How to use Kyverno CLI to validate k8s manifests?

How to use Kyverno CLI to validate k8s manifests?

In the previous article, we have seen what is Kyverno, its features, its use-cases and hot it works. In this article we will install kyverno cli in our local machine and explore its usecases.

Install Kyverno CLI

  • The Kyverno CLI is designed to validate and test policy behavior to resources prior to adding them to a cluster.
  • Used in CI/CD pipelines to validate manifests before they are deployed.
  • Can be integrated into precommit hooks

Install Kyverno CLI via Krew

Krew is the plugin manager for kubectl command-line tool. If do not have krew installed already, please follow the instructions --> krew.sigs.k8s.io/docs/user-guide/setup/inst..

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno

# test the Kyverno CLI
kubectl kyverno version

Install Kyverno CLI via Brew (MacOS)

# Install Kyverno CLI using brew
brew install kyverno

# test the Kyverno CLI
kyverno version

Kyverno CLI Commands

Apply

  • Performs a dry run on one or more policies for the given manifest(s)
  • Executes mutate policies and shows mutated resource as an output
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml

Test

  • tests policy from a git repo or local directory
  • recursively looks for YAML files in a directory and executes tests
  • kyverno test definition consists of test name, policies, resources and expected results.

An example test would look like

name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

To Run the test,

kyverno test /path/to/yamls

Validate

  • check if a policy is syntactically valid.
  • can validate multiple policy resource description files or a folder containing policy resource description files.
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies

Jp

Kyverno CLI also provides a utility called jp to work with JMESPath and expressions.

$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"
$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}

$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox

Kyverno precommit hooks

Kyverno can be integrated into precommit hooks to test and validate policies. To setup precommit hook, checkout -> github.com/kyverno/pre-commit-hook

.pre-commit-config.yaml

repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]

If you like this article, subscribe to the newsletter and Connect with me on twitter to get updates on my future articles. ✅

Did you find this article valuable?

Support sureshdsk.dev by becoming a sponsor. Any amount is appreciated!