Skip to main content

Using the host cluster's Kyverno hooks

If you want to enforce policies using Kyverno, and don't want to manage as many Kyverno installations as you have virtual clusters, you can make use of the External Admission Enforcement feature to enforce policies inside your virtual clusters with a single Kyverno installation.

Install Kyverno​

For the purpose of this guide, you should have Kyverno installed on your host cluster. You can either install it by running the following command or head here to install it differently.

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.10.0/install.yaml

Create a Kyverno policy​

After installing Kyverno, create the following (or the one of your chosing) policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
  annotations:
    policies.kyverno.io/title: Add Labels
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Label
    policies.kyverno.io/description: >-
      Labels are used as an important source of metadata describing objects in various ways
      or triggering other functionality. Labels are also a very basic concept and should be
      used throughout Kubernetes. This policy performs a simple mutation which adds a label
      `foo=bar` to Pods, Services, ConfigMaps, and Secrets.
spec:
  rules:
  - name: add-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Service
          - ConfigMap
          - Secret
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            foo: bar

Import the hook into the vCluster​

Once the policy is created, this will update the kyverno-resource-mutating-webhook-cfg (or the corresponding validatingwebhookconfiguration) with the relevant resources and namespaces. You will need to copy this configuration into your values files or your template for it to be applied inside the vCluster in the .admission.mutatingWebhooks as a string.

Once the vCluster is updated with that configuration, objects will have to go through the Kyverno hooks and will be modified (or validated) accordingly.

Caveats​

Make sure that your Kyverno hooks don't rely on the host cluster's namespaces or logic tied to the specifics of it, since the objects that are going to reach it will have the object's raw metadata (and will for example reference namespaces that are only present inside the vCluster)