Kyverno – Blog posts about Kyverno releaseshttps://release-1-10-0--kyverno.netlify.app/blog/releases/Recent content in Blog posts about Kyverno releases on KyvernoHugo -- gohugo.ioen-usBlog: Kyverno 1.10 Releasedhttps://release-1-10-0--kyverno.netlify.app/blog/2023/05/30/kyverno-1.10-released/Tue, 30 May 2023 00:00:00 +0000https://release-1-10-0--kyverno.netlify.app/blog/2023/05/30/kyverno-1.10-released/ <p><img src="kyverno-horizontal.png" alt="kyverno"></p> <p>The Kyverno team are proud to announce the release of Kyverno 1.10, a minor release in terms of version number but a major release in every other regard. With around four months in the making and after four pre-releases and nearly 500 pull requests merged, Kyverno 1.10 is one of the largest releases in the history of the project and features a ton of new and highly-requested features and a staggering number of fixes and improvements. It also brings with it some breaking changes so please read thoroughly. We can&rsquo;t wait for you to see what&rsquo;s inside so let&rsquo;s get started!</p> <h2 id="key-new-features-of-kyverno-110">Key New Features of Kyverno 1.10</h2> <p>Kyverno 1.10 contains several new and significant features including decomposing Kyverno into smaller pieces, external service calls, Notary v2 support, and a major revamp of generate rules.</p> <h3 id="increased-scalability-with-service-decomposition">Increased Scalability with Service Decomposition</h3> <p>In previous versions of Kyverno, everything except the cleanup controller (introduced in 1.9) was packaged in a single container. This made sense in the early days, but as Kyverno began to grow in capability and complexity, the single-deployment model just wasn&rsquo;t going to cut it. Users also wanted a way to only install what they needed and not get everything else that came along with it. Beginning in Kyverno 1.10, the major capabilities of Kyverno have been broken out into separate deployments allowing you to switch on or off the ones you want. What this looks like is shown below.</p> <p><img src="kyverno-installation.png" alt="kyverno"></p> <p>The four major components of Kyverno and their primary functions are as follows:</p> <ul> <li><strong>Admission Controller</strong>: The heart of Kyverno, the Admission Controller receives and processes webhook requests from the Kubernetes API server and is responsible for validate, mutate, and verifyImages rules along with Policy Exceptions. It also performs most of the validations on policies themselves. This is the only required component of Kyverno which must be installed.</li> <li><strong>Reports Controller</strong>: Responsible for processing of Kyverno&rsquo;s Policy Reports including performing background reporting scans.</li> <li><strong>Background Controller</strong>: Not to be confused with background scans, the Background Controller handles all the generate rules and mutate rules when they impact existing resources (which all happen in the background).</li> <li><strong>Cleanup Controller</strong>: Takes care of all the cleanup tasks according to cleanup policies.</li> </ul> <p>Because Kyverno is now decomposed into separate controllers, each controller can be scaled independently although they all don&rsquo;t necessarily handle it differently. We recommend reading the <a href="https://release-1-10-0--kyverno.netlify.app/docs/high-availability/">High Availability page</a> for more details on the internals of these controllers and how scale and availability are handled per controller.</p> <h3 id="extensibility-via-external-service-calls">Extensibility via External Service Calls</h3> <p>Kyverno is already able to gather data from external sources as a factor in its policy-making decisions, for example from the Kubernetes API, OCI image registries, and ConfigMaps. However, one of the most requested features has been the ability for it to make calls to services other than the Kubernetes API server for the same reasons. We&rsquo;re happy to say that as of Kyverno 1.10, this feature now exists! It is new and a bit limited at this point so we can get an understanding of how folks intend to use it, but it allows performing GET and POST requests against another service in the cluster along with specifying a certificate authority bundle for establishing trust against HTTPS servers. A sample of what this looks like is shown below.