Kyverno
Definition
Kyverno is a policy engine designed for Kubernetes that lets users manage and enforce policies for Kubernetes resources. It works by validating, mutating, and generating resource configurations so that a cluster adheres to organizational policies and security standards; a validate rule either blocks a non-compliant resource at admission or records the violation, depending on how the policy is configured. Kyverno policies are written in YAML and can be used to automate security best practices, compliance requirements, and operational guidelines within Kubernetes environments.
Secure Settings Example
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  # Enforce rejects non-compliant Pods at admission time; without this field
  # Kyverno defaults to Audit, which only records the violation and admits the Pod.
  validationFailureAction: Enforce
  rules:
    - name: check-run-as-non-root
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Running as root user is not allowed."
        # The pattern requires the Pod-level securityContext to be present and set
        # to runAsNonRoot: true; a container-level securityContext can still override it.
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true
Insecure Settings Example
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-run-as-root
spec:
  rules:
    - name: allow-run-as-root
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Running as root user is allowed."
        # Insecure: this pattern accepts Pods whose securityContext explicitly
        # sets runAsNonRoot: false, i.e. it codifies running as root.
        pattern:
          spec:
            securityContext:
              runAsNonRoot: false
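To show how the secure policy above decides admission, here is an added example (not Kyverno's own code) that models a simplified subset of Kyverno's validate.pattern matching in Python: every key in the pattern must exist in the resource, scalars must match exactly, nested maps recurse, and the validationFailureAction value decides whether a failed pattern denies the request or only audits it. Anchors, wildcards and list semantics are left out, and the Pod manifests are constructed samples.

```python
# Added example modelling the page's require-run-as-non-root policy.
# Simplified Kyverno pattern semantics: keys required, scalars exact, maps recurse.

SECURE_POLICY = {  # mirrors the page's ClusterPolicy, with Enforce set explicitly
    "validationFailureAction": "Enforce",
    "message": "Running as root user is not allowed.",
    "pattern": {"spec": {"securityContext": {"runAsNonRoot": True}}},
}

# Same policy without validationFailureAction: Kyverno defaults to Audit.
AUDIT_POLICY = dict(SECURE_POLICY, validationFailureAction="Audit")


def pattern_matches(pattern, resource):
    """Return True if resource satisfies pattern (simplified Kyverno rules)."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        # A key in the pattern that is absent from the resource is a mismatch,
        # so a Pod with no securityContext at all fails the secure policy.
        return all(k in resource and pattern_matches(v, resource[k])
                   for k, v in pattern.items())
    return pattern == resource


def admit(policy, pod):
    """Return (decision, reason) for one Pod under one validate rule."""
    if pattern_matches(policy["pattern"], pod):
        return "allow", "pattern satisfied"
    if policy["validationFailureAction"] == "Enforce":
        return "deny", policy["message"]
    return "allow", "audit: violation recorded, request admitted"


# Constructed sample Pods (abbreviated manifests as Python dicts).
POD_NONROOT = {"spec": {"securityContext": {"runAsNonRoot": True},
                        "containers": [{"name": "app", "image": "app:1.0"}]}}
POD_ROOT = {"spec": {"securityContext": {"runAsNonRoot": False},
                     "containers": [{"name": "app", "image": "app:1.0"}]}}
POD_UNSET = {"spec": {"containers": [{"name": "app", "image": "app:1.0"}]}}


if __name__ == "__main__":
    for name, pod in [("nonroot", POD_NONROOT), ("root", POD_ROOT), ("unset", POD_UNSET)]:
        print(name, "enforce:", admit(SECURE_POLICY, pod), "audit:", admit(AUDIT_POLICY, pod))
```

Note that the Pod without any securityContext is also denied under Enforce, because the pattern requires the key to be present, not merely that it is not false.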