Security in Kubernetes shifts the security enforcement with Admission Controllers the flow of these systems can be enhanced with utilization of tools such as Open Policy Agent which leverages rego to define parameters that must be met prior to authorization of operations requested against the Kubernetes api server.
What is Kyverno?
Kyverno is (greek for “govern”), a open-source software project that utilizes a policy engine and rather learning rego for using OPA you can leverage kubernetes YAML manifests so no need to invest more time in a new language. Kyverno does validations, mutations and generations along with clean up.
Like any tool this can be as powerful as the operator behind it but also the security practice team in ensuring guard rails are implemented.
For today’s demo I’m launching a cluster in Azure Kubernetes Service from a pre-existing script running v1.25 so a little behind but in lieu of some testing I have to update this region’s latest version.
Requirements
- Kubernetes Cluster Node (Ideally two)
- Installation of Kyverno
Okay now the boring stuff is out the door let’s show some hands on, I’m currently running in my shell I’ve just authorized into the control plane
Let’s start with installing our tool with the below commands
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.10.0/install.yaml
From the image above we can see we are deploying quite a lot in our cluster so let’s visualize this to see what we just performed.
After running ‘kubectl get crds | grep kyverno*
We can see all associated custom resource definitions we’ve applied to our cluster, now let’s take a peek at the pods created in the namespace associated.
So we have a quite amount of items that are onboarded essentially the admission controller will be a piece of the architecture that
Photo credit from https://kyverno.io/docs/introduction/
The webhook controller will watch installed policies and modifies received webhooks to ensure requests only have resources according to the policies.
For this demo we will be performing Mutation
Mutation is the ability to change or “mutate” a resource defined by the documentation this can also be used for desired state of resources.
Below is a modified Mutation
kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: required-labels
spec:
rules:
- name: required-labels
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
labels:
+(department): development
EOF
So from the policy defined in YAML we are defining that any resources related to “Pod” have to include a label such as department=<department name>.
You can easily validate this by running the following command kubectl get clusterpolicy
I’ve quickly ran the kubectl run busybox –image busybox:latest
We’ve added our label we’ve defined as code – department=development.
Let’s try running a new pod with a tag but with different values on the k/v store.
Now we can run the same command to see what labels are met just with the value we’ve input as “Research” so we’ve ensured a label was applied to our workload container (nginx) declaratively.
While this was a simple example this is one iteration of how you can extend policies utilizing Kyverno. Other documentation related to mutate get more complex and also has many use cases. https://kyverno.io/docs/writing-policies/mutate/
Ensure you don’t incur any dormant charges and delete the resource group that houses your AKS service and resources consumed.
Summary and Perspective
Aligning with the 4C’s of Cloud Native principals we are primarily utilizing this to protect the cluster and container layer with declaratively utilizing Policy-as-Code. Nirmata also offers enterprise support for a paid version that enhances your ability a break down of the differences are listed below I’ve used documentation as reference. If you evaluating how can you safe guard your cluster and utilize YAML as a native resource definition you simplify the construct of the syntax. Additional areas of course are adding to the software supply chain ensure your images are pulled from vetted repos, ideally (private).
