Kyverno PSP Guide
Kyverno is more flexible and can Enforce security and compliance standards beyond what PSA provides.
It installs as an admission webhook in your cluster. It checks every pod/deployment before creation. If your pod breaks a rule → Kyverno warns or blocks it.
✅ Install Kyverno ✅ Apply essential security policies (best practices)
✅ Step 1: Install Kyverno
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.14.4/install.yamlCheck:
kubectl get pods -n kyvernoYou should see Kyverno pods running.
✅ Step 2: Apply Essential Security Policies
Here are must-have policies for production clusters:
1. Disallow Privileged Containers
Prevent pods from running with privileged: true:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged
spec:
validationFailureAction: Enforce
background: true
rules:
- name: check-privileged
match:
resources:
kinds:
- Pod
validate:
message: "Privileged mode is not allowed."
pattern:
spec:
containers:
- securityContext:
privileged: "false"Apply:
kubectl apply -f disallow-privileged.yaml2. Require runAsNonRoot
Enforce running containers as non-root:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-run-as-non-root
spec:
validationFailureAction: Enforce
background: true
rules:
- name: run-as-non-root
match:
resources:
kinds:
- Pod
validate:
message: "Containers must set runAsNonRoot=true."
pattern:
spec:
containers:
- securityContext:
runAsNonRoot: true3. Disallow Privilege Escalation
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privilege-escalation
spec:
validationFailureAction: Enforce
background: true
rules:
- name: no-priv-escalation
match:
resources:
kinds:
- Pod
validate:
message: "Privilege escalation is not allowed."
pattern:
spec:
containers:
- securityContext:
allowPrivilegeEscalation: "false"4. Restrict HostPath Volumes
Block access to host file system:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-hostpath
spec:
validationFailureAction: Enforce
background: true
rules:
- name: no-hostpath
match:
resources:
kinds:
- Pod
validate:
message: "HostPath volumes are not allowed."
pattern:
spec:
=(volumes):
- X(hostPath): "null"5. Enforce Image Registry Policy
Allow only trusted image registries:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-image-registries
spec:
validationFailureAction: Enforce
background: true
rules:
- name: allow-only-approved-registries
match:
resources:
kinds:
- Pod
validate:
message: "Images must be from approved registries: ghcr.io, docker.io, your-registry.com."
pattern:
spec:
containers:
- image: "ghcr.io/* | docker.io/* | your-registry.com/*"✅ How to Apply All Policies
Save these YAMLs in a folder (e.g., kyverno-policies/) and apply:
kubectl apply -f kyverno-policies/Keep Note: validationFailureAction: Enforce/Audit Enforce blocks the creation of resources that violate the policy, while Audit allows them but logs violations.
-
Mutating Admission Controller → Can add/change things (like injecting a sidecar or setting defaults).
-
Validating Admission Controller → Can allow or deny the object based on rules.
✅ Step 3: Verify
Try to create a privileged pod:
kubectl run test --image=nginx --overrides='{"spec":{"containers":[{"name":"test","image":"nginx","securityContext":{"privileged":true}}]}}'It should be blocked.
✅ Essential Kyverno Policies for Production
1. Block latest Image Tag
Reason: Using latest can cause unpredictable deployments.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "Using 'latest' tag is not allowed. Use a specific version."
pattern:
spec:
containers:
- image: "!*:latest"2. Enforce Read-Only Root Filesystem
Prevents tampering inside containers.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-readonly-rootfs
spec:
validationFailureAction: Enforce
background: true
rules:
- name: check-readonly-rootfs
match:
resources:
kinds:
- Pod
validate:
message: "Containers must set readOnlyRootFilesystem=true."
pattern:
spec:
containers:
- securityContext:
readOnlyRootFilesystem: true3. Limit Container Capabilities
Drop all Linux capabilities except required ones.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-capabilities
spec:
validationFailureAction: Enforce
background: true
rules:
- name: drop-all-add-none
match:
resources:
kinds:
- Pod
validate:
message: "Containers must drop all capabilities."
pattern:
spec:
containers:
- securityContext:
capabilities:
drop: ["ALL"]4. Require CPU & Memory Limits
Guarantee resource allocation to prevent noisy neighbor issues.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-resource-limits
spec:
validationFailureAction: Audit
background: true
rules:
- name: validate-limits
match:
resources:
kinds:
- Pod
validate:
message: "CPU and memory limits must be set."
pattern:
spec:
containers:
- resources:
limits:
cpu: "?*"
memory: "?*"5. Block Containers Running as Root (UID 0)
Even if runAsNonRoot is missed, Enforce UID check.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-root-user
spec:
validationFailureAction: Enforce
background: true
rules:
- name: no-root-uid
match:
resources:
kinds:
- Pod
validate:
message: "Containers cannot run as root user."
