Suresh Kumar
sureshdsk.dev

sureshdsk.dev

How to use Kyverno CLI to validate k8s manifests?

How to use Kyverno CLI to validate k8s manifests?

Suresh Kumar's photo
Suresh Kumar
·Apr 24, 2022·

2 min read

Subscribe to my newsletter and never miss my upcoming articles

In the previous article, we have seen what is Kyverno, its features, its use-cases and hot it works. In this article we will install kyverno cli in our local machine and explore its usecases.

Install Kyverno CLI

  • The Kyverno CLI is designed to validate and test policy behavior to resources prior to adding them to a cluster.
  • Used in CI/CD pipelines to validate manifests before they are deployed.
  • Can be integrated into precommit hooks

Install Kyverno CLI via Krew

Krew is the plugin manager for kubectl command-line tool. If do not have krew installed already, please follow the instructions --> krew.sigs.k8s.io/docs/user-guide/setup/inst..

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno

# test the Kyverno CLI
kubectl kyverno version

Install Kyverno CLI via Brew (MacOS)

# Install Kyverno CLI using brew
brew install kyverno

# test the Kyverno CLI
kyverno version

Kyverno CLI Commands

Apply

  • Performs a dry run on one or more policies for the given manifest(s)
  • Executes mutate policies and shows mutated resource as an output
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml

Test

  • tests policy from a git repo or local directory
  • recursively looks for YAML files in a directory and executes tests
  • kyverno test definition consists of test name, policies, resources and expected results.

An example test would look like

name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

To Run the test,

kyverno test /path/to/yamls

Validate

  • check if a policy is syntactically valid.
  • can validate multiple policy resource description files or a folder containing policy resource description files.
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies

Jp

Kyverno CLI also provides a utility called jp to work with JMESPath and expressions.

$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"
$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}

$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox

Kyverno precommit hooks

Kyverno can be integrated into precommit hooks to test and validate policies. To setup precommit hook, checkout -> github.com/kyverno/pre-commit-hook

.pre-commit-config.yaml

repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]

If you like this article, subscribe to the newsletter and Connect with me on twitter to get updates on my future articles. ✅

Did you find this article valuable?

Support Suresh Kumar by becoming a sponsor. Any amount is appreciated!

Learn more about Hashnode Sponsors
 
Share this