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-namespaces </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">call-extension</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">result</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">POST</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">somekey</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ somevariable }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">http://sample.myservice/someendpoint</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="sd"> -----BEGIN CERTIFICATE----- </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="sd"> &lt;snip&gt; </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="sd"> -----END CERTIFICATE----- </span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;This shall not pass due to item {{ fookey}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ result.allowed }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div><p>And, by the way, in addition to POST calls to external services, we&rsquo;ve also enhanced the existing <code>apiCall</code> context variable to be able to POST to the Kubernetes API making it possible to <a href="https://release-1-10-0--kyverno.netlify.app/policies/other/check-subjectaccessreview/check-subjectaccessreview/">do things like</a> pass a <a href="https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/">SubjectAccessReview</a> which will make permissions assessments much easier.</p> <h3 id="software-supply-chain-security-with-cncf-notary">Software Supply Chain Security with CNCF Notary</h3> <p>The <a href="https://notaryproject.dev/">Notary project</a> is another project, like Sigstore, aiming to solve software supply chain security through OCI image signing. Notary is currently in its second version and differentiates itself from Sigstore by using OCI artifacts to store image signatures. Although Kyverno has had support for verifying signatures and attestations from Sigstore&rsquo;s Cosign project for a while now, we wanted to add support for Notary so that no matter what technology you use to sign your images, Kyverno will be there for you.</p> <p>Starting in Kyverno 1.10, we&rsquo;ve added a new <code>type</code> field to verifyImages rules allowing you to specify the signatory used, either <code>Notary</code> or <code>Cosign</code>. An example of what this looks like is shown below.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-image-notary</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Fail </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-signature-notary</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Notary</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;mytest.azurecr.io/user/net-monitor:v1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">certificates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="sd"> -----BEGIN CERTIFICATE----- </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="sd"> &lt;snip&gt; </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> -----END CERTIFICATE-----</span><span class="w"> </span></span></span></code></pre></div><p>While this addition supports simple Notary v2 verification, if needing to call an external service when using an extension, the external service call feature as shown earlier can be used.</p> <h3 id="generate-rule-refactoring">Generate Rule Refactoring</h3> <p>Even though generate rules have been a cornerstone of Kyverno for a while now, we did a significant overhaul on them to add new functionality, fix issues, improve the user experience, and just in general give it a major face lift. Specifically, one of the new features in generate rules which has been a frequent request is to allow the triggering resource to share the same synchronize life cycle as the generated resource. Users told us they want to be able to remove or change a trigger while sync is on and have that influence the resource that trigger was responsible for generating. This is now a reality in Kyverno 1.10 and will help in multitenancy use cases where generate rules are so frequently employed.</p> <p>We didn&rsquo;t stop there, though, we also added new features like triggering on DELETE requests, triggering on subresources, and performing permissions checks up front when the generate rule is created, helping to avoid failures down the line in case you forgot to add them. These features and many more can be found inside Kyverno 1.10 when using generate rules. We also had to make some tough decisions that lead to a couple breaking changes, so please read the release notes carefully if you&rsquo;re a user of generate rules. And although we&rsquo;ll talk about upgrades below, we strongly suggest removing and then reintroducing them in your cluster (or at least in a test cluster somewhere) to allow Kyverno to validate the new restrictions put into effect in 1.10.</p> <h2 id="other-additions-and-enhancements">Other Additions and Enhancements</h2> <p>There are loads of other additions and enhancements to be found in Kyverno 1.10 and we simply can&rsquo;t cover them all, but here are the most notable ones.</p> <p>Operations can now be specified directly in <code>match</code> and <code>exclude</code> blocks obviating the need for preconditions. This enhancement can simplify your rules by moving that condition to match on <code>CREATE</code>, for example, up into the <code>match</code> block. Specifying operations like this is also a requirement if you want to generate something based upon a <code>DELETE</code> operation.