Day 6 — Open Policy Agent(OPA) vs Kyverno

  • Kyverno
Source: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yamlnamespace/gatekeeper-system createdresourcequota/gatekeeper-critical-pods createdcustomresourcedefinition.apiextensions.k8s.io/configs.config.gatekeeper.sh createdcustomresourcedefinition.apiextensions.k8s.io/constraintpodstatuses.status.gatekeeper.sh createdcustomresourcedefinition.apiextensions.k8s.io/constrainttemplatepodstatuses.status.gatekeeper.sh createdcustomresourcedefinition.apiextensions.k8s.io/constrainttemplates.templates.gatekeeper.sh createdcustomresourcedefinition.apiextensions.k8s.io/providers.externaldata.gatekeeper.sh createdserviceaccount/gatekeeper-admin createdWarning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+podsecuritypolicy.policy/gatekeeper-admin createdrole.rbac.authorization.k8s.io/gatekeeper-manager-role createdclusterrole.rbac.authorization.k8s.io/gatekeeper-manager-role createdrolebinding.rbac.authorization.k8s.io/gatekeeper-manager-rolebinding createdclusterrolebinding.rbac.authorization.k8s.io/gatekeeper-manager-rolebinding createdsecret/gatekeeper-webhook-server-cert createdservice/gatekeeper-webhook-service createddeployment.apps/gatekeeper-audit createddeployment.apps/gatekeeper-controller-manager createdWarning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudgetpoddisruptionbudget.policy/gatekeeper-controller-manager createdvalidatingwebhookconfiguration.admissionregistration.k8s.io/gatekeeper-validating-webhook-configuration created
kubectl get nsNAME                 STATUS   AGEdefault              Active   2d10hgatekeeper-system    Active   22skube-node-lease      Active   2d10hkube-public          Active   2d10hkube-system          Active   2d10hlocal-path-storage   Active   2d10h
kubectl get crdNAME                                                 CREATED ATconfigs.config.gatekeeper.sh                         2021-11-01T04:11:42Zconstraintpodstatuses.status.gatekeeper.sh           2021-11-01T04:11:42Zconstrainttemplatepodstatuses.status.gatekeeper.sh   2021-11-01T04:11:42Zconstrainttemplates.templates.gatekeeper.sh          2021-11-01T04:11:42Zproviders.externaldata.gatekeeper.sh                 2021-11-01T04:11:42Z
kubectl get all -n gatekeeper-systemNAME                                                 READY   STATUS    RESTARTS   AGEpod/gatekeeper-audit-76bc76bfb6-wsclz                1/1     Running   0          26spod/gatekeeper-controller-manager-5c6c56cccf-7jsjf   1/1     Running   0          26spod/gatekeeper-controller-manager-5c6c56cccf-8558v   1/1     Running   0          26spod/gatekeeper-controller-manager-5c6c56cccf-8wlxb   1/1     Running   0          26sNAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGEservice/gatekeeper-webhook-service   ClusterIP   10.96.43.235   <none>        443/TCP   26sNAME                                            READY   UP-TO-DATE   AVAILABLE   AGEdeployment.apps/gatekeeper-audit                1/1     1            1           26sdeployment.apps/gatekeeper-controller-manager   3/3     3            3           26sNAME                                                       DESIRED   CURRENT   READY   AGEreplicaset.apps/gatekeeper-audit-76bc76bfb6                1         1         1       26sreplicaset.apps/gatekeeper-controller-manager-5c6c56cccf   3         3         3       26s
kubectl create -f template.yamlconstrainttemplate.templates.gatekeeper.sh/k8salwaysdeny created
kubectl get constrainttemplatesNAME            AGEk8salwaysdeny   22s> kubectl get crd |grep -i denyk8salwaysdeny.constraints.gatekeeper.sh              2021-11-01T04:22:28Z
> kubectl create -f constraints.yamlk8salwaysdeny.constraints.gatekeeper.sh/deny-pod-creation created> kubectl get k8salwaysdenyNAME                AGEdeny-pod-creation   36s
> kubectl run nginx --image=nginxError from server ([deny-pod-creation] Pod creation denied): admission webhook "validation.gatekeeper.sh" denied the request: [deny-pod-creation] Pod creation denied
> kubectl describe k8sAlwaysDeny deny-pod-creationName:         deny-pod-creationNamespace:Labels:       <none>Annotations:  <none>API Version:  constraints.gatekeeper.sh/v1beta1Kind:         K8sAlwaysDenyMetadata:Creation Timestamp:  2021-11-01T04:26:52ZGeneration:          1Managed Fields:API Version:  constraints.gatekeeper.sh/v1beta1Fields Type:  FieldsV1fieldsV1:f:status:Manager:      gatekeeperOperation:    UpdateTime:         2021-11-01T04:26:52ZAPI Version:  constraints.gatekeeper.sh/v1beta1Fields Type:  FieldsV1fieldsV1:f:spec:.:f:match:.:f:kinds:f:parameters:.:f:message:Manager:         kubectl-createOperation:       UpdateTime:            2021-11-01T04:26:52ZResource Version:  1908UID:               c19da666-371b-4d84-be71-8db885e0f643Spec:Match:Kinds:API Groups:Kinds:PodParameters:Message:  Pod creation deniedStatus:Audit Timestamp:  2021-11-01T04:27:51ZBy Pod:Constraint UID:       c19da666-371b-4d84-be71-8db885e0f643Enforced:             trueId:                   gatekeeper-audit-76bc76bfb6-wsclzObserved Generation:  1Operations:auditstatusConstraint UID:       c19da666-371b-4d84-be71-8db885e0f643Enforced:             