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[*].securityContext.runAsUser }}"
operator: In
value: [0]DOCS ------------------------------------------------------------------------------------
Kyverno Admission Control: Mutate, Validate, Enforce, and Audit
Overview
Kyverno is a Kubernetes-native policy engine that manages and secures Kubernetes resources using admission control. It acts as a validating and mutating admission webhook, enabling:
- Validation – Ensure configurations follow policies (block or warn)
- Mutation – Add or modify resource configuration dynamically
- Generation – Create new resources when needed
- Verification – Check image signatures for security
Kyverno policies are written in YAML, making it easier for Kubernetes users compared to writing complex Rego scripts (OPA).
What is Admission Control in Kubernetes?
When a resource is created or modified, the request flows through:
- Authentication & Authorization
- Admission Controllers (Mutating → Validating)
- Persistence in etcd
Kyverno hooks into this flow as an admission controller:
- Mutating Webhook – Modify resource before creation (e.g., add labels)
- Validating Webhook – Accept or reject resource (enforce policies)
Kyverno Policy Types
✅ 1. Mutate Policies
-
Automatically add, modify, or remove fields in resource manifests.
-
Example use cases:
- Add labels/annotations
- Inject sidecar containers
- Enforce default security settings
Example:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-label
spec:
rules:
- name: add-kyverno-label
match:
resources:
kinds:
- Deployment
mutate:
patchStrategicMerge:
metadata:
labels:
kyverno: "true"✅ 2. Validate Policies
-
Ensure that resources meet security and compliance requirements.
-
Two modes:
- enforce → Block non-compliant resources
- audit → Report violations, but do not block
Example (Enforce Mode):
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged
spec:
validationFailureAction: enforce # Block requests
rules:
- name: no-privileged
match:
resources:
kinds:
- Pod
validate:
message: "Privileged mode is not allowed."
pattern:
spec:
containers:
- securityContext:
privileged: "false"Example (Audit Mode):
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: audit-resources
spec:
validationFailureAction: audit # Only warn
rules:
- name: check-resources
match:
resources:
kinds:
- Pod
- Deployment
validate:
message: "Containers should have CPU/memory requests and limits."
pattern:
spec:
containers:
- resources:
requests:
cpu: "?*"
memory: "?*"
limits:
cpu: "?*"
memory: "?*"Enforce vs Audit Mode
| Mode | Behavior |
|---|---|
| enforce | Denies non-compliant resources (fails admission) |
| audit | Logs violation in PolicyReport, resource is allowed |
Kyverno Operations
| Operation | Purpose |
|---|---|
| Mutate | Add or modify resource configuration |
| Validate | Ensure resources follow rules (block or allow) |
| Generate | Create resources automatically |
| VerifyImages | Enforce signed images |
Where to See Policy Violations
- PolicyReports CRD:
kubectl get policyreport -A- Kyverno Logs:
kubectl logs -n kyverno deploy/kyvernoExample violation in logs:
Policy disallow-privileged applied in audit mode for Pod/mypod in namespace default
Validation failed: Privileged mode is not allowed.Examples for Common Use Cases
Mutate Example: Add Label
Add kyverno=true label if missing:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-label
spec:
rules:
- name: add-kyverno-label
match:
resources:
kinds:
- Deployment
namespaces:
- ai-assistant
mutate:
patchStrategicMerge:
metadata:
labels:
kyverno: "true"Validate Example: Disallow Privileged Pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged
spec:
validationFailureAction: enforce
rules:
- name: no-privileged
match:
resources:
kinds:
- Pod
validate:
message: "Privileged containers are not allowed."
pattern:
spec:
containers:
- securityContext:
privileged: "false"Key Benefits
- Kubernetes-native policies (YAML)
- Admission control without coding
- Easy enforce/audit switch
- Supports mutate + validate together
✅ Next Steps
- Install Kyverno:
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.0/install.yaml-
Apply policies for:
- Security (No privileged containers, Run as non-root)
- Governance (Label enforcement, Registry restrictions)
- Best Practices (Resource limits, Probes)