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">1</span><span class="cl"><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">4</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">5</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">6</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">7</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span></code></pre></div><p>Policy Exceptions have been enhanced in 1.10 to add support for background scanning, useful when you consume a Policy Report and want to see that fail result to go away, and wildcards in the <code>ruleNames[]</code> field. The latter will assist when you might have several rules in a policy which begin with the same prefix.</p> <p>A number of significant enhancements were made to Policy Reports in Kyverno 1.10 which dramatically improve performance, reduce time to aggregate reports, and lower resource consumption. Another enhancement some users may rejoice in hearing is that background scans will now, by default (but configurable, of course) consider Kyverno&rsquo;s resource filters when producing reports. So if you&rsquo;ve excluded a Namespace in the <a href="https://release-1-10-0--kyverno.netlify.app/docs/installation/customization/#resource-filters">resource filter</a>, by default you won&rsquo;t see any reports for it either when coming from background scans.</p> <p>Context variables are now lazily evaluated (JIT) which means no more failed rules when preconditions don&rsquo;t pass. Variables are often used in conditions and so they will follow the same circuit-breaking mechanisms already in place for those conditions. This should also have the benefit of reducing API calls in rules where they may not always be needed.</p> <p>Speaking of conditions, there&rsquo;s now a new <code>message</code> field that&rsquo;s available for use in conditions everywhere they&rsquo;re used throughout Kyverno which will allow you to append the contents of that field in the message response returned by Kyverno. This is especially handy in verifyImages rules where the reason why an attestation verification failed can be narrowed down to the exact condition. And if there are multiple, they&rsquo;ll be appended to each other. Very handy indeed.</p> <p>Kyverno 1.10 has three new JMESPath filters, <code>image_normalize()</code>, <code>trim_prefix()</code>, and <code>to_boolean()</code> in addition to some enhancements to existing filters. A couple of those enhancements to call out are the <code>sum()</code> filter can now sum quantities like memory making it valuable for adding up all the memory requests in a Pod to figure out whether it should be allowed or not. And the <code>x509_decode()</code> filter now supports decoding of Certificate Signing Requests so you can apply additional security checks if you use that API.</p> <p>Lastly, the documentation and policy library were greatly refreshed and improved as of this release. Not just that, but all Kyverno policies in the library can now be found on <a href="https://artifacthub.io/packages/search?kind=15&amp;sort=relevance&amp;page=1">Artifact Hub</a> making Kyverno policies presently the fourth largest artifact type.</p> <h2 id="potentially-breaking-changes">Potentially Breaking Changes</h2> <p>As we hope you&rsquo;ve seen, Kyverno 1.10 has some truly amazing features and enhancements in store for you, but making all this happen plus the hundreds of fixes we didn&rsquo;t cover here meant we had to make some important decisions. We&rsquo;d like to make you aware of these breaking changes up front so there are no surprises.</p> <p>First, due to the decomposition efforts, the Kyverno Helm chart had to basically be rewritten. This is reflected in a major version number increment from 2 to 3. As such, there is no direct upgrade path when coming from v2 of the chart and attempts to do so will be blocked by default. We&rsquo;ve written up a Helm upgrade and migration guide <a href="https://github.com/kyverno/kyverno/blob/release-1.10/charts/kyverno/README.md#migrating-from-v2-to-v3">here</a> and we strongly recommend you give that a good read. Although we also publish a YAML manifest as part of each release, there again a direct upgrade is not supported. In short, we recommend a backup-uninstall-reinstall-restore method when approaching this release, but the write-up has more details.</p> <p>For rules which matched on certain types of subresources like <code>PodExecOptions</code>, you&rsquo;ll need to move to the canonical format of them such as <code>Pod/exec</code>. A simple change to make, and Kyverno will let you know if you try to create it the other way.</p> <p>And, finally, because of the number of issues we sorted regarding generate rules in this release, we had to put a few more guardrails in place to ensure the correct user experience was being met. Some fields now no longer support defining variables, some others may be immutable after rule creation, and a few fields will now be required whereas they previously were not. The latter we&rsquo;ve tried to limit to situations in which policies are newly seen and not which pre-exist in the cluster.