hooks.

Install Kyverno CLI via Krew

Krew is the plugin manager for the kubectl command-line tool. If you do not have krew installed already, please follow the instructions --> https://krew.sigs.k8s.io/docs/user-guide/setup/install/

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno
# test the Kyverno CLI
kubectl kyverno version

Install Kyverno CLI via Brew (MacOS)

# Install Kyverno CLI using brew
brew install kyverno
# test the Kyverno CLI
kyverno version

Kyverno CLI Commands

Apply

  • Performs a dry run on one or more policies for the given manifest(s)
  • Executes mutate policies and shows mutated resource as an output

kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml

Test

  • tests policies from a git repo or a local directory
  • recursively looks for YAML files in a directory and executes the tests found
  • a kyverno test definition consists of a test name, policies, resources and expected results.

An example test would look like this:

name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

To run the test:

kyverno test /path/to/yamls
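The files that such a test definition refers to, as an added example that is not from the article: a disallow-latest-tag policy trimmed to its validate-image-tag rule (following the Kyverno sample policy of that name), a constructed myapp-pod resource that uses busybox:latest, and a test file expecting that rule to fail. The file name kyverno-test.yaml is the one the CLI looks for; running the suite is skipped when kyverno is not on PATH.

```shell
# Added example: generate policy, resource and test definition into a
# scratch directory so `kyverno test` has something concrete to run on.
set -eu
# Write policy.yaml, resource.yaml and kyverno-test.yaml into directory $1.
write_fixture() {
  mkdir -p "$1"
  cat >"$1/policy.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
EOF
  cat >"$1/resource.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
spec:
  containers:
  - name: app
    image: busybox:latest
EOF
  cat >"$1/kyverno-test.yaml" <<'EOF'
name: disallow_latest_tag
policies: [policy.yaml]
resources: [resource.yaml]
results:
- {policy: disallow-latest-tag, rule: validate-image-tag, resource: myapp-pod, kind: Pod, result: fail}
EOF
}
# Runs the suite; exit status is non-zero when an expected result does not match.
run_tests() { kyverno test "$1"; }
fixture_dir=$(mktemp -d)
write_fixture "$fixture_dir"
if command -v kyverno >/dev/null; then run_tests "$fixture_dir"; fi
```

The constructed resource deliberately violates the rule, so a result of pass in the test file would make the suite fail, which is the kind of mismatch kyverno test is meant to surface in CI.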

Validate

  • check if a policy is syntactically valid.
  • can validate multiple policy resource description files or a folder containing policy resource description files.

kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies

Jp

The Kyverno CLI also provides a utility called jp to evaluate JMESPath expressions against JSON input.

$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"

$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}
$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox

Kyverno pre-commit hooks

Kyverno can be integrated into pre-commit hooks to test and validate policies. To set up the pre-commit hook, check out -> https://github.com/kyverno/pre-commit-hook

.pre-commit-config.yaml

repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]

If you like this article, subscribe to the newsletter and connect with me on Twitter to get updates on my future articles. ✅
