Jeg, posted on DEV Community
Kyverno - Namespace restriction policy

The following Helm commands install Kyverno:

```shell
helm repo add kyverno https://kyverno.github.io/kyverno
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
```

To uninstall Kyverno with Helm:

```shell
helm uninstall kyverno -n kyverno
```

Chart version: 3.4.1
Kyverno version: v1.14.1

The chart installs the following components in the cluster:

  • CRDs
  • Admission controller
  • Reports controller
  • Cleanup controller
  • Background controller

kyverno.yaml:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
    - name: require namespace standard names
      match:
        any:
          - resources:
              kinds:
                - Namespace
      validate:
        failureAction: Enforce
        message: "You must have the proper naming standard for namespace creation"
        pattern:
          metadata:
            name: dev
```

Several allowed namespace name patterns can be combined with the `|` (logical OR) operator in the pattern:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
    - name: require namespace standard names
      match:
        any:
          - resources:
              kinds:
                - Namespace
      validate:
        failureAction: Enforce
        message: "You must have the proper naming standard for namespace creation"
        pattern:
          metadata:
            name: "app-poc-* | app-prod-* | app-test*"
```

Check that the policy has been admitted and is ready:

```shell
kubectl get ClusterPolicy
```

```
NAME                    ADMISSION   BACKGROUND   READY   AGE     MESSAGE
namespace-restriction   true        true         True    2m49s   Ready
```

Now create a namespace whose name does not match the pattern:

namespace.yaml:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    name: development
```

The request is denied with the following error:

```
Error from server: error when creating "namespace.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Namespace//development was blocked due to the following policies namespace-restriction: require namespace standard names: 'validation error: You must have the proper naming standard for namespace creation. rule require namespace standard names failed at path /metadata/name/'
```

Applying the policy does not disturb existing pods and namespaces. A ClusterPolicy applies to the entire cluster.
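As an added pre-check (my own code, not from this post and not Kyverno's implementation), the script below reproduces the `*`/`?` wildcard and `|` OR semantics of the pattern string so candidate namespace names can be screened before they are sent to the cluster. The candidate names are constructed, and one of them (`app-testing`) shows that the third alternative, `app-test*`, accepts names without a hyphen after `app-test` because the pattern has none.

```python
from __future__ import annotations

import re

# Constructed copy of the pattern from the second ClusterPolicy above
# (spec.rules[0].validate.pattern.metadata.name).
POLICY_NAME_PATTERN = "app-poc-* | app-prod-* | app-test*"


def kyverno_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one Kyverno wildcard pattern into an anchored regex.

    Kyverno pattern strings treat '*' as zero or more characters and
    '?' as exactly one character; every other character is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def split_or_pattern(pattern: str) -> list[str]:
    """Split a pattern on the '|' logical-OR operator, trimming whitespace."""
    return [alt.strip() for alt in pattern.split("|") if alt.strip()]


def namespace_allowed(name: str, pattern: str = POLICY_NAME_PATTERN) -> bool:
    """True if a Namespace with this metadata.name satisfies the pattern."""
    return any(kyverno_wildcard_to_regex(alt).match(name)
               for alt in split_or_pattern(pattern))


def review_names(names: list[str], pattern: str = POLICY_NAME_PATTERN) -> dict[str, bool]:
    """Dry-run a batch of candidate namespace names against the pattern."""
    return {n: namespace_allowed(n, pattern) for n in names}


if __name__ == "__main__":
    # Constructed candidates; "development" is the name the post shows being denied.
    candidates = ["development", "app-poc-billing", "app-prod-api",
                  "app-test-1", "app-testing", "app-prod", "prod-app-x"]
    for n, ok in review_names(candidates).items():
        print(f"{n:18} {'allowed' if ok else 'DENIED'}")
```

If a stricter third alternative is intended, `app-test-*` would require the hyphen like the other two.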

The following Argo CD Application manifest installs the same Kyverno chart:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 3.4.1
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true
```