</p> <p>For these breaking changes, and others, please carefully read the extensive and (yes, sorry) lengthy release notes <a href="https://github.com/kyverno/kyverno/releases">here</a>.</p> <h2 id="closing">Closing</h2> <p>Kyverno 1.10 is quite the loaded release as you can probably see. After about four months and close to 500 PRs, there were a tremendous number of changes from the Kyverno community. And if you were one of the many, many contributors who pitched in to make this release a reality, a hearty THANK YOU for all your work! Hopefully what you&rsquo;ve seen makes you excited to try out 1.10 for yourself. Come engage with us in the Kyverno channel on <a href="https://release-1-10-0--kyverno.netlify.app/community/#slack-channel">Kubernetes Slack</a>, attend one of our <a href="https://release-1-10-0--kyverno.netlify.app/community/#community-meetings">community meetings</a>, or just catch us on <a href="https://twitter.com/kyverno">Twitter</a>.</p> <p>And if you&rsquo;re already a Kyverno adopter, sign up to be an official adopter by updating the Adopters form <a href="https://github.com/kyverno/kyverno/blob/main/ADOPTERS.md">here</a>.</p>Blog: Kyverno 1.9 Releasedhttps://release-1-10-0--kyverno.netlify.app/blog/2023/02/01/kyverno-1.9-released/Wed, 01 Feb 2023 00:00:00 +0000https://release-1-10-0--kyverno.netlify.app/blog/2023/02/01/kyverno-1.9-released/ <p><img src="kyverno-horizontal.png" alt="kyverno"></p> <p>With the ringing in of the new year the Kyverno team is proud to announce the release of Kyverno 1.9.0, a release that we&rsquo;ve been working hard on over the past several months and which is full of massive new features include TWO brand new rule types, several community-requested enhancements, and loads of fixes and improvements. Without any further ado, let&rsquo;s dive right in and show you what&rsquo;s in the bag.</p> <h2 id="key-new-features-of-kyverno-19">Key New Features of Kyverno 1.9</h2> <h3 id="policy-exceptions">Policy Exceptions</h3> <p>Something we&rsquo;ve heard for a while now from the community was that they love the ease with which Kyverno can <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/match-exclude/">select resources</a> (and, really, just ease of use in general) for action by policies but that this was limiting in certain ways. It may not be scalable to modify every policy with the same exclusions, and, secondarily, in real-world ops scenarios everyone has special exceptions that need careful handling. So we&rsquo;re excited to show off our new PolicyExceptions in 1.9!</p> <p>A <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/exceptions/">PolicyException</a> is a new type of policy and Custom Resource in Kyverno 1.9 which allows you to create an exception to any existing Kyverno policy in a way which is decoupled from the policy itself and so doesn&rsquo;t involve modifying the policy.</p> <p>Here&rsquo;s what it would look like to allow a special exception to one of the <a href="https://release-1-10-0--kyverno.netlify.app/policies/pod-security/">Pod Security Standard</a> <a href="https://release-1-10-0--kyverno.netlify.app/policies/?policytypes=Pod%2520Security%2520Standards%2520(Baseline)%2BPod%2520Security%2520Standards%2520(Restricted)">policies</a> but only for a very specific resource named <code>important-tool</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">delta-exception</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">delta</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">exceptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span>- <span class="nt">policyName</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">ruleNames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span>- <span class="l">host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span>- <span class="l">autogen-host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">delta</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">important-tool*</span><span class="w"> </span></span></span></code></pre></div><p>Once a PolicyException is created, a resource which is selected by the exception and also applies to the policy and rule combo named in the exception will be allowed to circumvent the policy. As shown, it&rsquo;ll be quite useful, we think, for users who want those one-time exceptions to validate rules which are in <code>Enforce</code> mode although it works for other situations and rules as well. Access to creating PolicyExceptions can be controlled through a combination of Kubernetes RBAC, your own GitOps review processes, <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/validate/#manifest-validation">YAML signing</a> for integrity and tamper-prevention checks, and even Kyverno validate policies.