The following commands install Kyverno with Helm:

```shell
helm repo add kyverno https://kyverno.github.io/kyverno
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
```

To uninstall Kyverno with Helm:

```shell
helm uninstall kyverno -n kyverno
```
Chart version: 3.4.1
Kyverno version: v1.14.1
The following components will get installed in the cluster:
- CRDs
- Admission controller
- Reports controller
- Cleanup controller
- Background controller
kyverno.yaml:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
    - name: require namespace standard names
      match:
        any:
          - resources:
              kinds:
                - Namespace
      validate:
        failureAction: Enforce
        message: "You must have the proper naming standard for namespace creation"
        pattern:
          metadata:
            name: dev
```
To accept several namespace name patterns, join them with the "or" operator (|):
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
    - name: require namespace standard names
      match:
        any:
          - resources:
              kinds:
                - Namespace
      validate:
        failureAction: Enforce
        message: "You must have the proper naming standard for namespace creation"
        pattern:
          metadata:
            name: app-poc-* | app-prod-* | app-test*
```

```shell
kubectl get ClusterPolicy
NAME                    ADMISSION   BACKGROUND   READY   AGE     MESSAGE
namespace-restriction   true        true         True    2m49s   Ready
```
A namespace manifest is now created with a different namespace name:
namespace.yaml:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    name: development
```
The request is rejected with the following error:
```
Error from server: error when creating "namespace.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Namespace//development was blocked due to the following policies namespace-restriction: require namespace standard names: 'validation error: You must have the proper naming standard for namespace creation. rule require namespace standard names failed at path /metadata/name/'
```
Applying the policy does not disturb existing pods and namespaces. A ClusterPolicy applies to the entire cluster.
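Why `development` is rejected, and which names the "or" pattern admits, shown as an added example that is not part of the original post and is not Kyverno's own code. It is a simplified Python model that assumes `*` matches any run of characters, `?` matches exactly one character, and the whole name must match one alternative; the function names and sample names are constructed for illustration.

```python
import re

# Patterns copied from the two policies on this page.
SINGLE_PATTERN = "dev"
OR_PATTERN = "app-poc-* | app-prod-* | app-test*"

# Constructed sample namespace names (not from the page, except "development").
SAMPLE_NAMES = [
    "dev", "development", "app-poc-payments", "app-prod-billing",
    "app-test", "app-testing", "app-poc", "my-app-prod-x",
]


def _wildcard_to_regex(alternative: str) -> re.Pattern:
    """Translate one alternative; assumption: '*' = any run, '?' = one char."""
    parts = []
    for ch in alternative:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return re.compile("".join(parts))


def name_allowed(pattern: str, name: str) -> bool:
    """True if `name` fully matches any '|'-separated alternative of `pattern`."""
    alternatives = [alt.strip() for alt in pattern.split("|") if alt.strip()]
    return any(_wildcard_to_regex(alt).fullmatch(name) for alt in alternatives)


def check_names(pattern: str, names: list) -> dict:
    """Map each candidate name to the modelled admission decision."""
    return {name: name_allowed(pattern, name) for name in names}


if __name__ == "__main__":
    for pattern in (SINGLE_PATTERN, OR_PATTERN):
        print(f"pattern: {pattern}")
        for name, ok in check_names(pattern, SAMPLE_NAMES).items():
            print(f"  {name:<18} {'allowed' if ok else 'blocked'}")
```

Note that `app-test*` has no trailing hyphen, so it also admits names such as `app-testing`, while `app-poc-*` does not admit a bare `app-poc`.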
YAML file to install Kyverno from Argo CD:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 3.4.1
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true
```