helm repo add kyverno <https://kyverno.github.io/kyverno/>
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace \\
--set admissionController.replicas=3 \\
--set backgroundController.replicas=2 \\
--set cleanupController.replicas=2 \\
--set reportsController.replicas=2
kubectl -n kyverno get pods
kubectl create ns prod
kubectl create ns beta
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-latest-tag
annotations:
policies.kyverno.io/title: Restrict Latest Tag
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
This policy restricts the use of the 'latest' tag in the 'prod' namespace.
spec:
validationFailureAction: enforce
background: true
rules:
- name: disallow-latest-tag-in-prod
match:
any:
- resources:
kinds:
- Pod
namespaces:
- prod
validate:
message: "Using 'latest' tag is not allowed in 'prod' namespace."
pattern:
spec:
containers:
- image: "!*:latest"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-labels
annotations:
policies.kyverno.io/title: Enforce Labels
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
This policy enforces specific labels in 'prod' and 'beta' namespaces.
spec:
validationFailureAction: enforce
background: true
rules:
- name: require-prod-label
match:
any:
- resources:
kinds:
- Pod
namespaces:
- prod
validate:
message: "Pods in 'prod' namespace must have label 'cloudhrdk.com/env: prod'."
pattern:
metadata:
labels:
cloudhrdk.com/env: "prod"
- name: require-beta-label
match:
any:
- resources:
kinds:
- Pod
namespaces:
- beta
validate:
message: "Pods in 'beta' namespace must have label 'cloudhrdk.com/env: beta'."
pattern:
metadata:
labels:
cloudhrdk.com/env: "beta"
kubectl apply -f kyverno.yaml