</p> <h3 id="cleanup-policies">Cleanup Policies</h3> <p>With Kyverno&rsquo;s unique <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/generate/">generation rule</a>, which remains one of its most popular abilities and is beloved by ops teams everywhere, it has proven that Kyverno is far more capable than a simple admission controller which can only deliver &ldquo;yes&rdquo; or &ldquo;no&rdquo; responses. Generation, especially when combined with validation and mutation, unlocks tremendous power and turns Kyverno into a true tool of automation. That was a great first step, but we knew we could do more. We heard there was a piece missing from the story and that piece was the ability to delete as well as create. Well, we&rsquo;re really happy to say that as of Kyverno 1.9, our second new policy type will allow you to do just that: cleanup resources on a scheduled basis.</p> <p>A Kyverno <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/cleanup/">CleanupPolicy</a> brings the all-familiar <code>match</code> and <code>exclude</code> capabilities with the powerful expressions and <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/jmespath/">JMESPath</a> filtering system together with a scheduler which allows you to very granularly select and filter resources you want removed in your cluster based on a recurring schedule. Just take a look at the below sample.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterCleanupPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clean-nekkid-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ target.metadata.ownerReferences[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 0 * * *&#34;</span><span class="w"> </span></span></span></code></pre></div><p>Here is a ClusterCleanupPolicy which, as you might have guessed, applies cluster-wide, and which will find and remove Pods with no ownerReferences every day at midnight. Cleanup policies like these can be super helpful to keep clutter to a minimum and fit nicely into existing automation workflows.</p> <p>A policy-based approach is only the first step, and in the second phase we intend on implementing automated cleanup based on a reserved label or annotation assigned to resources.</p> <h3 id="distributed-tracing">Distributed Tracing</h3> <p>In the 1.8 release, we added OpenTelemetry support, but in this release we wanted to one-up ourselves and add in more observability to provide insights on <em>exactly</em> what Kyverno is doing to your resources. So in 1.9, we&rsquo;ve added full support for distributed tracing. With distributed tracing instrumented in Kyverno, you can see every rule and even every external call (in the case of OCI registry lookups) Kyverno is making and how long each span took. This is super helpful not just from a visibility but also a troubleshooting and even auditability standpoint. With traces in hand sent to your collector, you can see the rules which matched the resource and were processed so you know everything is working properly.</p> <p><img src="kyverno-tracing.png" alt="tracing"></p> <h3 id="extended-support-for-subresources">Extended Support for Subresources</h3> <p>Kyverno has had support for some subresources for a few releases now (ephemeral containers have been supported since 1.7), but there were still gaps. Specifically, Kyverno had problems with the Scale subresource, which can be tricky to deal with, as well as mutations to the Status subresource. This meant that a couple real-world use cases that have come up simply weren&rsquo;t possible to implement in Kyverno policies. With Kyverno 1.9, that should be a thing of the past and most, if not all, subresources can be handled quite well.</p> <p>With this enhanced support, you can now easily match on the precise subresource you want (even using wildcards) and Kyverno will figure it out. For example, advertising <a href="https://kubernetes.io/docs/tasks/administer-cluster/extended-resource-node/">extended resources</a> to Kubernetes nodes is important for use cases like GPUs and FPGAs, and with a Kyverno <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/mutate/">mutate</a> rule targeted at Node/status, it&rsquo;s now incredibly simple and doesn&rsquo;t require any custom webhooks. The below policy will add the <code>example.com/dongle</code> resource to new Nodes brought up in the cluster.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advertise-resource</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advertise-dongle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span>- <span class="l">Node/status</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">capacity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">example.com/dongle</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span></code></pre></div><h3 id="configmap-caching">ConfigMap Caching</h3> <p>ConfigMaps are a common source of data not just to Pods but to Kyverno policies as well. Kyverno has long had support for <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/external-data-sources/#variables-from-configmaps">dynamic lookups from ConfigMaps</a> without requiring any pre-syncing, and in most use cases this was fine. But as more users flocked to Kyverno with ever larger clusters, these additional API calls produced some unwanted overhead. Starting in Kyverno 1.9, if you would like Kyverno to cache the ConfigMaps you need for policy decisions, simply assign the label <code>cache.kyverno.io/enabled: &quot;true&quot;</code> to any ConfigMap and Kyverno will automatically cache it for you. Nothing else you need to do.