trueId:                   gatekeeper-controller-manager-5c6c56cccf-7jsjfObserved Generation:  1Operations:webhookConstraint UID:       c19da666-371b-4d84-be71-8db885e0f643Enforced:             trueId:                   gatekeeper-controller-manager-5c6c56cccf-8558vObserved Generation:  1Operations:webhookConstraint UID:       c19da666-371b-4d84-be71-8db885e0f643Enforced:             trueId:                   gatekeeper-controller-manager-5c6c56cccf-8wlxbObserved Generation:  1Operations:webhookTotal Violations:  17Violations:Enforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                gatekeeper-audit-76bc76bfb6-wsclzNamespace:           gatekeeper-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                gatekeeper-controller-manager-5c6c56cccf-7jsjfNamespace:           gatekeeper-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                gatekeeper-controller-manager-5c6c56cccf-8558vNamespace:           gatekeeper-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                gatekeeper-controller-manager-5c6c56cccf-8wlxbNamespace:           gatekeeper-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                coredns-558bd4d5db-9pwptNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                coredns-558bd4d5db-bk8w2Namespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                etcd-my-kind-cluster-control-planeNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kindnet-hbhv6Namespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kindnet-tnh79Namespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kindnet-xg4l4Namespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-apiserver-my-kind-cluster-control-planeNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-controller-manager-my-kind-cluster-control-planeNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-proxy-46bnbNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-proxy-6x9zgNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-proxy-7mtwwNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                kube-scheduler-my-kind-cluster-control-planeNamespace:           kube-systemEnforcement Action:  denyKind:                PodMessage:             Pod creation deniedName:                local-path-provisioner-547f784dff-g6qwdNamespace:           local-path-storageEvents:                  <none>
  • Support Kubernetes and other systems like CI/CD, microservices, etc
  • Community support
  • The policy is complex and hard to read
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/release-1.5/definitions/release/install.yamlnamespace/kyverno createdcustomresourcedefinition.apiextensions.k8s.io/clusterpolicies.kyverno.io createdcustomresourcedefinition.apiextensions.k8s.io/clusterpolicyreports.wgpolicyk8s.io createdcustomresourcedefinition.apiextensions.k8s.io/clusterreportchangerequests.kyverno.io createdcustomresourcedefinition.apiextensions.k8s.io/generaterequests.kyverno.io createdcustomresourcedefinition.apiextensions.k8s.io/policies.kyverno.io createdcustomresourcedefinition.apiextensions.k8s.io/policyreports.wgpolicyk8s.io createdcustomresourcedefinition.apiextensions.k8s.io/reportchangerequests.kyverno.io createdserviceaccount/kyverno-service-account createdclusterrole.rbac.authorization.k8s.io/kyverno:admin-policies createdclusterrole.rbac.authorization.k8s.io/kyverno:admin-policyreport createdclusterrole.rbac.authorization.k8s.io/kyverno:admin-reportchangerequest createdclusterrole.rbac.authorization.k8s.io/kyverno:customresources createdclusterrole.rbac.authorization.k8s.io/kyverno:generatecontroller createdclusterrole.rbac.authorization.k8s.io/kyverno:leaderelection createdclusterrole.rbac.authorization.k8s.io/kyverno:policycontroller createdclusterrole.rbac.authorization.k8s.io/kyverno:userinfo createdclusterrole.rbac.authorization.k8s.io/kyverno:webhook createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:customresources createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:generatecontroller createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:leaderelection createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:policycontroller createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:userinfo createdclusterrolebinding.rbac.authorization.k8s.io/kyverno:webhook createdconfigmap/kyverno createdconfigmap/kyverno-metrics createdservice/kyverno-svc createdservice/kyverno-svc-metrics createddeployment.apps/kyverno createdWarning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudgetpoddisruptionbudget.policy/kyverno created
kubectl create -f policy.yamlclusterpolicy.kyverno.io/require-labels created
> kubectl run nginx --image nginxError from server: admission webhook "validate.kyverno.svc-fail" denied the request:resource Pod/default/nginx was blocked due to the following policiesrequire-labels:check-for-labels: 'validation error: label ''app.kubernetes.io/name'' is required.Rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/'
  • Easy to read
  • Relatively new

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store