In the previous article, we saw what Kyverno is, its features, its use cases and how it works. In this article we will install the Kyverno CLI on our local machine and explore its use cases.
Install Kyverno CLI
- The Kyverno CLI is designed to validate and test policy behavior against resources before they are added to a cluster.
- Used in CI/CD pipelines to validate manifests before they are deployed.
- Can be integrated into pre-commit hooks.
Install Kyverno CLI via Krew
Krew is the plugin manager for the kubectl command-line tool. If you do not have Krew installed already, please follow the instructions at krew.sigs.k8s.io/docs/user-guide/setup/inst..
# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno
# test the Kyverno CLI
kubectl kyverno version
Install Kyverno CLI via Brew (MacOS)
# Install Kyverno CLI using brew
brew install kyverno
# test the Kyverno CLI
kyverno version
Kyverno CLI Commands
Apply
- Performs a dry run on one or more policies for the given manifest(s)
- Executes mutate policies and shows mutated resource as an output
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
Test
- tests policy from a git repo or local directory
- recursively looks for YAML files in a directory and executes tests
- A Kyverno test definition consists of a test name, policies, resources and expected results.
An example test definition looks like this:
name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
To run the test:
kyverno test /path/to/yamls
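The test definition above references policy.yaml and resource.yaml without showing them. The script below is an added example, not code from the original article: it writes a policy and a Pod that match the names in that test, plus an untagged Pod to show the failing case. The policy body, the image values, the untagged-pod.yaml file and the kyverno-fixture directory are assumptions constructed for illustration.

```shell
# Added example (not from the original article). The policy body is an
# assumption reconstructed from the policy and rule names in the test above.
write_fixture() {
  dir=$1
  mkdir -p "$dir" || return 1
  cat > "$dir/policy.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  rules:
    - name: require-image-tag      # every image needs an explicit tag
      match: {any: [{resources: {kinds: [Pod]}}]}
      validate:
        message: "An image tag is required."
        pattern: {spec: {containers: [{image: "*:*"}]}}
    - name: validate-image-tag     # the tag must not be the mutable 'latest'
      match: {any: [{resources: {kinds: [Pod]}}]}
      validate:
        message: "Using the mutable tag 'latest' is not allowed."
        pattern: {spec: {containers: [{image: "!*:latest"}]}}
EOF
  cat > "$dir/resource.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: myapp-pod}
spec:
  containers:
    - {name: nginx, image: "nginx:1.25"}   # constructed; pinned tag, both rules pass
EOF
  cat > "$dir/untagged-pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: mypod}
spec:
  containers:
    - {name: busybox, image: busybox}      # no tag: require-image-tag fails
EOF
}
fixture_dir=${1:-./kyverno-fixture}
write_fixture "$fixture_dir"
# Dry-run both pods against the policy when the CLI is installed.
if command -v kyverno >/dev/null 2>&1; then
  for f in resource.yaml untagged-pod.yaml; do
    kyverno apply "$fixture_dir/policy.yaml" --resource "$fixture_dir/$f"
  done
fi
```

Saving the test definition from this page in the same directory lets kyverno test run against these files.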
Validate
- check if a policy is syntactically valid.
- can validate multiple policy resource description files or a folder containing policy resource description files.
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
Jp
The Kyverno CLI also provides a utility called jp to work with JMESPath and expressions.
$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"
$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}
$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox
Kyverno pre-commit hooks
Kyverno can be integrated into pre-commit hooks to test and validate policies. To set up the pre-commit hook, check out github.com/kyverno/pre-commit-hook
.pre-commit-config.yaml
repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]