</p> <h2 id="other-additions-and-enhancements">Other Additions and Enhancements</h2> <p>Some other cool features and status updates we&rsquo;re proud to share include new JSON logging format and the ability to dump out the full AdmissionReview contents the API server sends to Kyverno. The latter has been a common request from the community and should help in those situations where you&rsquo;re not quite sure how to write a certain policy. Both require setting a new container flag so check out the <a href="https://release-1-10-0--kyverno.netlify.app/docs/installation/customization/#container-flags">docs</a>.</p> <p>Kyverno now supports <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/mutate/#nested-foreach">nested foreach loops</a> which are great especially for mutation use cases where you need tactical modifications or removals from complex nested objects like arrays within arrays.</p> <p>There are eleven new <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/jmespath/#custom-filters">JMESPath filters</a> specifically for working with time. These filters include things like getting current time, converting it from different formats, and even translating the time to a Cron expression. These are sure to come in handy when writing policies which account for time in various ways.</p> <p>Pod controller <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/autogen/">rule auto-generation</a>, another of Kyverno&rsquo;s hallmark capabilities which if you&rsquo;re not familiar allows Kyverno to translate rules solely for Pods to all other major Pod controllers, added support for ReplicaSet and ReplicationController. There&rsquo;s nothing policy authors need to do and Kyverno will now add these two resources into the auto-gen rules for you.</p> <p>The Kyverno CLI now has experimental support for uploading and downloading Kyverno policies as OCI artifacts. This is great for storing policies alongside container images using the same, common semantics. In the future, we&rsquo;re planning on doing more with this support so keep a lookout.</p> <p>We&rsquo;re preparing for the movement away from v1 of our policy schema which has served us well for a while now. As we go towards v2beta1, which is available in 1.9, we get rid of deprecated and obsoleted fields to make a nice and tidy policy. We ask you to start moving in the direction of v2beta1 now to make the removal process much smoother.</p> <p>Kyverno 1.9 brings support for Kubernetes 1.26. Kyverno follows an <a href="https://release-1-10-0--kyverno.netlify.app/docs/installation/#compatibility-matrix">N-2 support policy</a>, and so to ensure we&rsquo;re staying current, we&rsquo;re now building and testing up to 1.26.</p> <p>We have long been a champion of software supply chain security and insist on enacting these practices ourselves. With the 1.9 release, Kyverno now generates and attests to <a href="https://slsa.dev/spec/v0.1/index">SLSA provenance</a> which anyone on their end can publicly <a href="https://release-1-10-0--kyverno.netlify.app/docs/security/#verifying-provenance">verify</a>. We believe this and other policies by which we abide makes us adherent to SLSA <a href="https://slsa.dev/spec/v0.1/levels">Level 3</a> and will be working with the <a href="https://openssf.org/">Open Source Security Foundation</a> to ensure this is the case.</p> <p>And last but not least, the <a href="https://release-1-10-0--kyverno.netlify.app/policies/">Kyverno policy library</a>, the largest community-driven library of any policy engine for Kubernetes, has received another large bump putting it well over the 250 mark. Included in this library update is a new <a href="https://release-1-10-0--kyverno.netlify.app/policies/gatekeeper/">table</a> which maps Gatekeeper policies to Kyverno policies, helpful for users of both tools to see how to accomplish some common use cases in these engines.</p> <h2 id="potentially-breaking-changes">Potentially Breaking Changes</h2> <p>One change we do want to make you aware of, which actually came in 1.8.3, which could be breaking is a schema modification for verifying a container image attestation. Due to some upstream changes in Sigstore&rsquo;s <a href="https://github.com/sigstore/cosign">cosign</a>, we had to move the attestors under the attestation being verified. This necessitated a schema change which you can find in the <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/verify-images/#verifying-image-attestations">documentation</a>. So if you have Kyverno policies which verified image attestations, please update them to the new schema so they continue to work in 1.9.