Chapter 5. Admission Policies with Kyverno

Why this step

Linters warn, admission enforces. A Kyverno validating policy is evaluated by the API server before an object is persisted, so a manifest that breaks a rule is rejected at apply time instead of merely being flagged. That keeps accidental drift (“works on my laptop”) from ever landing in the cluster.

Install Kyverno

make kyverno-install

The Makefile target installs Kyverno with Helm. If you prefer the official release manifests, apply those instead.

Apply policies

Ensure the following are present under policies/:

  • disallow-latest.yaml
  • enforce-pod-security-basics.yaml
  • require-resources.yaml
  • require-probes.yaml
  • (optional) verify-image-signatures.yaml (embed the contents of your cosign.pub as the policy's public key)

Then:

make kyverno-apply
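
For reference, one of the listed policies written out, plus a pre-apply check. This is an added example, not a file from the repository: the policy follows the shape of Kyverno's public disallow-latest-tag policy, and the check only knows about the spec-level validationFailureAction field (an assumption; adjust it if your policies set the action elsewhere).

```shell
#!/usr/bin/env sh
# Added example, not one of the repository's own policy files: writes
# policies/disallow-latest.yaml in the shape this chapter expects and checks
# that every policy in the directory is actually in Enforce mode.
set -eu

# write_disallow_latest <dir>
# Matching on Pod also covers Deployments, StatefulSets, Jobs and CronJobs:
# Kyverno auto-generates the equivalent rule for each Pod controller, which
# is why the chapter's bad Deployment is caught by a Pod-level rule.
write_disallow_latest() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/disallow-latest.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest
spec:
  # Audit (the default when the field is omitted) only writes a PolicyReport.
  # Enforce is what makes the admission webhook reject the object.
  validationFailureAction: Enforce
  background: true
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
EOF
}

# require_enforce <dir>
# Returns non-zero (and names the offenders) if any policy in <dir> is not
# explicitly in Enforce mode. Run it before make kyverno-apply so an
# Audit-only policy set is never mistaken for a blocking one.
require_enforce() {
  dir="$1"
  bad=0
  for f in "$dir"/*.yaml; do
    if ! grep -qE '^[[:space:]]*validationFailureAction:[[:space:]]*"?[Ee]nforce"?[[:space:]]*$' "$f"; then
      echo "NOT ENFORCING: $f" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Usage from the repo root:  sh this-script.sh --check policies
if [ "${1:-}" = "--check" ]; then
  require_enforce "${2:-policies}"
fi
```

The check is deliberately strict about an omitted field: Kyverno treats a missing validationFailureAction as Audit, so a policy that looks complete can still block nothing.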

Prove it works (intentional failure)

A deliberately non-compliant manifest lives at infra/k8s/bad/deploy-bad.yaml. Run:

make kyverno-bad-apply

Expected: the apply fails. kubectl reports that the Kyverno admission webhook denied the request and lists each violation by policy and rule; nothing is created. The output is copied to artifacts/policy-tests.txt as evidence. If the bad manifest is accepted instead, check that every policy sets validationFailureAction: Enforce; the default, Audit, only records the violation in a PolicyReport and blocks nothing.

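A stricter form of the negative test, added here rather than taken from the Makefile: it captures the rejection as evidence in the same file, but exits non-zero if the bad manifest is accepted, or if the failure is something other than a Kyverno denial (an unreachable API server, a YAML typo). The expected policy names and the dry-run behaviour are assumptions: align the names with policies/ and with what deploy-bad.yaml violates, and drop --dry-run=server if your Kyverno install does not evaluate dry-run requests.

```shell
#!/usr/bin/env sh
# Added example, not the repository's make target: push the deliberately bad
# manifest through admission and FAIL unless it is rejected, so a policy set
# that silently lets it through cannot be mistaken for passing evidence.
set -eu

BAD_MANIFEST="${BAD_MANIFEST:-infra/k8s/bad/deploy-bad.yaml}"
EVIDENCE="${EVIDENCE:-artifacts/policy-tests.txt}"
# Policies the bad manifest is meant to trip. Assumed names: keep this list
# in step with the files under policies/ and with what deploy-bad.yaml breaks.
EXPECTED_POLICIES="disallow-latest require-resources"

# policy_rejected <kubectl-exit-code> <captured-output-file>
# True only if kubectl failed AND the failure is a Kyverno admission denial,
# not an unrelated error (API server unreachable, malformed YAML, ...).
policy_rejected() {
  [ "$1" -ne 0 ] || return 1
  grep -q 'admission webhook.*kyverno.*denied the request' "$2" || return 1
}

# all_policies_fired <captured-output-file>
# Kyverno lists each blocking policy as "<policy-name>:" followed by its
# rules; insist that every expected policy is among them, so a single
# mis-applied policy cannot hide behind the others.
all_policies_fired() {
  for p in $EXPECTED_POLICIES; do
    if ! grep -q "${p}:" "$1"; then
      echo "expected policy did not block: $p" >&2
      return 1
    fi
  done
}

# run_negative_test
# --dry-run=server is still sent through admission (assumed: Kyverno's
# validating webhook evaluates dry-run requests), so nothing is created even
# if a policy is accidentally in Audit mode.
run_negative_test() {
  mkdir -p "$(dirname "$EVIDENCE")"
  rc=0
  kubectl apply --dry-run=server -f "$BAD_MANIFEST" >"$EVIDENCE" 2>&1 || rc=$?
  printf '\nkubectl exit code: %s\n' "$rc" >>"$EVIDENCE"
  if policy_rejected "$rc" "$EVIDENCE" && all_policies_fired "$EVIDENCE"; then
    echo "PASS: bad manifest rejected by admission; evidence in $EVIDENCE"
  else
    echo "FAIL: bad manifest was NOT rejected as expected; see $EVIDENCE" >&2
    return 1
  fi
}

# Usage from the repo root:  sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then
  run_negative_test
fi
```

Wire it into the kyverno-bad-apply target (or CI) so the step is red when admission lets the bad manifest through, rather than green because a file was written.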

(Optional) Verify image signatures

If you sign locally:

cosign generate-key-pair        # once; writes cosign.key (password-protected) and cosign.pub
make sbom sign_blob verify_blob # signs the SBOM blob and verifies that signature
# If you also sign the IMAGE later (cosign pushes the signature to the registry next to the image):
# cosign sign --key cosign.key $(GOOD)
# Then put the contents of cosign.pub into verify-image-signatures.yaml and re-apply.
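
The optional policy rendered from the key rather than pasted by hand, as an added example that is not a repository file. Everything about the policy shape is standard Kyverno verifyImages syntax; the image glob ghcr.io/example/* is a placeholder, to be replaced with the registry path of $(GOOD).

```shell
#!/usr/bin/env sh
# Added example, not a file from the repository: render the optional
# verify-image-signatures policy from a cosign public key instead of hand-
# pasting PEM lines into YAML, where one wrong indent silently breaks the key.
set -eu

# render_verify_policy <public-key.pem> <image-glob>
# Prints a ClusterPolicy that refuses any Pod whose image matches <image-glob>
# unless a cosign signature made with the matching private key is found in
# the registry next to the image. The glob is a placeholder; use your own.
render_verify_policy() {
  key_file="$1"
  image_glob="$2"
  # publicKeys is a YAML block scalar: every PEM line must sit deeper than
  # the "publicKeys:" key, which is 22 spaces at the nesting used below.
  indent=$(printf '%22s' '')
  indented_key=$(sed "s/^/$indent/" "$key_file")
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  # Fail closed: if Kyverno cannot reach the registry, the Pod is rejected
  # rather than admitted unverified.
  failurePolicy: Fail
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "${image_glob}"
          # Rewrite the tag to the verified digest so what was verified is
          # exactly what runs.
          mutateDigest: true
          required: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
${indented_key}
EOF
}

# Usage from the repo root, after cosign generate-key-pair:
#   sh this-script.sh --render cosign.pub 'ghcr.io/example/*' > policies/verify-image-signatures.yaml
#   make kyverno-apply
# Then prove the negative: a Pod using an unsigned image that matches the glob
# must be denied, while cosign verify --key cosign.pub <image> succeeds for
# the signed one.
if [ "${1:-}" = "--render" ]; then
  render_verify_policy "${2:-cosign.pub}" "${3:-ghcr.io/example/*}"
fi
```

Two caveats worth keeping in mind: the policy matches Pods, so Kyverno's auto-generated rules cover the Deployment too, and verification needs registry access from the Kyverno pods, so a private registry requires Kyverno to be given pull credentials before this policy is switched to Enforce.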

Checklist

  • Kyverno installed and policies/*.yaml committed, each with validationFailureAction: Enforce
  • A bad manifest was rejected; evidence saved to artifacts/policy-tests.txt
  • (Optional) verify-image-signatures policy references your cosign public key