</p> <h2 id="closing">Closing</h2> <p>With so many new features, enhancements, and well over 200 fixes, there&rsquo;s so much to get excited about in this release. Hopefully what you&rsquo;ve seen makes you excited to try out the 1.9 release and provide your feedback. Come engage with us in the Kyverno channel on <a href="https://release-1-10-0--kyverno.netlify.app/community/#slack-channel">Kubernetes Slack</a>, attend one of our <a href="https://release-1-10-0--kyverno.netlify.app/community/#community-meetings">community meetings</a>, or just catch us on <a href="https://twitter.com/kyverno">Twitter</a>.</p>Blog: Kyverno 1.8 Releasedhttps://release-1-10-0--kyverno.netlify.app/blog/2022/10/24/kyverno-1.8-released/Mon, 24 Oct 2022 00:00:00 +0000https://release-1-10-0--kyverno.netlify.app/blog/2022/10/24/kyverno-1.8-released/ <p><img src="kyverno.png" alt="kyverno"></p> <p>Following on the heels of the 1.7 release of Kyverno, the Kyverno team is proud to present version 1.8 which is another huge leap forward not just in terms of features and functionality but of optimizations, performance, and other improvements required in strict or high-scale environments. And in addition to those, a tremendous amount of work went into refactoring and other housekeeping items that make Kyverno cleaner and more efficient making future development (and contributions) easier, quicker, and ultimately more maintainable. We&rsquo;ll walk through the largest of these features in this article.</p> <h2 id="key-new-features-of-kyverno-18">Key New Features of Kyverno 1.8</h2> <h3 id="pod-security-integration">Pod Security Integration</h3> <p>The successor to Kubernetes&rsquo; Pod Security Policy (PSP) is <a href="https://kubernetes.io/docs/concepts/security/pod-security-admission/">Pod Security Admission</a>, enabled by default in 1.23 and stable now in 1.25. This new technology implements a set of standards dubbed <a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/">Pod Security Standards</a>. Pod Security Admission brings many benefits over PSPs but also some fairly important caveats. Starting in 1.8, Kyverno has a new validate subrule called podSecurity which internally uses the same libraries as Pod Security Admission but allows for much simpler implementation of those standards while offering flexible exemptions not found in Pod Security Admission. Shown below is an example of this new podSecurity rule in action which implements the entire restricted profile of the Pod Security Standards across the entire cluster.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podsecurity-restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">podSecurity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span></code></pre></div><h3 id="yaml-manifest-verification">YAML Manifest Verification</h3> <p>Although Kyverno has integrated with <a href="https://www.sigstore.dev/">Sigstore</a> tooling for some time now, offering capabilities like <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/verify-images/">container image signature verification and attestation verification</a>, Kyverno 1.8 steps this up one notch further by bringing support for Sigstore&rsquo;s <a href="https://github.com/sigstore/k8s-manifest-sigstore">manifest project</a>. With this integration, Kyverno is now additionally able to verify signatures on Kubernetes YAML manifests to ensure, like container images, that they haven&rsquo;t been tampered with. Once a manifest has been signed with a private key of a user&rsquo;s choosing, a new Kyverno policy may be written which verifies the signature and comparing the signed (original) manifest contents with the current contents. Shown here is an example of such a policy which verifies the key used to sign Deployments.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-manifest-integrity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-deployment-allow-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">manifests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEStoX3dPCFYFD2uPgTjZOf1I5UFTa </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="sd"> 1tIu7uoGoyTxJqqEq7K2aqU+vy+aK76uQ5mcllc+TymVtcLk10kcKvb3FQ== </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="sd"> -----END PUBLIC KEY----- </span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">ignoreFields</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">objects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">fields</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">spec.replicas</span><span class="w"> </span></span></span></code></pre></div><p>Signing of manifests is a great way to bolster the security of your cluster, but it also requires some flexibility. Teams often need to change values and certain fields (in addition to Kubernetes itself needing to sometimes change them). That&rsquo;s why with this new rule type there is an object where you can specify which fields to ignore when verifying those manifests. In the previous policy, it provides an exception for the replicas field of a Deployment allowing only the value of this field to deviate from what was originally signed.</p> <h3 id="cloning-multiple-resources">Cloning Multiple Resources</h3> <p>One of the defining capabilities of Kyverno is its simple way of <a href="https://release-1-10-0--kyverno.netlify.app/docs/writing-policies/generate/">generating new Kubernetes resources</a> as opposed to just validating or mutating them. We&rsquo;ve seen tremendous adoption of this policy-based ability by software teams and users all over the place. One of the most common use cases for this generate ability is in multi-tenancy or Namespace-as-a-Service provisioning processes. But something we heard loud and clear was that users needed to clone more than just a single resource at a time. Very often, when provisioning a new Namespace, a variety of resources are required before handing that over. For example, Secrets, ConfigMaps, Custom Resources, and others are commonly required. In Kyverno 1.8, we&rsquo;ve brought you this ability by now allowing a single generate rule to define, in a selective manner, and clone multiple resources from the same source Namespace. As you can see from the below policy, whenever a new Namespace is created, all the Secrets and ConfigMaps in the <code>staging</code> Namespace which have been labeled with <code>allowedToBeClone=true</code> will be cloned into the new Namespace.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">provision-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sync-secrets-configmaps</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">cloneList</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">v1/Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="l">v1/ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">allowedToBeCloned</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div><h3 id="gitops-friendly-rule-auto-generation-is-here-to-stay">GitOps Friendly Rule Auto-Generation Is Here To Stay</h3> <p>In the 1.7 release, we introduced the new concept of moving Pod rule autogeneration out of <code>spec</code> and into <code>status</code> to be more kind to our GitOps users. Now in 1.8, that feature is on by default and no feature flags are required, allowing users of popular GitOps tools like Flux and ArgoCD to deploy Kyverno policies through their tooling without having to slightly adapt their definitions to account for these changes.</p> <h2 id="other-additions-and-enhancements">Other Additions and Enhancements</h2> <p>Kyverno 1.8 is such a substantial release it&rsquo;s hard to cover all of the features, but here are a few others to note.</p> <p>OpenTelemetry support was added for those who want an alternative to Prometheus.</p> <p>The CLI now supports testing of generate policies joining long-time support for validate and mutate rule testing.</p> <p>On the JMESPath side, we have two new filters called <code>random</code> and <code>x509_decode</code>. The <code>random</code> filter gives Kyverno the ability to generate random strings of data but in a fully composable and easy-to-use way. The <code>x509_decode</code> filter allows Kyverno to interpret PEM-encoded X509 certificates and make policy decisions based upon their contents, excellent for doing things like checking certificate subjects, expiration dates, and more.</p> <p>The reporting system received a total overhaul in this release which makes it both lighter on memory, faster to generate policy reports, and more reliable.</p> <p>Over time with the tremendous development velocity achieved in Kyverno, we&rsquo;ve added many new fields and changed others. Kyverno 1.8 introduces a new schema version <code>v2beta1</code> which is what we&rsquo;ll begin using in the near future as it brings all the various rule types fully up-to-date with the latest and greatest.</p> <p>And on the sample policy library, almost forty new policies have been added including implementation of best practices for common service meshes like Istio and Linkerd, CI/CD tools like Tekton, and more. This brings the total up to around 230 making Kyverno, by far, the policy engine with the <a href="https://release-1-10-0--kyverno.netlify.app/policies/">largest number of samples</a> designed to help get you running faster and easier.</p> <h2 id="potentially-breaking-changes">Potentially Breaking Changes</h2> <p>A couple things of which to be aware prior to upgrading. First, the Helm chart registry URL has changed to <code>ghcr.io/kyverno/charts/kyverno</code> so make sure to update your Helm repositories. And second, because we&rsquo;ve revamped Kyverno&rsquo;s reporting and background scanning abilities, the <code>backgroundScan</code> container flag you might have passed previously has changed to being a <code>true</code> or <code>false</code> value, simply either activating or deactivating background scans.</p> <h2 id="closing">Closing</h2> <p>Just like in previous releases, Kyverno 1.8 is a huge release <a href="https://github.com/kyverno/kyverno/releases/tag/v1.8.0">closing over 250 issues</a>. The maintainers and contributors have been hard at work for the past few months trying to bring additional value to the community, so we hope you find this release useful. As always, we love the community and hope you engage with us on any one of our outlets.</p>